Chapter 7. Security
AMQ JMS has a range of security-related configuration options that can be leveraged according to your application’s needs.
Basic user credentials such as username and password should be passed directly to the ConnectionFactory
when creating the Connection
within the application. However, if you are using the no-argument factory method, it is also possible to supply user credentials in the connection URI. For more information, see the Section 5.1, “JMS options” section.
Another common security consideration is use of SSL/TLS. The client connects to servers over an SSL/TLS transport when the amqps
URI scheme is specified in the connection URI, with various options available to configure behavior. For more information, see the Section 5.3, “SSL/TLS options” section.
In concert with the earlier items, it may be desirable to restrict the client to allow use of only particular SASL mechanisms from those that may be offered by a server, rather than selecting from all it supports. For more information, see the Section 5.4, “AMQP options” section.
Applications calling getObject()
on a received ObjectMessage
may wish to restrict the types created during deserialization. Note that message bodies composed using the AMQP type system do not use the ObjectInputStream
mechanism and therefore do not require this precaution. For more information, see the the section called “Deserialization policy options” section.
7.1. Enabling OpenSSL support
SSL/TLS connections can be configured to use a native OpenSSL implementation for improved performance. To use OpenSSL, the transport.useOpenSSL
option must be enabled, and an OpenSSL support library must be available on the classpath.
To use the system-installed OpenSSL libraries on Red Hat Enterprise Linux, install the openssl
and apr
RPM packages and add the following dependency to your POM file:
Example: Adding native OpenSSL support
<dependency> <groupId>io.netty</groupId> <artifactId>netty-tcnative</artifactId> <version>2.0.31.Final-redhat-00001</version> <classifier>linux-x86_64-fedora</classifier> </dependency>
A list of OpenSSL library implementations is available from the Netty project.
7.2. Authenticating using Kerberos
The client can be configured to authenticate using Kerberos when used with an appropriately configured server. To enable Kerberos, use the following steps.
Configure the client to use the
GSSAPI
mechanism for SASL authentication using theamqp.saslMechanisms
URI option.amqp://myhost:5672?amqp.saslMechanisms=GSSAPI failover:(amqp://myhost:5672?amqp.saslMechanisms=GSSAPI)
Set the
java.security.auth.login.config
system property to the path of a JAAS login configuration file containing appropriate configuration for a KerberosLoginModule
.-Djava.security.auth.login.config=<login-config-file>
The login configuration file might look like the following example:
amqp-jms-client { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };
The precise configuration used will depend on how you wish the credentials to be established for the connection, and the particular LoginModule
in use. For details of the Oracle Krb5LoginModule
, see the Oracle Krb5LoginModule
class reference. For details of the IBM Java 8 Krb5LoginModule
, see the IBM Krb5LoginModule
class reference.
It is possible to configure a LoginModule
to establish the credentials to use for the Kerberos process, such as specifying a principal and whether to use an existing ticket cache or keytab. If, however, the LoginModule
configuration does not provide the means to establish all necessary credentials, it may then request and be passed the username and password values from the client Connection
object if they were either supplied when creating the Connection
using the ConnectionFactory
or previously configured via its URI options.
Note that Kerberos is supported only for authentication purposes. Use SSL/TLS connections for encryption.
The following connection URI options can be used to influence the Kerberos authentication process.
- sasl.options.configScope
-
The name of the login configuration entry used to authenticate. The default is
amqp-jms-client
. - sasl.options.protocol
-
The protocol value used during the GSSAPI SASL process. The default is
amqp
. - sasl.options.serverName
-
The
serverName
value used during the GSSAPI SASL process. The default is the server hostname from the connection URI.
Similar to the amqp.
and transport.
options detailed previously, these options must be specified on a per-host basis or as all-host nested options in a failover URI.