4.2. Securing the Web Console

Overview

By default the Red Hat JBoss A-MQ Web console is insecure. It does not require authentication and uses the standard HTTP transport. For most commercial deployments, it is advisable that the Web console is secured. Adding security is done by editing the etc/jetty.xml configuration file.

Enabling basic authentication

The Jetty server can be configured to enable HTTP basic authentication. Although the conf/jetty.xml file already includes most of the configuration required for basic authentication, the authentication feature is disabled by default. To enable it, search for the following line in the jetty.xml file: 
<property name="authenticate" value="false" />
Edit the value attribute, changing its value to true. The result should be similar to: 
<property name="authenticate" value="true" />
When you restart the broker, basic authentication will be enabled on the Web console. For example, you can log on using the credentials, username=admin, password=admin.

Editing user credentials

The Jetty user data are stored in the conf/jetty-realm.properties file, which you can edit to add user credentials and roles. Each user is defined on a separate line, which has the following format: 
Username: Password [, Role01, Role02, ... ]
For example, to define the user with username, jblogs, password, secret, and role, developer, you would add the following line to the jetty-realm.properties file: 
jblogs: secret, developer

Enabling SSL security

To enable SSL security on the Jetty server, edit the Connector bean in the conf/jetty.xml file. Replace the org.eclipse.jetty.server.nio.SelectChannelConnector class with the org.eclipse.jetty.server.ssl.SslSelectChannelConnector class. Specify the relevant properties of the SslSelectChannelConnector class in order to configure the Jetty server's HTTPS port as shown in Example 4.2, “SSL Enabled Web Console Configuration”.

Example 4.2. SSL Enabled Web Console Configuration

<property name="connectors">
  <list>
    <bean id="Connector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <property name="port"        value="8443" />
      <property name="maxIdleTime" value="30000"/>
      <property name="keystore"    value="${activemq.home}/conf/broker.ks"/>
      <property name="password"    value="testjetty"/>
      <property name="keyPassword" value="testjetty"/>
      <property name="truststore"  value="${activemq.home}/conf/broker.ks"/>
    </bean>
  </list>
</property>
The SslSelectChannelConnector properties can be explained as follows:
  • port—specifies the secure IP port number (accessible through HTTPS).
  • maxIdleTime—specifies the connection idle time in milliseconds. If there is no activity on a connection for longer than this timeout, the connection will be closed.
  • keystore—specifies the location of the Jetty server's X.509 certificate, which is stored in a Java keystore file on the file system. The Jetty server uses this certificate to identify itself to a client, during the SSL handshake.
  • password—specifies the store password, which is needed to unlock the keystore file. See the Security Guide.
  • keyPassword—specifies the key password, which is used to decrypt the private key that is stored within the keystore file. Typically, the store password and the key password are identical. Some SSL implementations even require this to be the case.
  • truststore—specifies the location of a Java keystore file that contains a list of one or more trusted certificates, which can be used during the SSL handshake to check that incoming client certificates are correctly signed.
    Note
    In the current example, the truststore is actually irrelevant, because clients are not required to send a certificate to the Jetty server.
When SSL security is configured as shown, you can access the Web console through the HTTPS protocol using the URL https://localhost:8443/admin.
Warning
The broker.ks certificate used in the example is insecure. Anyone can access its private key. To secure your system properly, you must create new certificates signed by a trusted CA, as described in the Security Guide.

Reference

For more details about the properties you can set on the SslSelectChannelConnector class, see http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/server/ssl/SslSocketConnector.html.