When trying to add a new DC to the environment, it will not connect even after adding the DC cert to the DA, with error:

2026-04-28 18:30:00,668 | INFO  | dc_broker_030fb33e-5377-41ee-8187-90bf485907de bridge to Unknown stopped | org.apache.activemq.network.DemandForwardingBridgeSupport | ActiveMQBrokerService[dc_broker_030fb33e-xxxx-xxxx-xxxx-xxxxxxxxx] Task-24117

2026-04-28 18:30:00,668 | WARN  | Could not start network bridge between: vm://dc_broker_030fb33e-xxxx-xxxx-xxxx-xxxxxxxxx and: tcp://192.168.0.1:61616 due to: Connection refused | org.apache.activemq.network.DiscoveryNetworkConnector | ActiveMQ Task-19350

DX NetOps CA Performance Management (CAPM) all currently supported releases

As the DA is setup for SSL, this indicates a configuration issue/s on the DC with regards to SSL and/or certificates.

Export the DA certificates (intermediate & root) from its keystore;

# /opt/IMDataAggregator/jre/bin/keytool -exportcert -alias intermediate -file intermediatecert -keystore/opt/IMDataAggregator/broker/apache-activemq-5.18.6/conf/broker.ks

and

# /opt/IMDataAggregator/jre/bin/keytool -exportcert -alias root -file rootcert -keystore/opt/IMDataAggregator/broker/apache-activemq-5.18.6/conf/broker.ks

The import them into the new DC:

# /opt/IMDataCollector/jre/bin/keytool -import -alias DAintermediate -keystore /opt/IMDatacollector/broker/apache-activemq-5.18.6/conf/broker.ks -file /tmp/intermediatecert

and

# /opt/IMDataCollector/jre/bin/keytool -import -alias DAroot -keystore /opt/IMDatacollector/broker/apache-activemq-5.18.6/conf/broker.ks -file /tmp/rootcert

After this, the activemq.xml file was modified to use SSL (instead of tcp) in the <networkConnector...> sections and the ports changed (for example 61617 for SSL instead of 61616 for tcp):

<networkConnector name="da_manager-IREP"  uri="stat1c (ssl://192.168.0.1:61621)" duplex="true.

However, if this still is not allowing the activeMQ to connect, with the following error in its log showing it still could not connect to ActiveMQ on the DA:

WARN  | Could not start network bridge between: vm://dc_broker_030fb33e-xxxx-xxxx-xxxx-xxxxxxxxx and: ssl://192.168.0.1:61623 due to: No subject alternative names matching IP address 192.168.0.1 found | org.apache.activemq.network.DiscoveryNetworkConnector | ActiveMQ Task-7

The above warning message indicates that the configuration in activemq.xml did not specify the same hostname (Subject Alternate Name) for the DA as what is used in the DA's certificates. In this case, there are two options:

1. Change the DA IP address configured in the activemq.xml <networkConnector name=... sections to the DA Hostname (in the example below - my_aggregator_hostname):
   
   <networkConnector name="da_manager-IREP"  uri="stat1c (ssl://my_aggregator_hostname:61621)" duplex="true.



2. The following also works (adding ?socket.verifyHostName=false), but it removes the Hostname check from the certificate validation so putting the actual DA hostname in to match the certificate's SAN is the better option:

<networkConnector name="da_manager-IREP"  uri="stat1c (ssl://192.168.0.1:61621?socket.verifyHostName=false)"duplex="true.

After this, activeMQ should be running with the following output in its log:

2026-04-29 01:08,130 | INFO |Network connection between vm://dc_broker_030fb33e-xxxx-xxxx-xxxx-xxxxxxxxxde#12 and ssl//my_aggregator_hostname/192.168.0.1:61623(da broker) has been established. | org apache.activemq.network.DemandForwardingBridaeSupport | triggerStartAsyncNetworkBridgeCreation: remoteBroker=ssl://my_aggregator_hostname/192.168.0.1:61623, localBroker= vm://da_broker_030fb33-xxxx-xxxx-xxxx-xxxxxxxxx#12