
SSL/TLS for the Platform JMX Connector

Overview

System properties for SSL/TLS

To enable SSL/TLS on the platform JMX connector, you need to set the following system properties in the environment (see also Configuring JSSE System Properties):

com.sun.management.jmxremote.ssl

A boolean property, which must be set to true to enable SSL/TLS on the JMX endpoint.

javax.net.ssl.keyStore

Specifies the location of the key store containing the broker's own X.509 certificate.

javax.net.ssl.keyStorePassword

Specifies the password that unlocks the key store and decrypts the private key stored in the key store.

Note

It is not possible to enable SSL/TLS security without JMX remote authentication. JMX remote authentication is a prerequisite for enabling SSL/TLS on the JMX port.

Enable SSL/TLS

Modify the activemq[.bat] startup script in the ACTIVEMQ_BASE/bin/ directory, as appropriate for your platform:

Windows

Search the activemq.bat script for SUNJMX and replace the lines you find with the following lines:

set SUNJMX=-Dcom.sun.management.jmxremote
set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.ssl=true
set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.port=11099
set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.password.file=%ACTIVEMQ_HOME%\conf\jmx.password
set SUNJMX=%SUNJMX% -Dcom.sun.management.jmxremote.access.file=%ACTIVEMQ_HOME%\conf\jmx.access
set SUNJMX=%SUNJMX% -Djavax.net.ssl.keyStore=%ACTIVEMQ_HOME%\conf\broker.ks
set SUNJMX=%SUNJMX% -Djavax.net.ssl.keyStorePassword=password

*NIX

Search the activemq script for ACTIVEMQ_SUNJMX_START and replace the lines you find with the following lines:

ACTIVEMQ_SUNJMX_START="-Dcom.sun.management.jmxremote.port=11099"
ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_CONFIG_DIR}/jmx.password"
ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_CONFIG_DIR}/jmx.access"
ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.ssl=true"
ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote"
ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Djavax.net.ssl.keyStore=${ACTIVEMQ_CONFIG_DIR}/broker.ks"
ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Djavax.net.ssl.keyStorePassword=password"

If you have already enabled JMX remote authentication (as described in Authentication for the Platform JMX Connector), the only changes you need to make here are to enable SSL, by setting com.sun.management.jmxremote.ssl to true, and to add the keyStore and keyStorePassword settings as shown.
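The following check is an added example, not part of the original page or the ActiveMQ scripts: it audits an option string of the kind assigned to ACTIVEMQ_SUNJMX_START for the settings listed above. The function names, the /opt/activemq/conf path and both sample strings are constructed for illustration, and the check assumes option values contain no spaces. It relies on the standard com.sun.management.jmxremote.authenticate property and on the JVM using the last value when a -D property is repeated.

```shell
#!/bin/sh
# Added example: audit JMX connector options before starting the broker.

# Print the value of the last -DNAME=value token in OPTS ($1).
# When a -D property is repeated, the JVM uses the last one.
opt_value() {
    val=
    for tok in $1; do
        case "$tok" in
            "-D$2="*) val=${tok#"-D$2="} ;;
        esac
    done
    printf '%s' "$val"
}

# Print one FAIL line per problem; return 0 only when there are none.
audit_jmx_opts() {
    p=com.sun.management.jmxremote
    findings=0
    [ "$(opt_value "$1" "$p.ssl")" = "true" ] ||
        { echo "FAIL: $p.ssl is not set to true"; findings=$((findings+1)); }
    # SSL/TLS on the JMX port requires JMX remote authentication.
    [ "$(opt_value "$1" "$p.authenticate")" != "false" ] ||
        { echo "FAIL: $p.authenticate=false disables authentication"; findings=$((findings+1)); }
    for name in "$p.password.file" "$p.access.file" \
                javax.net.ssl.keyStore javax.net.ssl.keyStorePassword; do
        [ -n "$(opt_value "$1" "$name")" ] ||
            { echo "FAIL: $name is missing"; findings=$((findings+1)); }
    done
    [ "$findings" -eq 0 ]
}

CONF=/opt/activemq/conf   # constructed stand-in for ${ACTIVEMQ_CONFIG_DIR}
# The *NIX settings from this page, joined into one string.
PAGE_OPTS="-Dcom.sun.management.jmxremote.port=11099 \
-Dcom.sun.management.jmxremote.password.file=$CONF/jmx.password \
-Dcom.sun.management.jmxremote.access.file=$CONF/jmx.access \
-Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote \
-Djavax.net.ssl.keyStore=$CONF/broker.ks -Djavax.net.ssl.keyStorePassword=password"
# Constructed weak sample: a later ssl=false overrides ssl=true, no key store.
WEAK_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=11099 \
-Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.authenticate=false \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.password.file=$CONF/jmx.password \
-Dcom.sun.management.jmxremote.access.file=$CONF/jmx.access"

if audit_jmx_opts "$PAGE_OPTS"; then echo "page settings: no findings"; fi
audit_jmx_opts "$WEAK_OPTS" || echo "weak sample: findings listed above"
```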

Test the secure connection

To test the secure platform JMX connector, perform the following steps:

  1. Start up the standalone broker. Open a new command prompt and run the startup script, as follows:

    bin/activemq

  2. Start up the JConsole with the required SSL/TLS client settings, as follows:

    jconsole -J-Djavax.net.ssl.trustStore=ActiveMQInstallDir/conf/client.ts \
             -J-Djavax.net.ssl.trustStorePassword=password

    The jconsole command uses the standard JSSE system properties to specify the relevant client trust store (see Configuring JSSE System Properties for details).

    Tip

    Don't forget the -J switch, which passes the options through to the underlying Java virtual machine (JVM).

  3. You should be able to connect to the JVM platform JMX connector using the following JMX URL:

    service:jmx:rmi:///jndi/rmi://Hostname:11099/jmxrmi

    Where you substitute Hostname with the name of the host where the broker is running.

    When the JConsole: New Connection dialog pops up, enter the preceding JMX URL in the Remote Process: field, and enter the credentials for one of the JMX users in the Username and Password fields, as shown. Click Connect.
