Chapter 4. Configuration

4.1. Setting Up User Access to AMQ Console

You can access AMQ Console using the broker login credentials. The following table provides information about different methods to add additional broker users to access AMQ Console:

Authentication Method / Description

  Guest Authentication
    Enables anonymous access. In this configuration, any user who connects without credentials or with the wrong credentials will be authenticated automatically and assigned a specific user and role.
    For more information, see Enabling Guest Access in Using AMQ Broker.

  Basic User and Password Authentication
    For each user, you must define a username and password and assign a security role. Users can only log into AMQ Console using these credentials.
    For more information, see Enabling Password Authentication in Using AMQ Broker.

  LDAP Authentication
    Users are authenticated and authorized by checking the credentials against user data stored in a central X.500 directory server.
    For more information, see Adding Certificate-Based Authentication in Using AMQ Broker.

4.2. Securing AMQ Console and AMQ Broker Connections

To allow AMQ Console to access resources on the broker, specify the permitted origin URLs that can access it by editing the allow-origin parameters in the access management configuration file on the broker.

Prerequisite

  • You must first upgrade to AMQ Broker 7.1.0, during which the access management configuration file named jolokia-access.xml is added to the broker instance. For more information about upgrading, see Upgrading Your Broker to 7.1.0 in Using AMQ Broker.

Procedure

  1. Open the BROKER_INSTANCE_DIR/etc/jolokia-access.xml file in a text editor.
  2. Within the <cors> section, edit the allow-origin settings to add each URL that you want to allow to access AMQ Console. For example:

    <cors>
       <!-- allow access to web console from localhost -->
       <allow-origin>https://localhost:8161/*</allow-origin>
       <!-- Check for the proper origin on the server side, too -->
       <strict-checking/>
    </cors>
  3. Save the file.

4.3. Securing Network Access to AMQ Console

To secure AMQ Console when it is accessed over a WAN or the internet, use SSL so that network access uses https instead of http.

Prerequisites

The following files must be located in BROKER_INSTANCE_DIR/etc/:

  • Java KeyStore (.jks)
  • Java TrustStore (only if you want to require client authentication)

Procedure

  1. Open the BROKER_INSTANCE_DIR/etc/bootstrap.xml file.
  2. In the <web> element, add the following attributes:

    <web bind="https://localhost:8161"
        path="web"
        keyStorePath="<path_to_KeyStore>"
        keyStorePassword="<password>"
        clientAuth="<true/false>"
        trustStorePath="<path_to_TrustStore>"
        trustStorePassword="<password>">
        ...
    </web>
    bind
    Change the URI scheme to https.
    keyStorePath
    The path of the KeyStore file. For example:

        keyStorePath="${artemis.instance}/etc/keystore.jks"

    keyStorePassword
    The KeyStore’s password.
    clientAuth
    Specifies whether client authentication is required. The default is false; set it to true to require client authentication.
    trustStorePath
    The path of the TrustStore file. This attribute is only needed if clientAuth is true.
    trustStorePassword
    The TrustStore’s password.
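The following checker, added here as an example and not part of AMQ Broker, reads the two files edited in sections 4.2 and 4.3 and reports the weak settings those procedures are meant to remove: a wildcard or non-https allow-origin, a missing strict-checking element, a web bind that is still http, and clientAuth without a TrustStore. The <restrict> root of jolokia-access.xml and the <broker> root of bootstrap.xml are assumed; the sample fragments are constructed.

```python
from typing import List
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def _section(xml_text: str, tag: str):
    """Return the <tag> element, whether it is the root or nested inside one."""
    root = ET.fromstring(xml_text)
    return root if root.tag == tag else root.find(".//" + tag)


def audit_cors(xml_text: str) -> List[str]:
    """Findings for the <cors> section of jolokia-access.xml (section 4.2)."""
    findings = []
    cors = _section(xml_text, "cors")
    if cors is None:
        return ["no <cors> section: origins are not restricted"]
    origins = [o.text.strip() for o in cors.findall("allow-origin") if o.text]
    if not origins:
        findings.append("no <allow-origin> entries")
    for origin in origins:
        if origin == "*" or "*" in urlparse(origin).netloc:
            findings.append(f"wildcard origin {origin!r} admits any site")
        elif urlparse(origin).scheme != "https":
            findings.append(f"non-https origin {origin!r}")
    if cors.find("strict-checking") is None:
        findings.append("<strict-checking/> missing: Origin is not checked server-side")
    return findings


def audit_web(xml_text: str) -> List[str]:
    """Findings for the <web> element of bootstrap.xml (section 4.3)."""
    findings = []
    web = _section(xml_text, "web")
    if web is None:
        return ["no <web> element"]
    if urlparse(web.get("bind", "")).scheme != "https":
        findings.append("bind does not use https")
    if web.get("clientAuth", "false").lower() == "true" and not web.get("trustStorePath"):
        findings.append("clientAuth is true but trustStorePath is not set")
    return findings


# Constructed sample files; the <restrict> and <broker> roots are assumed.
WEAK_CORS = "<restrict><cors><allow-origin>*</allow-origin></cors></restrict>"
GOOD_CORS = ("<restrict><cors><allow-origin>https://localhost:8161/*</allow-origin>"
             "<strict-checking/></cors></restrict>")
WEAK_WEB = '<broker><web bind="http://localhost:8161" path="web"/></broker>'
```

Run the two audit functions against the real files after each change to the procedures above; an empty list means the section is configured as described.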

4.4. Configuring AMQ Interconnect for AMQ Console

To access AMQ Interconnect from AMQ Console, you must add a listener that accepts incoming WebSocket traffic from AMQ Console.

Procedure

  1. Open the router’s configuration file.

    The default router configuration file is located at /etc/qpid-dispatch/qdrouterd.conf. If you have multiple routers, you should open the configuration file of the router through which you want to connect to AMQ Console.

  2. Add an incoming connection for AMQ Console management traffic.

    listener {
        name: NAME
        role: normal
        host: HOST
        port: PORT
        http: yes
        ...
    }
    name
    The name of the incoming connection.
    role
    Set this to normal.
    host
    Either an IP address (IPv4 or IPv6) or hostname.
    port
    The port number or symbolic service name.
    http
    Set this to yes.