Chapter 2. Installing and Deploying AMQ Broker on OpenShift Container Platform


The AMQ Broker on OpenShift Container Platform image is not available in the service catalog, so you must manually install the image.

Procedure

  1. Log in to OpenShift as a cluster administrator (or as a user that has project administrator access to the global openshift project), for example:

    $ oc login -u system:admin
  2. At the command line, run the following commands to update the core AMQ Broker on OpenShift Container Platform image stream in the openshift project:

    $ oc create -n openshift -f \
    https://raw.githubusercontent.com/jboss-container-images/jboss-amq-7-broker-openshift-image/71-1.0.TP/amq-broker-7-image-streams.yaml
    
    $ oc replace -n openshift --force -f \
    https://raw.githubusercontent.com/jboss-container-images/jboss-amq-7-broker-openshift-image/71-1.0.TP/amq-broker-7-image-streams.yaml
    
    $ oc -n openshift import-image amq-broker-71-openshift:1.0

    Note

    You might receive error messages indicating some image streams already exist after invoking the create command. A single command to create and replace is not available.

  3. Run the following command to update the AMQ Broker templates:

    $ for template in amq-broker-71-basic.yaml \
    amq-broker-71-ssl.yaml \
    amq-broker-71-persistence.yaml \
    amq-broker-71-persistence-ssl.yaml \
    amq-broker-71-statefulset-clustered.yaml;
     do
     oc create -n openshift -f \
    https://raw.githubusercontent.com/jboss-container-images/jboss-amq-7-broker-openshift-image/71-1.0.TP/templates/${template}
    
     oc replace -n openshift -f \
    https://raw.githubusercontent.com/jboss-container-images/jboss-amq-7-broker-openshift-image/71-1.0.TP/templates/${template}
     done

    Note

    You might receive "already exists" error messages after invoking the create command.

The AMQ Broker on OpenShift Container Platform image requires a service account for deployments. Service accounts are API objects that exist within each project. Three service accounts are created automatically in every project:

  • builder: This service account is used by build pods. It has the system:image-builder role, which allows pushing images to any image stream in the project using the internal Docker registry.
  • deployer: This service account is used by deployment pods. It has the system:deployer role, which allows viewing and modifying replication controllers and pods in the project.
  • default: This service account is used to run all other pods unless you specify a different service account.

Service accounts can be created or deleted like any other API object. For multiple-node deployments, the service account must have the view role enabled so that it can discover and manage the various pods in the cluster. In addition, you must configure SSL to enable connections to AMQ Broker from outside of the OpenShift Container Platform instance; for more information about how to configure SSL, see Configuring SSL. AMQ Broker mesh endpoints are discovered using JGroups with the OpenShift.dns ping protocol.

Procedure

  1. Add the view role to the service account:

    $ oc policy add-role-to-user view -z default

2.3. Configuring SSL

For a minimal SSL configuration to allow connections outside of OpenShift Container Platform, AMQ Broker requires a broker keystore, a client keystore, and a client truststore that includes the broker keystore. The broker keystore is also used to create a secret for the AMQ Broker on OpenShift Container Platform image, which is added to the service account.

The following example commands use Java KeyTool, a package included with the Java Development Kit, to generate the necessary certificates and stores.

Procedure

  1. Generate a self-signed certificate for the broker keystore:

    $ keytool -genkey -alias broker -keyalg RSA -keystore broker.ks
  2. Export the certificate so that it can be shared with clients:

    $ keytool -export -alias broker -keystore broker.ks -file broker_cert
  3. Generate a self-signed certificate for the client keystore:

    $ keytool -genkey -alias client -keyalg RSA -keystore client.ks
  4. Create a client truststore that imports the broker certificate:

    $ keytool -import -alias broker -keystore client.ts -file broker_cert
  5. Export the client’s certificate from the keystore:

    $ keytool -export -alias client -keystore client.ks -file client_cert
  6. Import the client’s exported certificate into a broker server truststore:

    $ keytool -import -alias client -keystore broker.ts -file client_cert
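
The six steps above as one non-interactive script, followed by a check that each truststore entry matches the certificate held in the peer's keystore. This is an added example, not part of the original guide: the store password, distinguished names, key size and validity are placeholder assumptions, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example: steps 1-6 run non-interactively, then a trust check.
# Assumed values (not from the guide): password, DNs, key size, validity.
set -eu
STOREPASS="${STOREPASS:-example-password}"   # placeholder, supply your own

# gen_pair ALIAS KEYSTORE DNAME: self-signed RSA key pair (steps 1 and 3)
gen_pair() {
    keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$3" -keystore "$2" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# export_cert ALIAS KEYSTORE FILE: public certificate only (steps 2 and 5)
export_cert() {
    keytool -exportcert -alias "$1" -keystore "$2" -storepass "$STOREPASS" -file "$3"
}

# import_cert ALIAS TRUSTSTORE FILE: trust the peer's certificate (steps 4 and 6)
import_cert() {
    keytool -importcert -noprompt -alias "$1" -keystore "$2" \
        -storepass "$STOREPASS" -file "$3"
}

# fingerprint ALIAS STORE: SHA-256 fingerprint of the certificate under ALIAS,
# or an empty string if the store or alias cannot be read
fingerprint() {
    keytool -list -v -alias "$1" -keystore "$2" -storepass "$STOREPASS" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# same_cert ALIAS STORE_A STORE_B: true only if both stores hold the same
# certificate under ALIAS; an unreadable store counts as a mismatch
same_cert() {
    a=$(fingerprint "$1" "$2")
    b=$(fingerprint "$1" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

build_stores() {
    gen_pair broker broker.ks "CN=broker.example.test"      # step 1
    export_cert broker broker.ks broker_cert                # step 2
    gen_pair client client.ks "CN=client.example.test"      # step 3
    import_cert broker client.ts broker_cert                # step 4
    export_cert client client.ks client_cert                # step 5
    import_cert client broker.ts client_cert                # step 6
}

# trust_ok: client.ts must hold the broker's certificate, broker.ts the client's
trust_ok() {
    same_cert broker broker.ks client.ts && same_cert client client.ks broker.ts
}
```

Call build_stores in an empty working directory and then trust_ok; a non-zero status from trust_ok means a truststore does not hold the certificate that its peer's keystore presents.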

2.4. Generating the AMQ Broker secret

The broker keystore can be used to generate a secret for the namespace, which is also added to the service account so that the applications can be authorized.

Procedure

  1. At the command line, run the following commands:

    $ oc create secret generic <secret-name> --from-file=<broker-keystore> --from-file=<broker-truststore>
    $ oc secrets add sa/<service-account-name> secret/<secret-name>

2.5. Creating an SSL route

After the AMQ Broker on OpenShift Container Platform image has been deployed, an SSL route needs to be created for the AMQ Broker transport protocol port to allow connections to AMQ Broker outside of OpenShift.

In addition, selecting Passthrough for TLS Termination relays all communication to AMQ Broker without the OpenShift router decrypting and resending it. Only SSL routes can be exposed because the OpenShift router requires SNI to send traffic to the correct service. For more information see Secured Routes.

The default ports for the various AMQ Broker transport protocols are:

Table 2.1. Default ports for AMQ Broker transport protocols

  AMQ Broker transport protocol   Default port
  -----------------------------   ------------
  All protocols                   61616
  All protocols (SSL)             61617
  AMQP                            5672
  AMQP (SSL)                      5671
  MQTT                            1883
  MQTT (SSL)                      8883
  STOMP                           61613
  STOMP (SSL)                     61612

If you are using a template from an alternate repository, AMQ Broker configuration files such as artemis-users.properties can be included. When the image is downloaded for deployment, these files are copied from <amq-home>/conf/ to the <broker-instance-dir>/etc/ directory on AMQ Broker, which is committed to the container and pushed to the OpenShift registry.

Note

If using this method, ensure that the placeholders in the configuration files (such as AUTHENTICATION) are not removed, as these placeholders are necessary for building the AMQ Broker on OpenShift Container Platform image.

2.7. Configuring client connections

Clients for the AMQ Broker on OpenShift Container Platform image must specify the OpenShift router port (443) when setting the broker URL for SSL connections. Otherwise, AMQ Broker attempts to use the default SSL port (61617). Including the failover protocol in the URL preserves the client connection in case the pod is restarted or upgraded, or a disruption occurs on the router.

...
factory.setBrokerURL("failover://ssl://<route-to-broker-pod>:443");
...

Note

External clients do not support HA.
