Fuse ESB - ActiveMQ Security Guide - Web Console Security

Web Console Security

Web console for Apache ActiveMQ

The Apache ActiveMQ Web console is a web-based administration tool for Apache ActiveMQ. When you start a standalone broker instance using the script, bin/activemq[.bat], with the default configuration, conf/activemq.xml, the Web console is automatically enabled. After starting the broker, you can access the Web console by entering the following URL in your Web browser:

http://localhost:8161/admin

The Web console is hosted inside a Jetty server, which is configured by the Spring file, conf/jetty.xml. The conf/activemq.xml configuration file imports the jetty.xml file, using the following <import/> tag:

<beans ... >
    ...
    <import resource="jetty.xml"/>
</beans>

Enabling basic authentication

The Jetty server can be configured to enable HTTP basic authentication. Although the conf/jetty.xml file already includes most of the configuration required for basic authentication, the authentication feature is disabled by default. To enable it, search for the following line in the jetty.xml file:

        <property name="authenticate" value="false" />

Edit the value attribute, changing its value to true.

        <property name="authenticate" value="true" />

When you restart the broker, basic authentication will be enabled on the Web console. For example, you can log on using the credentials, username=admin, password=admin.

Editing user credentials

The Jetty user data are stored in the conf/jetty-realm.properties file, which you can edit to add user credentials and roles. Each user is defined on a separate line, which has the following format:

Username: Password [, Role01, Role02, ... ]

For example, to define the user with username, jblogs, password, secret, and role, developer, you would add the following line to the jetty-realm.properties file:

jblogs: secret, developer

Enabling SSL security

To enable SSL security on the Jetty server, edit the Connector bean in the conf/jetty.xml file. Instead of the SelectChannelConnector class, define the Connector bean to be an instance of the org.eclipse.jetty.server.ssl.SslSelectChannelConnector class. Specify the relevant properties of the SslSelectChannelConnector class in order to configure the Jetty server's HTTPS port.

Sample SSL configuration

Search for the existing definition of the Connector bean in the conf/jetty.xml file. In the default file, you should see some lines like the following:

<property name="connectors">
    <list>
        <bean id="Connector" class="org.eclipse.jetty.server.nio.SelectChannelConnector">
            <property name="port" value="8161" />
        </bean>
    </list>
</property>

Replace the preceding lines by the following lines:

<property name="connectors">
    <list>
        <bean id="Connector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <property name="port"        value="8443" />
            <property name="maxIdleTime" value="30000"/>
            <property name="keystore"    value="${activemq.home}/conf/broker.ks"/>
            <property name="password"    value="testjetty"/>
            <property name="keyPassword" value="testjetty"/>
            <property name="truststore"  value="${activemq.home}/conf/broker.ks"/>
        </bean>
    </list>
</property>

Where the SslSelectChannelConnector properties can be explained as follows:

port: Specifies the secure IP port number (accessible through HTTPS).
maxIdleTime: Specifies the connection idle time in units of milliseconds. If there is no activity on a connection for longer than this timeout, the connection will be closed.
keystore: Specifies the location of the Jetty server's own X.509 certificate, which is stored in a Java keystore file on the file system. The Jetty server uses this certificate to identify itself to a client, during the SSL handshake.
password: Specifies the store password, which is needed to unlock the keystore file (see Java Keystores).
keyPassword: Specifies the key password, which is used to decrypt the private key that is stored within the keystore file. Typically, the store password and the key password are identical (some SSL implementations even require this to be the case).
truststore: Specifies the location of a Java keystore file that contains a list of one or more trusted certificates, which can be used during the SSL handshake to check that incoming client certificates are correctly signed. In the current example, the truststore is actually irrelevant, because clients are not required to send a certificate to the Jetty server.

When SSL security is configured as shown, you can access the Web console through the HTTPS protocol using the following URL:

https://localhost:8443/admin

Warning

The broker.ks certificate used in the preceding example is insecure, because anyone can access its private key. To secure your system properly, you must create new certificates signed by a trusted CA, as described in Managing Certificates.

Reference

For more details about the properties you can set on the SslSelectChannelConnector class, see http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/server/ssl/SslSocketConnector.html.

Comments powered by Disqus