Menu Close

Chapter 4. Using AMQ Management Console

AMQ Management Console is a web console included in the AMQ Broker installation that enables you to use a web browser to manage AMQ Broker.

AMQ Management Console is based on hawtio.

4.1. Overview

AMQ Broker is a full-featured, message-oriented middleware broker. It offers specialized queueing behaviors, message persistence, and manageability. It supports multiple protocols and client languages, freeing you to use many of your application assets.

AMQ Broker’s key features allow you to:

  • monitor your AMQ brokers and clients

    • view the topology
    • view network health at a glance
  • manage AMQ brokers using:

    • AMQ Management Console
    • Command-line Interface (CLI)
    • Management API

The supported web browsers for AMQ Management Console are Firefox and Chrome. For more information on supported browser versions, see AMQ 7 Supported Configurations.

4.2. Configuring local and remote access to AMQ Management Console

The procedure in this section shows how to configure local and remote access to AMQ Management Console.

Remote access to the console can take one of two forms:

  • Within a console session on a local broker, you use the Connect tab to connect to another, remote broker
  • From a remote host, you connect to the console for the local broker, using an externally-reachable IP address for the local broker

Prerequisites

  • You must upgrade to at least AMQ Broker 7.1.0. As part of this upgrade, an access-management configuration file named jolokia-access.xml is added to the broker instance. For more information about upgrading, see Upgrading a Broker instance from 7.0.x to 7.1.0.

Procedure

  1. Open the <broker_instance_dir>/etc/bootstrap.xml file.
  2. Within the web element, observe that the web port is bound only to localhost by default.

    <web bind="http://localhost:8161" path="web">
        <app url="redhat-branding" war="redhat-branding.war"/>
        <app url="artemis-plugin" war="artemis-plugin.war"/>
        <app url="dispatch-hawtio-console" war="dispatch-hawtio-console.war"/>
        <app url="console" war="console.war"/>
    </web>
  3. To enable connection to the console for the local broker from a remote host, change the web port binding to a network-reachable interface. For example:

    <web bind="http://0.0.0.0:8161" path="web">

    In the preceding example, by specifying 0.0.0.0, you bind the web port to all interfaces on the local broker.

  4. Save the bootstrap.xml file.
  5. Open the <broker_instance_dir>/etc/jolokia-access.xml file.
  6. Within the <cors> (that is, Cross-Origin Resource Sharing) element, add an allow-origin entry for each HTTP origin request header that you want to allow to access the console. For example:

    <cors>
       <allow-origin>*://localhost*</allow-origin>
       <allow-origin>*://192.168.0.49*</allow-origin>
       <allow-origin>*://192.168.0.51*</allow-origin>
       <!-- Check for the proper origin on the server side, too -->
       <strict-checking/>
    </cors>

    In the preceding configuration, you specify that the following connections are allowed:

    • Connection from the local host (that is, the host machine for your local broker instance) to the console.

      • The first asterisk (*) wildcard character allows either the http or https scheme to be specified in the connection request, based on whether you have configured the console for secure connections.
      • The second asterisk wildcard character allows any port on the host machine to be used for the connection.
    • Connection from a remote host to the console for the local broker, using the externally-reachable IP address of the local broker. In this case, the externally-reachable IP address of the local broker is 192.168.0.49.
    • Connection from within a console session opened on another, remote broker to the local broker. In this case, the IP address of the remote broker is 192.168.0.51.
  7. Save the jolokia-access.xml file.
  8. Open the <broker_instance_dir>/etc/artemis.profile file.
  9. To enable the Connect tab in the console, set the value of the Dhawtio.disableProxy argument to false.

    -Dhawtio.disableProxy=false
    Important

    It is recommended that you enable remote connections from the console (that is, set the value of the Dhawtio.disableProxy argument to false) only if the console is exposed to a secure network.

  10. Add a new argument, Dhawtio.proxyWhitelist, to the JAVA_ARGS list of Java system arguments. As a comma-separated list, specify IP addresses for any remote brokers that you want to connect to from the local broker (that is, by using the Connect tab within a console session running on the local broker). For example:

    -Dhawtio.proxyWhitelist=192.168.0.51

    Based on the preceding configuration, you can use the Connect tab within a console session on the local broker to connect to another, remote broker with an IP address of 192.168.0.51.

