Chapter 7. Security

AMQ JMS has a range of security-related configuration options that can be leveraged according to your application’s needs.

Basic user credentials such as username and password should be passed directly to the ConnectionFactory when creating the Connection within the application. However, if you are using the no-argument factory method, it is also possible to supply user credentials in the connection URI. For more information, see the Section 5.1, “JMS options” section.

Another common security consideration is use of SSL/TLS. The client connects to servers over an SSL/TLS transport when the amqps URI scheme is specified in the connection URI, with various options available to configure behavior. For more information, see the Section 5.3, “SSL/TLS options” section.

In concert with the earlier items, it may be desirable to restrict the client to allow use of only particular SASL mechanisms from those that may be offered by a server, rather than selecting from all it supports. For more information, see the Section 5.4, “AMQP options” section.

Applications calling getObject() on a received ObjectMessage may wish to restrict the types created during deserialization. Note that message bodies composed using the AMQP type system do not use the ObjectInputStream mechanism and therefore do not require this precaution. For more information, see the the section called “Deserialization policy options” section.

7.1. Enabling OpenSSL support

SSL/TLS connections can be configured to use a native OpenSSL implementation for improved performance. To use OpenSSL, the transport.useOpenSSL option must be enabled, and an OpenSSL support library must be available on the classpath.

To use the system-installed OpenSSL libraries on Red Hat Enterprise Linux, install the openssl and apr RPM packages and add the following dependency to your POM file:

Example: Adding native OpenSSL support


A list of OpenSSL library implementations is available from the Netty project.

7.2. Authenticating using Kerberos

The client can be configured to authenticate using Kerberos when used with an appropriately configured server. To enable Kerberos, use the following steps.

  1. Configure the client to use the GSSAPI mechanism for SASL authentication using the amqp.saslMechanisms URI option.

  2. Set the system property to the path of a JAAS login configuration file containing appropriate configuration for a Kerberos LoginModule.<login-config-file>

    The login configuration file might look like the following example:

    amqp-jms-client { required

The precise configuration used will depend on how you wish the credentials to be established for the connection, and the particular LoginModule in use. For details of the Oracle Krb5LoginModule, see the Oracle Krb5LoginModule class reference. For details of the IBM Java 8 Krb5LoginModule, see the IBM Krb5LoginModule class reference.

It is possible to configure a LoginModule to establish the credentials to use for the Kerberos process, such as specifying a principal and whether to use an existing ticket cache or keytab. If, however, the LoginModule configuration does not provide the means to establish all necessary credentials, it may then request and be passed the username and password values from the client Connection object if they were either supplied when creating the Connection using the ConnectionFactory or previously configured via its URI options.

Note that Kerberos is supported only for authentication purposes. Use SSL/TLS connections for encryption.

The following connection URI options can be used to influence the Kerberos authentication process.

The name of the login configuration entry used to authenticate. The default is amqp-jms-client.
The protocol value used during the GSSAPI SASL process. The default is amqp.
The serverName value used during the GSSAPI SASL process. The default is the server hostname from the connection URI.

Similar to the amqp. and transport. options detailed previously, these options must be specified on a per-host basis or as all-host nested options in a failover URI.