enabling security for activemq jmx access
TRANSCRIPT
Enabling security for ActiveMQ JMX access
By Ramakrishna Narkedamilli
Overview:
Apache ActiveMQ is the most popular and powerful open source messaging and Integration Patterns server. It is fast, supports many Cross Language Clients. Using this we can enable to message throttling, redelivery, delay of messages.
In the presentation will see how to enable the security for ActiveMQ JMX access to monitor and control ActiveMQ behaviour.
Accessing ActiveMQ through JMX in unsecured way:
First I will run the ActiveMQ instance with default configuration to show how we can access ActiveMQ JMX without entering any credentials (kind of unsecured access).
Note: Add useJmx="true" attribute in the broker tag for a file “activemq.xml” available under ActiveMQ root folder/conf (as highlighted below). Otherwise you can’t access the ActiveMQ JMX.
1) First, run the activemq.bat available under ActiveMQ root folder/bin
2) Now, open the jconsole using command prompt
3) Select the option “Remote Process” and enter “localhost:1099” and click on connect.
4) It will take you to the JMX console to monitor and control activemq.
Here we can observe that, we are able to access ActiveMQ through JMX without entering any security credentials.
This will be a one of security problem and we can see now how to solve by enabling the security for ActiveMQ JMX issue.
Accessing ActiveMQ through JMX in secured way:
To enable security, below are the lists of files needs changes a) jmx.access & jmx.password available under ActiveMQ root folder/conf. b) activemq.xml available under ActiveMQ root folder/conf. c) activemq.bat available ActiveMQ root folder/bin.
The procedure follows
1) The jmx.access & jmx.password files contain access privileges and credentials respectively. Update these files to add the new user or to update the existing user credentials accordingly.
2) Now, it’s time to protect the jmx.password file. Make sure that file jmx.password has got only read permission to the user who’s going to run activemq.
Right click on jmx.password file properties Security Advanced Change permissions Edit update permissions accordingly ok
Note: The above step required when the file got access (read/write) to other users on system apart from user who’s going to run activemq. Otherwise you can skip this step.
In case if you forget to change file permissions and tried to start activmq, you will get the below error
3) Add managementContext configuration under broker tag in activemq.xml file to disable the ActiveMQ own connector creation so that it will use the default JVM JMX connector
4) Finally modify the activemq.bat to add extra parameters to specify the location of JMX files and other configuration.(as highlighted)
We are done with the required changes and now time to start activemq and open jconsole again.
If you try to login now without entering credentials, activemq won’t allow to login. Enter valid credentials that we specified in a file “jmx.password” to login.
THANKS YOU By Ramakrishna Narkedamilli