  11. Save the aretmis.profile file.

Additional resources

4.3. Accessing AMQ Management Console

The procedure in this section shows how to:

  • Open AMQ Management Console from the local broker
  • Connect to other brokers from within a console session on the local broker
  • Open a console instance for the local broker from a remote host using the externally-reachable IP address of the local broker

Prerequisites

Procedure

  1. In your web browser, navigate to the console address for the local broker.

    The console address is http://<host:port>/console/login. If you are using the default address, navigate to http://localhost:8161/console/login. Otherwise, use the values of host and port that are defined for the bind attribute of the web element in the <broker_instance_dir>/etc/bootstrap.xml configuration file.

    Figure 4.1. Console login page

    AMQ Management Console Login Page
  2. Log in to AMQ Management Console using the default user name and password that you created when you created the broker.
  3. To connect to another, remote broker from the console session of the local broker:

    1. In the left menu, click the Connect tab.
    2. In the main pane, on the Remote tab, click the Add connection button.
    3. In the Add Connection dialog box, specify the following details:

      Name
      Name for the remote connection, for example, my_other_broker.
      Scheme
      Protocol to use for the remote connection. Select http for a non-secured connection, or https for a secured connection.
      Host
      IP address of a remote broker. You must have already configured console access for this remote broker.
      Port
      Port on the local broker to use for the remote connection. Specify the port value that is defined for the bind attribute of the web element in the <broker_instance_dir>/etc/bootstrap.xml configuration file. The default value is 8161.
      Path
      Path to use for console access. Specify console/jolokia.
    4. To test the connection, click the Test Connection button.

      If the connection test is successful, click the Add button. If the connection test fails, review and modify the connection details as needed. Test the connection again.

    5. On the Remote page, for a connection that you have added, click the Connect button.

      A new web browser tab opens for the console instance on the remote broker.

    6. In the Log In dialog box, enter the user name and password for the remote broker. Click Log In.

      The console instance for the remote broker opens.

  4. To connect to the console for the local broker from a remote host, specify the Jolokia endpoint for the local broker in a web browser. This endpoint includes the externally-reachable IP address that you specified for the local broker when configuring remote console access. For example:

    http://192.168.0.49/console/jolokia

4.4. Configuring AMQ Management Console

Configure user access and request access to resources on the broker.

4.4.1. Securing AMQ Management Console using Red Hat Single Sign-On

Prerequisites

  • Red Hat Single Sign-On 7.4

Procedure

  1. Configure Red Hat Single Sign-On:

    1. Navigate to the realm in Red Hat Single Sign-On that you want to use for securing AMQ Management Console. Each realm in Red Hat Single Sign-On includes a client named Broker. This client is not related to AMQ.
    2. Create a new client in Red Hat Single Sign-On, for example artemis-console.
    3. Navigate to the client settings page and set:

      • Valid Redirect URIs to the AMQ Management Console URL followed by *, for example:

        https://broker.example.com:8161/console/*
      • Web Origins to the same value as Valid Redirect URIs. Red Hat Single Sign-On allows you enter +, indicating that allowed CORS origins includes the value for Valid Redirect URIs.
    4. Create a role for the client, for example guest.
    5. Make sure all users who require access to AMQ Management Console are assigned the above role, for example, using Red Hat Single Sign-On groups.
  2. Configure the AMQ Broker instance:

    1. Add the following to your <broker-instance-dir>/instances/broker0/etc/login.config file to configure AMQ Management Console to use Red Hat Single Sign-On:

      console {
          org.keycloak.adapters.jaas.BearerTokenLoginModule required
              keycloak-config-file="${artemis.instance}/etc/keycloak-bearer-token.json"
              role-principal-class=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
          ;
      };

      Adding this configuration sets up a JAAS principal and a requirement for a bearer token from Red Hat Single Sign-On. The connection to Red Hat Single Sign-On is defined in the keycloak-bearer-token.json file, as described in the next step.

