10.2. Configure and Run Active-MQ using Encrypted Passwords

Configure Password Encryption

ActiveMQ allows you to encrypt passwords and store them in configuration files. To encrypt the password, perform the following steps:
  1. Run encrypt command.
    $ bin/activemq encrypt --password encrypt123 --input password1
    INFO: Using default configuration
    Encrypted text: jkS8uzTLGwAoBzxEadnG6j7vkY1GD4Zt
    Where password is a secret used by the encryptor and input is the password you want to encrypt.
    Special characters, such as $/^&, are not supported. Use only alphanumeric characters for passwords.
  2. Add the password to the configuration file. By default, the credentials are added to the $ACTIVEMQ_HOME/conf/credentials-enc.properties.
    The contents of the credentials-enc.properties use the ENC() function to wrap encrypted passwords.
  3. Instruct the property loader to encrypt variables while loading properties to the memory.
    The property loader used for encryption is $ACTIVEMQ_HOME/examples/conf/activemq-security.xml.
    The contents of the activemq-security.xml shows the configuration that ActiveMQ uses to load encrypted passwords. The ACTIVEMQ_ENCRYPTION_PASSWORD environment variable is used to load the encryptor password. The property loads then de-crypts the password from the credential-enc.properties file.
    <bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
      <property name="algorithm" value="PBEWithMD5AndDES" />
      <property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD" />
    <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
      <property name="config" ref="environmentVariablesConfiguration" />
    <bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
      <constructor-arg ref="configurationEncryptor" />
      <property name="location" value="file:${activemq.base}/conf/credentials-enc.properties"/>
  4. Add the property to the activemq-security.xml as shown here:
        <authenticationUser username="system"
        <authenticationUser username="user"
        <authenticationUser username="guest"

Run Active-MQ using Encrypted Passwords

To run the Active-MQ broker with encrypted password configuration, follow the following steps:
  1. Set environment variable for encryption
     $ export ACTIVEMQ_ENCRYPTION_PASSWORD=encrypt123
  2. Set the AMQ broker
     $ bin/activemq start xbean:examples/conf/activemq-security.xml
  3. Reset the environment variable for encryption
    Resetting the environment is important to avoid saving passwords on your system.

Configuring the network connector

Given two brokers, Broker A and Broker B, where Broker A is configured to perform authentication, you can configure Broker B to log on to Broker A by setting the userName attribute and the password attribute in the networkConnector element, as follows:
<beans ...>
    <broker ...>
            <networkConnector name="BrokerABridge"

If Broker A is configured to connect to Broker B, Broker A's networkConnector element must also be configured with username/password credentials, even if Broker B is not configured to perform authentication. This is because Broker A's authentication plug-in checks for Broker A's username.