
Security Changes in 7.0.2

Overview

To ensure that the Fuse MQ Enterprise container is automatically secure after you install it, the default security settings have changed in version 7.0.2. By default in Fuse MQ Enterprise 7.0.2, none of the container's services are remotely accessible.

Affected ports and services

The following ports and services are affected by this security change:

  • SSH console port (remote administration).

  • JMX port.

  • Apache ActiveMQ JMS broker.

  • Apache ActiveMQ Web console.

Impact on Apache ActiveMQ applications

If you deploy any routes that connect to the internal Apache ActiveMQ broker, you must change the configuration of the ConnectionFactory so that it is defined with a username and a password. This is necessary because the Apache ActiveMQ broker is now secure by default.

For example, in Spring XML you could configure the Camel ActiveMQ component as follows:

<beans ... >
    ...
    <bean id="activemq" 
          class="org.apache.activemq.camel.component.ActiveMQComponent">
        <property name="brokerURL" value="tcp://localhost:61616"/>
        <property name="userName" value="Username"/>
        <property name="password" value="Password"/>
    </bean>
    ...
</beans>

Here, Username and Password are the credentials of a JAAS user with admin privileges.

Note

If you want to revert to using an insecure broker (similar to versions prior to 7.0.2), see Disabling Broker Security in Managing and Monitoring a Broker for instructions on how to disable JAAS authentication in the broker.

Migrating your applications to 7.0.2

When migrating your applications to a fresh installation of a Fuse MQ Enterprise 7.0.2 container, you should perform the following steps to configure security on the container:

  1. Configure JAAS security in the InstallDir/etc/users.properties file to have at least one user entry with admin privileges. Each user entry is defined on its own line and has the following format:

    Username=Password,admin

    Where the admin role gives this user the privileges to access all administration and management functions of the container.

  2. Edit the InstallDir/etc/system.properties file and modify the webconsole.jmx.* and webconsole.jms.* properties as follows:

    webconsole.jmx.user=Username
    webconsole.jmx.password=Password
    webconsole.jms.user=Username
    webconsole.jms.password=Password

    Where the Username and Password are the credentials of a JAAS user with admin privileges.
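
The two migration steps can be checked together before the container is started. The following is an added example, not part of the Fuse MQ Enterprise distribution or documentation: it parses the contents of users.properties and system.properties and reports any webconsole.* credential that is missing, does not belong to an admin user, or does not match. It assumes passwords are stored exactly as written in the format shown above; the function names and sample values are constructed for illustration.

```python
# Added example: checks the two files edited in the migration steps above.
# Assumes entries are stored as "Username=Password,admin" (format from the page).
def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def admin_users(users_text):
    """Return {username: password} for entries that carry the admin role."""
    admins = {}
    for user, value in parse_properties(users_text).items():
        password, *roles = [part.strip() for part in value.split(",")]
        if "admin" in roles:
            admins[user] = password
    return admins

def check_migration(users_text, system_text):
    """Return a list of problems; an empty list means both steps are satisfied."""
    problems = []
    admins = admin_users(users_text)
    if not admins:
        problems.append("users.properties: no user entry with the admin role")
    system = parse_properties(system_text)
    for prefix in ("webconsole.jmx", "webconsole.jms"):
        user = system.get(prefix + ".user")
        password = system.get(prefix + ".password")
        if not user or not password:
            problems.append(f"system.properties: {prefix}.user/.password not set")
        elif user not in admins:
            problems.append(f"system.properties: {prefix}.user '{user}' is not an admin user")
        elif admins[user] != password:
            problems.append(f"system.properties: {prefix}.password does not match users.properties")
    return problems

# Constructed sample contents (hypothetical users, not real credentials).
SAMPLE_USERS = "# constructed sample\nopsadmin=S3cret-example,admin\nviewer=viewpw\n"
SAMPLE_SYSTEM = ("webconsole.jmx.user=opsadmin\nwebconsole.jmx.password=S3cret-example\n"
                 "webconsole.jms.user=viewer\nwebconsole.jms.password=viewpw\n")

if __name__ == "__main__":
    print("\n".join(check_migration(SAMPLE_USERS, SAMPLE_SYSTEM)) or "OK")
```

To check a real installation, pass the text of InstallDir/etc/users.properties and InstallDir/etc/system.properties to check_migration.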

Reference

For more details about these security changes, see Security Basics in Managing and Monitoring a Broker.