    2. Create a file <broker-instance-dir>/etc/keycloak-bearer-token.json with the following contents to specify the connection to Red Hat Single Sign-On used for the bearer token exchange:

      {
        "realm": "<realm-name>",
        "resource": "<client-name>",
        "auth-server-url": "<RHSSO-URL>/auth",
        "principal-attribute": "preferred_username",
        "use-resource-role-mappings": true,
        "ssl-required": "external",
        "confidential-port": 0
      }
      <realm-name>
      the name of the realm in Red Hat Single Sign-On
      <client-name>
      the name of the client in Red Hat Single Sign-On
      <RHSSO-URL>
      the URL of Red Hat Single Sign-On
    3. Create a file <broker-instance-dir>/etc/keycloak-js-token.json with the following contents to specify the Red Hat Single Sign-On authentication endpoint:

      {
        "realm": "<realm-name>",
        "clientId": "<client-name>",
        "url": "<RHSSO-URL>/auth"
      }
    4. Configure the security settings by editing the the <broker-instance-dir>/etc/bootstrap.xml file.

      For example, to allow users with the amq role consume messages and allow users with the guest role send messages, add the following:

               <security-setting match="Info">
                  <permission roles="amq" type="createDurableQueue"/>
                  <permission roles="amq" type="deleteDurableQueue"/>
                  <permission roles="amq" type="createNonDurableQueue"/>
                  <permission roles="amq" type="deleteNonDurableQueue"/>
                  <permission roles="guest" type="send"/>
                  <permission roles="amq" type="consume"/>
               </security-setting>
  3. Run the AMQ Broker instance and validate AMQ Management Console configuration.

4.4.2. Setting up user access to AMQ Management Console

You can access AMQ Management Console using the broker login credentials. The following table provides information about different methods to add additional broker users to access AMQ Management Console:

Authentication MethodDescription

Guest authentication

Enables anonymous access. In this configuration, any user who connects without credentials or with the wrong credentials will be authenticated automatically and assigned a specific user and role.

For more information, see Configuring guest access in Configuring AMQ Broker.

Basic user and password authentication

For each user, you must define a username and password and assign a security role. Users can only log into AMQ Management Console using these credentials.

For more information, see Configuring basic user and password authentication in Configuring AMQ Broker.

LDAP authentication

Users are authenticated and authorized by checking the credentials against user data stored in a central X.500 directory server.

For more information, see Configuring LDAP to authenticate clients in Configuring AMQ Broker.

4.4.3. Securing network access to AMQ Management Console

To secure AMQ Management Console when the console is being accessed over a WAN or the internet, use SSL to specify that network access uses https instead of http.

Prerequisites

The following should be located in the <broker_instance_dir>/etc/ directory:

  • Java key store
  • Java trust store (needed only if you require client authentication)

Procedure

  1. Open the <broker_instance_dir>/etc/bootstrap.xml file.
  2. In the <web> element, add the following attributes:

    <web bind="https://0.0.0.0:8161"
        path="web"
        keyStorePath="<path_to_keystore>"
        keyStorePassword="<password>"
        clientAuth="<true/false>"
        trustStorePath="<path_to_truststore>"
        trustStorePassword="<password>">
        ...
    </web>
    bind
    For secure connections to the console, change the URI scheme to https.
    keyStorePath

    Path of the keystore file. For example:

    keyStorePath="<broker_instance_dir>/etc/keystore.jks"
    keyStorePassword
    Key store password. This password can be encrypted.
    clientAuth
    Specifies whether client authentication is required. The default value is false.
    trustStorePath
    Path of the trust store file. You need to define this attribute only if clientAuth is set to true.
    trustStorePassword
    Trust store password. This password can be encrypted.

Additional resources

4.5. Managing brokers using AMQ Management Console

You can use AMQ Management Console to view information about a running broker and manage the following resources:

  • Incoming network connections (acceptors)
  • Addresses
  • Queues

4.5.1. Viewing details about the broker

To see how the broker is configured, in the left menu, click Artemis. In the folder tree, the local broker is selected by default.

In the main pane, the following tabs are available:

Status

Displays information about the current status of the broker, such as uptime and cluster information. Also displays the amount of address memory that the broker is currently using. The graph shows this value as a proportion of the global-max-size configuration parameter.

Figure 4.2. Status tab

*Status* tab
Connections
Displays information about broker connections, including client, cluster, and bridge connections.
Sessions
Displays information about all sessions currently open on the broker.
Consumers
Displays information about all consumers currently open on the broker.
Producers
Displays information about producers currently open on the broker.
Addresses
Displays information about addresses on the broker. This includes internal addresses, such as store-and-forward addresses.
Queues
Displays information about queues on the broker. This includes internal queues, such as store-and-forward queues.
Attributes
Displays detailed information about attributes configured on the broker.
Operations
Displays JMX operations that you can execute on the broker from the console. When you click an operation, a dialog box opens that enables you to specify parameter values for the operation.
Chart
Displays real-time data for attributes configured on the broker. You can edit the chart to specify the attributes that are included in the chart.
Broker diagram
Displays a diagram of the cluster topology. This includes all brokers in the cluster and any addresses and queues on the local broker.

