
Securing connections

Dannes Wessels edited this page Mar 22, 2016 · 24 revisions

Authentication

Client authentication

Add a snippet like the one below to the <broker> section of the activemq.xml configuration file. Note that ActiveMQ provides more sophisticated authentication features for 'real world' use; the ActiveMQ project documents pluggable security through various providers (for example JAAS login modules), and the simple plugin shown here is mainly suitable for development and small installations.

Server side

Add an XML fragment to enable (simple) authentication. Note the anonymousAccessAllowed attribute: with it set to false the broker refuses every connection that does not present valid credentials. The users and passwords below are sample values stored in clear text in activemq.xml; replace them and restrict read access to the file.

<plugins>
  <simpleAuthenticationPlugin anonymousAccessAllowed="false">
    <users>
        <!-- sample credentials: replace before deploying -->
        <authenticationUser username="system" password="manager"  groups="users,admins"/>
        <authenticationUser username="user"   password="password" groups="users"/>
        <authenticationUser username="myusername" password="mypassword" groups="guests"/>
    </users>
  </simpleAuthenticationPlugin>
</plugins>

On the client side, define connection.username and connection.password either in the XQuery scripts or in conf.xml:

Client side, XML config

  <parameter name="connection.username" value="myusername"/>
  <parameter name="connection.password" value="mypassword"/>

Client side, in XQuery

let $jmsConfiguration :=
    (: map syntax of eXist-db at the time: "key" := "value" (XQuery 3.1 writes "key": "value") :)
    map {
        "java.naming.factory.initial" 
            := "org.apache.activemq.jndi.ActiveMQInitialContextFactory",
        "java.naming.provider.url" := "tcp://localhost:61616",
        "destination" := "dynamicQueues/eXistdb-messaging-demo",
        "connection-factory" := "ConnectionFactory",
        (: must match an authenticationUser configured on the broker :)
        "connection.username" := "myusername",
        "connection.password" := "mypassword"
    }

Secure connection with SSL

On the ActiveMQ website there is plenty of documentation on how to secure connections between ActiveMQ clients and an ActiveMQ broker.

In short:

  • Create a keystore for the broker
  • Create a truststore for the client from the certificate of the broker
  • Create a keystore for the client
  • Create a truststore for the broker from the certificate of the client

Server side

Add the following XML fragments to the <beans>/<broker> section, if not yet present, to enable the SSL connector. The keystore password is a sample value; replace it. TLSv1 and TLSv1.1 are deprecated, so unless you must support legacy clients restrict transport.enabledProtocols to TLSv1.2 (and TLSv1.3 where the JVM supports it):

<beans>
  <broker>

    <!-- Enable SSL connector -->
    <transportConnectors>
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61618?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    </transportConnectors>

    <!-- Set path to keystore -->
    <sslContext>     
      <sslContext keyStore="/path/to/broker.ks" keyStorePassword="password"/>
    </sslContext>

    <!-- Set user authentication details-->
    <plugins>
      <simpleAuthenticationPlugin anonymousAccessAllowed="false">
        <users>
          <!-- See top of page -->
        </users>
      </simpleAuthenticationPlugin>
    </plugins>

  </broker>
</beans>

Set needClientAuth=true on the transport connector if the client must authenticate with its client certificate. In that case the <simpleAuthenticationPlugin> section can be left out and the broker's truststore is used instead: only clients whose certificate (or issuing CA) is in the truststore can complete the TLS handshake. Be aware of two consequences. First, without an authentication plugin the broker does not map the certificate to a user, so every client with a trusted certificate has the same, unrestricted access; if you need per-client identities, look at ActiveMQ's jaasCertificateAuthenticationPlugin. Second, any other transportConnector that is still configured (for example the default tcp://0.0.0.0:61616) keeps accepting unauthenticated connections, so remove it or protect it as well:

<beans>
  <broker>

    <!-- Enable SSL connector with client authentication -->
    <transportConnectors>
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61618?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    </transportConnectors>

    <!-- Set paths to keystore and truststore -->
    <sslContext>
      <sslContext keyStore="/path/to/broker.ks"    keyStorePassword="password"
                  trustStore="/path/to/broker.ts"  trustStorePassword="password"/>
    </sslContext>

  </broker>
</beans>

Client side

This still needs to be worked out; there are probably better options. For now edit bin/functions.d/eXist-settings.sh and add the following to the set_java_options() section. Be aware that system properties passed this way are visible to every local user in the process listing (ps), so the keystore password is not a secret on a shared host; at least make the keystore and truststore files readable only by the user running eXist-db:

JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.keyStore=/path/to/client.ks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=/path/to/client.ts";

For debugging the SSL layer the following snippet can be added (it is very verbose and logs handshake details, so remove it again once the connection works):

JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.debug=ssl,handshake";

Jetty

Don't forget to harden the web console! For this

  1. Enable the SSL connector
  2. Update the admin password

Enable the SSL connector

Edit conf/jetty.xml and uncomment the following section. Note that the broker keystore is used for the SSL certificate, together with its default password 'password': set keyStorePassword to the real password of your keystore, and do not leave the plain http connector enabled once https works:

<!--
    Enable this connector if you wish to use https with web console
-->
<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server"/>
    <constructor-arg>
        <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
            <property name="keyStorePath" value="${activemq.conf}/broker.ks"/>
            <property name="keyStorePassword" value="password"/>
        </bean>
    </constructor-arg>
    <property name="port" value="8162"/>
</bean>

Update the admin password

Edit the file conf/jetty-realm.properties and change the passwords! Each line has the form `username: password, role`, and the file as shipped contains the default credentials admin/admin and user/user, which must not survive into production.
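The hardening points above (no plaintext connector, no legacy TLS versions, anonymous access off, no sample passwords in activemq.xml, no default web console credentials) are easy to miss when a broker is configured by hand. The script below is an added example, not code from eXist-db or ActiveMQ: it audits an activemq.xml fragment and a jetty-realm.properties file for exactly those points. The severities, the set of TLS-capable connector schemes and the list of sample passwords are the author's own choices, and both sample inputs are constructed (the first is the configuration from this page, the second a hardened variant).

```python
"""Audit an ActiveMQ broker configuration for the hardening points on this page.

Added example (not part of eXist-db or ActiveMQ). Sample inputs are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Passwords that appear in the ActiveMQ samples and in the fragments on this page.
DEFAULT_SECRETS = {"password", "manager", "mypassword", "admin", "user"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
TLS_SCHEMES = {"ssl", "nio+ssl", "stomp+ssl", "mqtt+ssl", "amqp+ssl", "https"}


def _local(tag):
    """Strip an XML namespace: '{http://activemq.apache.org/schema/core}broker' -> 'broker'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def audit_broker_xml(xml_text):
    """Return (severity, message) findings for an activemq.xml <beans>/<broker> fragment."""
    root = ET.fromstring(xml_text)
    findings = []
    client_cert_auth = False
    for tc in _find_all(root, "transportConnector"):
        uri = urlsplit(tc.get("uri", ""))
        params = {k: v[-1] for k, v in parse_qs(uri.query).items()}
        name = tc.get("name", uri.scheme)
        if uri.scheme not in TLS_SCHEMES:
            findings.append(("HIGH", f"connector '{name}' is plaintext: {uri.scheme}://{uri.netloc}"))
            continue
        enabled = set(params.get("transport.enabledProtocols", "").split(",")) - {""}
        legacy = enabled & LEGACY_PROTOCOLS
        if legacy:
            findings.append(("MEDIUM", f"connector '{name}' enables {', '.join(sorted(legacy))}"))
        if params.get("needClientAuth", "false").lower() == "true":
            client_cert_auth = True
    plugins = _find_all(root, "simpleAuthenticationPlugin")
    if not plugins and not client_cert_auth:
        findings.append(("HIGH", "no authentication plugin and no needClientAuth connector"))
    for plugin in plugins:
        # ActiveMQ defaults anonymousAccessAllowed to false; only an explicit true is a finding.
        if plugin.get("anonymousAccessAllowed", "false").lower() == "true":
            findings.append(("HIGH", "simpleAuthenticationPlugin allows anonymous access"))
        for user in _find_all(plugin, "authenticationUser"):
            if user.get("password", "") in DEFAULT_SECRETS:
                findings.append(("HIGH", f"user '{user.get('username')}' has a sample password"))
    for ctx in _find_all(root, "sslContext"):
        for attr in ("keyStorePassword", "trustStorePassword"):
            if ctx.get(attr, "") in DEFAULT_SECRETS:
                findings.append(("MEDIUM", f"sslContext {attr} is a well-known default"))
    return findings


def audit_jetty_realm(properties_text):
    """Check Jetty's HashLoginService file ('username: password[, role ...]')."""
    findings = []
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        username, rest = (part.strip() for part in line.split(":", 1))
        password = rest.split(",", 1)[0].strip()
        if password == username or password in DEFAULT_SECRETS:
            findings.append(("HIGH", f"web console user '{username}' has a default password"))
        elif not password.startswith(("OBF:", "MD5:", "CRYPT:")):
            findings.append(("LOW", f"web console user '{username}' password is stored in clear text"))
    return findings


# Constructed samples: the configuration from this page, and a hardened variant.
SAMPLE_BROKER_XML = """\
<beans><broker>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61618?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;maximumConnections=1000"/>
  </transportConnectors>
  <sslContext><sslContext keyStore="/path/to/broker.ks" keyStorePassword="password"/></sslContext>
  <plugins><simpleAuthenticationPlugin anonymousAccessAllowed="false"><users>
    <authenticationUser username="system" password="manager" groups="users,admins"/>
  </users></simpleAuthenticationPlugin></plugins>
</broker></beans>"""

HARDENED_BROKER_XML = """\
<beans><broker>
  <transportConnectors>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61618?needClientAuth=true&amp;transport.enabledProtocols=TLSv1.2,TLSv1.3"/>
  </transportConnectors>
  <sslContext><sslContext keyStore="/path/to/broker.ks" keyStorePassword="kS-9f2!Qv7"
                          trustStore="/path/to/broker.ts" trustStorePassword="tS-4h8?Lm1"/></sslContext>
</broker></beans>"""

SAMPLE_REALM = "# username: password [,rolename ...]\nadmin: admin, admin\nuser: user, user\n"
HARDENED_REALM = "admin: OBF:1u2a1toa1w8v1tok1u30, admin\n"  # OBF: value is a placeholder

if __name__ == "__main__":
    for label, findings in (("activemq.xml", audit_broker_xml(SAMPLE_BROKER_XML)),
                            ("jetty-realm.properties", audit_jetty_realm(SAMPLE_REALM))):
        for severity, message in findings:
            print(f"{label}: [{severity}] {message}")
```

Run it against your own files by reading them into the two audit functions; the page's own fragments produce four broker findings (the plaintext openwire connector, the TLSv1/TLSv1.1 list, the sample user password and the default keystore password) and two web console findings, while the hardened variant produces none. Namespaced activemq.xml files work too, because only the local element names are matched.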