SupportConsoleDevelopersStart a trialContact

3.2. Basic Security Configuration

Overview

The default security settings block access to a broker's remote ports. If you want to access the Red Hat JBoss A-MQ runtime remotely, you must first customize the security configuration. The first thing you will want to do is create at least one JAAS user. This will enable remote access to the broker.
Other common configuration changes you may want to make are:
  • configure access to the Web console
  • assign roles to each of the remote ports to limit access
  • strengthen the credentials needed to access the remote console
Warning
If you are planning to enable SSL/TLS security, you must ensure that you explicitly disable SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.

Create a secure JAAS user

By default, no JAAS users are defined for the container, which effectively disables remote access (it is impossible to log on).
To create a secure JAAS user, edit the InstallDir/etc/users.properties file and add a new user field, as follows: 
Username=Password,admin
Where Username and Password are the new user credentials. The admin role gives this user the privileges to access all administration and management functions of the container. For more details about JAAS, see the Security Guide.
Warning
It is strongly recommended that you define custom user credentials with a strong password.

Configure the Web console

If you want to access the Web console (for remote administration of JMS messaging), you must provide the Web console servlet with the credentials it needs to login to the JMS broker.
Edit the InstallDir/etc/system.properties file. Search for the activemq.jmx.user and activemq.jmx.password settings (which are commented out by default), and modify them as follows: 
#
# Authentication - must match an entry in user.properties with the admin privilege
#
activemq.jmx.user=Username
activemq.jmx.password=Password
Where the Username and Password are the credentials of a JAAS user with admin privileges.
Note
The preceding properties are used in the org.apache.activemq.webconsole.cfg file, in order to set more properties in that file. Hence, indirectly these properties are used to set the webconsole.jmx.* and webconsole.jms.* properties.
For more details on securing the Web console see the Security Guide.

Assigning roles for remote access

You can independently configure roles for the following different administrative protocols:
  • SSH (remote console login)
    To override the default role for the remote console add a sshRole property to the org.apache.karaf.shell PID. The following sets the role to admin: 
    sshRole=admin
  • JMX management
    To override the default role for JMX add a jmxRole property to the org.apache.karaf.management PID. The following sets the role to jmx: 
    jmxRole=jmx
  • Web console

Strengthening security on the remote console port

You can employ the following measures to strengthen security on the remote console port:
  • Make sure that the JAAS user credentials have strong passwords.
  • Customize the X.509 certificate (replace the Java keystore file, InstallDir/etc/host.key, with a custom key pair).
For more details, see the Security Guide.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.