4.5.2. Viewing the broker diagram

You can view a diagram of all AMQ Broker resources in your topology, including brokers (live and backup brokers), producers and consumers, addresses, and queues.

Procedure

  1. In the left menu, click Artemis.
  2. In the main pane, click the Broker diagram tab.

    The console displays a diagram of the cluster topology. This includes all brokers in the cluster and any addresses and queues on the local broker, as shown in the figure.

    Figure 4.3. Broker diagram tab

    *Broker diagram* tab
  3. To change what items are displayed on the diagram, use the check boxes at the top of the diagram. Click Refresh.
  4. To show attributes for the local broker or an address or queue that is connected to it, click that node in the diagram. For example, the following figure shows a diagram that also includes attributes for the local broker.

    Figure 4.4. Broker diagram tab, including attributes

    *Broker diagram* tab

4.5.3. Viewing acceptors

You can view details about the acceptors configured for the broker.

Procedure

  1. In the left menu, click Artemis.
  2. In the folder tree, click acceptors.
  3. To view details about how an acceptor is configured, click the acceptor.

    The console shows the corresponding attributes on the Attributes tab, as shown in the figure.

    Figure 4.5. AMQP acceptor attributes

    AMQP acceptor attributes
  4. To see complete details for an attribute, click the attribute. An additional window opens to show the details.

4.5.4. Managing addresses and queues

An address represents a messaging endpoint. Within the configuration, a typical address is given a unique name.

A queue is associated with an address. There can be multiple queues per address. Once an incoming message is matched to an address, the message is sent on to one or more of its queues, depending on the routing type configured. Queues can be configured to be automatically created and deleted.

4.5.4.1. Creating addresses

A typical address is given a unique name, zero or more queues, and a routing type.

A routing type determines how messages are sent to the queues associated with an address. Addresses can be configured with two different routing types.

If you want your messages routed to…

Use this routing type…

A single queue within the matching address, in a point-to-point manner.

Anycast

Every queue within the matching address, in a publish-subscribe manner.

Multicast

You can create and configure addresses and queues, and then delete them when they are no longer in use.

Procedure

  1. In the left menu, click Artemis.
  2. In the folder tree, click addresses.
  3. In the main pane, click the Create address tab.

    A page appears for you to create an address, as shown in the figure.

    Figure 4.6. Create Address page

    AMQ Management Console Create Address
  4. Complete the following fields:

    Address name
    The routing name of the address.
    Routing type

    Select one of the following options:

    • Multicast: Messages sent to the address will be distributed to all subscribers in a publish-subscribe manner.
    • Anycast: Messages sent to this address will be distributed to only one subscriber in a point-to-point manner.
    • Both: Enables you to define more than one routing type per address. This typically results in an anti-pattern and is not recommended.

      Note

      If an address does use both routing types, and the client does not show a preference for either one, the broker defaults to the anycast routing type. The one exception is when the client uses the MQTT protocol. In that case, the default routing type is multicast.

  5. Click Create Address.

4.5.4.2. Sending messages to an address

The following procedure shows how to use the console to send a message to an address.

Procedure

  1. In the left menu, click Artemis.
  2. In the folder tree, select an address.
  3. On the navigation bar in the main pane, click MoreSend message.

    A page appears for you to create a message, as shown in the figure.

    Figure 4.7. Send Message page

    AMQ Management Console Send Message
  4. If necessary, click the Add Header button to add message header information.
  5. Enter the message body.
  6. In the Format drop-down menu, select an option for the format of the message body, and then click Format. The message body is formatted in a human-readable style for the format you selected.
  7. Click Send message.

    The message is sent.

  8. To send additional messages, change any of the information you entered, and then click Send message.

4.5.4.3. Creating queues

Queues provide a channel between a producer and a consumer.

Prerequisites

Procedure

  1. In the left menu, click Artemis.
  2. In the folder tree, select the address to which you want to bind the queue.
  3. In the main pane, click the Create queue tab.

    A page appears for you to create a queue, as shown in the figure.

