LibraryToggle FramesPrintFeedback

Authentication for the Platform JMX Connector

Prerequisites

In order for Fuse Message Broker to use the JVM platform JMX connector, you must disable the Apache ActiveMQ JMX connector by setting the createConnector attribute to false on the managementContext element. Edit the default broker configuration file, ACTIVEMQ_BASE/conf/activemq.xml using your favorite text editor, so that the managementContext element is defined as follows:

<broker xmlns="http://activemq.org/config/1.0" brokerName="localhost" useJmx="true">
  ...
  <managementContext>
     <managementContext createConnector="false"/>
  </managementContext>
  ...
</broker>

Authentication alternatives

The following alternative authentication mechanisms are supported for the platform JMX connector:

  • Simple authentication—configure authentication by providing two files: a jmx.password file, which contains login details, and a jmx.access file, which defines access rights for the defined users.

  • JAAS authentication—configure authentication using JAAS realms and login modules.

Enable simple authentication

To enable the simple authentication mechanism for the JVM platform JMX connector, perform the following steps:

  1. If not already present in the ACTIVEMQ_BASE/conf/ directory, create the password file, ACTIVEMQ_BASE/conf/jmx.password, and add the following lines using your favorite text editor:

    # The "admin" user has password "activemq".
    admin activemq

    The preceding file defines a single user identity, admin, and the corresponding password, activemq.

  2. If not already present in the ACTIVEMQ_BASE/conf/ directory, create the access file, ACTIVEMQ_BASE/conf/jmx.access, and add the following lines:

    # The "admin" user has readwrite access.
    admin readwrite

    This file enables you to define two kinds of access:

    readonly

    Users can read MBean attributes.

    readwrite

    Users can read and write MBean attributes, invoke operations on MBeans, and create and delete MBeans. Additional clauses can be added to readwrite access in order to specify which types of MBean users can create and to specify whether or not users have permission to delete MBeans. For details of this syntax, see the comments in the JAVA_HOME/jre/lib/management/jmxremote.access file.

  3. Using file system permissions, ensure that the jmx.password file you created in the previous step is readable and writable only by the user that runs the Apache ActiveMQ broker. All other users must have read and write permissions disabled.

    Windows

    Form Windows Explorer, right-click on jmx.password and select Properties. Click on the Security tab and remove all groups or users that have access to this file, except for the current user.

    *NIX

    While logged in as the user that runs the broker, enter the following command to clear all permissions for group and others on the jmx.password file:

    chmod u=rw,go= jmx.password
    [Note]Note

    If you do not modify the file permissions as specified here, the Apache ActiveMQ broker will refuse to start up, when JMX authentication is enabled.

  4. Modify the activemq[.bat] startup script in the ACTIVEMQ_BASE/bin/ directory, as appropriate for your platform:

    Windows

    Search the activemq.bat script for SUNJMX and replace the lines you find with the following lines:

    set SUNJMX=-Dcom.sun.management.jmxremote
    set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.port=11099 
    set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.password.file=%ACTIVEMQ_HOME%\conf\jmx.password
    set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.access.file=%ACTIVEMQ_HOME%\conf\jmx.access
    set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.ssl=false
    *NIX

    Search the activemq script for ACTIVEMQ_SUNJMX_START and uncomment the following lines:

    ACTIVEMQ_SUNJMX_START="-Dcom.sun.management.jmxremote.port=11099 "
    ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_CONFIG_DIR}/jmx.password"
    ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_CONFIG_DIR}/jmx.access"
    ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.ssl=false"
    [Warning]Warning

    In the current example, SSL is disabled. This configuration is not recommended in a production environment, because it leaves your JMX login credentials vulnerable to snooping.

  5. Start up the standalone broker. Open a new command prompt and run the startup script, as follows:

    bin/activemq
  6. You should now be able to connect to the JVM platform JMX connector using the following JMX URL:

    service:jmx:rmi:///jndi/rmi://Hostname:11099/jmxrmi

    Where you substitute Hostname with the name of the host where the broker is running. In the course of establishing the connection, you will be prompted to log in.

    For example, to run the standard JConsole provided with the JDK, enter the following command at a command prompt:

    jconsole

    When the JConsole: New Connection dialog pops up, enter the preceding JMX URL in the Remote Process: field, and enter the credentials for one of the JMX users in the Username and Password fields, as shown. Click Connect.

Enable JAAS authentication

To enable JAAS authentication for the JVM platform JMX connector, perform the following steps:

  1. Using your favorite text editor, create the file, conf/login.config, and add the following lines:

    PropertiesAuth {
        org.apache.activemq.jaas.PropertiesLoginModule required
        debug=true
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
    };
    [Note]Note

    The current example illustrates how to configure JAAS using the PropertiesLoginModule, as described in JAAS Username/Password Authentication Plug-In. In practice, however, you could use any of the login modules described in JAAS Authentication.

  2. Create the conf/users.properties file (which defines credentials in the format, User=Password), and add the following line:

    system=manager

    Create the conf/groups.properties file (which defines user groups in the format, Group=UserList), and add the following lines:

    admins=system
    readwrite=system
    users=system
  3. Modify the activemq[.bat] startup script in the ACTIVEMQ_BASE/bin/ directory, as appropriate for your platform:

    Windows

    Search the activemq.bat script for SUNJMX and replace the lines you find with the following lines:

    set SUNJMX=-Dcom.sun.management.jmxremote
    set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.port=11099 
    set SUNJMX=%SUNJMX% -Djava.security.auth.login.config=%ACTIVEMQ_HOME%\conf\login.config
    set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.login.config=PropertiesAuth
    set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.ssl=false
    *NIX

    Search the activemq script for ACTIVEMQ_SUNJMX_START and replace the lines you find with the following lines:

    ACTIVEMQ_SUNJMX_START="-Dcom.sun.management.jmxremote"
    ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.port=2010"
    ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.login.config=PropertiesAuth"
    ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Djava.security.auth.login.config=${ACTIVEMQ_CONFIG_DIR}/login.config"
    ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.ssl=false"
    [Warning]Warning

    In the current example, SSL is disabled. This configuration is not recommended in a production environment, because it leaves your JMX login credentials vulnerable to snooping.

  4. Because the JVM platform JMX security is initialized before the Apache ActiveMQ classpath is set, you need to copy the requisite JAR libraries to the JVM extension folder. Copy the following JAR files from ACTIVEMQ_HOME/lib to JAVA_HOME/lib/ext (or JAVA_HOME/jre/lib/ext, as appropriate):

    activemq-jaas-5.5.1-fuse-00-xx.jar
    commons-logging-CommonsVersion.jar

    Copy the following JAR file from ACTIVEMQ_HOME/lib/optional to JAVA_HOME/lib/ext:

    log4j-Log4jVersion.jar
  5. Using your favorite text editor, modify the file, JAVA_HOME/jre/lib/management/jmxremote.access, to add access rights to your users, by adding the following line:

    system readwrite
  6. Start up the standalone broker. Open a new command prompt and run the startup script, as follows:

    bin/activemq
  7. Using a JMX client, you should now be able to connect to the JVM platform JMX connector using the following JMX URL:

    service:jmx:rmi:///jndi/rmi://Hostname:11099/jmxrmi

    When prompted, enter one of the configured credentials to log on to JMX—for example, with the username, system, and the password, manager.

Comments powered by Disqus