    Figure 4.8. Create Queue page

    AMQ Management Console Create Queue
  4. Complete the following fields:

    Queue name
    A unique name for the queue.
    Routing type

    Select one of the following options:

    • Multicast: Messages sent to the parent address will be distributed to all queues bound to the address.
    • Anycast: Only one queue bound to the parent address will receive a copy of the message. Messages will be distributed evenly among all of the queues bound to the address.
    Durable
    If you select this option, the queue and its messages will be persistent.
    Filter
    The username to be used when connecting to the broker.
    Max Consumers
    The maximum number of consumers that can access the queue at a given time.
    Purge when no consumers
    If selected, the queue will be purged when no consumers are connected.
  5. Click Create Queue.

4.5.4.4. Checking the status of a queue

Charts provide a real-time view of the status of a queue on a broker.

Procedure

  1. In the left menu, click Artemis.
  2. In the folder tree, navigate to a queue.
  3. In the main pane, click the Chart tab.

    The console displays a chart that shows real-time data for all of the queue attributes.

    Figure 4.9. Chart tab for a queue

    Chart tab for a queue
    Note

    To view a chart for multiple queues on an address, select the anycast or multicast folder that contains the queues.

  4. If necessary, select different criteria for the chart:

    1. In the main pane, click Edit.
    2. On the Attributes list, select one or more attributes that you want to include in the chart. To select multiple attributes, press and hold the Ctrl key and select each attribute.
    3. Click the View Chart button. The chart is updated based on the attributes that you selected.

4.5.4.5. Browsing queues

Browsing a queue displays all of the messages in the queue. You can also filter and sort the list to find specific messages.

Procedure

  1. In the left menu, click Artemis.
  2. In the folder tree, navigate to a queue.

    Queues are located within the addresses to which they are bound.

  3. On the navigation bar in the main pane, click MoreBrowse queue.

    The messages in the queue are displayed. By default, the first 200 messages are displayed.

    Figure 4.10. Browse Queue page

    Browse Queue page
  4. To browse for a specific message or group of messages, do one of the following:

    To…​Do this…​

    Filter the list of messages

    In the Filter…​ text field, enter filter criteria. Click the search (that is, magnifying glass) icon.

    Sort the list of messages

    In the list of messages, click a column header. To sort the messages in descending order, click the header a second time.

  5. To view the content of a message, click the Show button.

    You can view the message header, properties, and body.

4.5.4.6. Sending messages to a queue

After creating a queue, you can send a message to it. The following procedure outlines the steps required to send a message to an existing queue.

Procedure

  1. In the left menu, click Artemis.
  2. In the folder tree, navigate to a queue.
  3. In the main pane, click the Send message tab.

    A page appears for you to compose the message.

    Figure 4.11. Send Message page for a queue

    Send Message to a Queue
  4. If necessary, click the Add Header button to add message header information.
  5. Enter the message body.
  6. In the Format drop-down menu, select an option for the format of the message body, and then click Format. The message body is formatted in a human-readable style for the format you selected.
  7. Click Send message. The message is sent.
  8. To send additional messages, change any of the information you entered, and click Send message.

4.5.4.7. Resending messages to a queue

You can resend previously sent messages.

Procedure

  1. Browse for the message you want to resend.
  2. Click the check box next to the message that you want to resend.
  3. Click the Resend button. The message is displayed.
  4. Update the message header and body as needed, and then click Send message.

4.5.4.8. Moving messages to a different queue

You can move one or more messages in a queue to a different queue.

Procedure

  1. Browse for the messages you want to move.
  2. Click the check box next to each message that you want to move.
  3. In the navigation bar, click Move Messages.

    A confirmation dialog box appears.

  4. From the drop-down menu, select the name of the queue to which you want to move the messages. Click Move.

4.5.4.9. Deleting messages or queues

You can delete a queue or purge all of the messages from a queue.

Procedure

  1. Browse for the queue you want to delete or purge.
  2. Do one of the following:

    To…​Do this…​

    Delete a message from the queue

    1. Click the check box next to each message that you want to delete.
    2. Click the Delete button.

    Purge all messages from the queue

    1. On the navigation bar in the main pane, click Delete queue.
    2. Click the Purge Queue button.

    Delete the queue

    1. On the navigation bar in the main pane, click Delete queue.
    2. Click the Delete Queue button.