Chapter 3. Security Basics
Abstract
By default, Red Hat AMQ is secure because none of its ports are remotely accessible. You want to open a few basic ports for remote access for management purposes.
3.1. Security Overview
Overview
The Red Hat AMQ runtime exposes three ports for remote access. These ports, which are mostly intended for managing the broker, are essentially disabled by default. They are configured to require authentication, but have no defined users. This makes the broker immune to breaches, but is not ideal for remote management.
Ports exposed by the container
Figure 3.1, “Ports Exposed by the Red Hat AMQ Container” shows the ports exposed by the AMQ container by default.
Figure 3.1. Ports Exposed by the Red Hat AMQ Container
The following ports are exposed by the container:
- Console port—enables remote control of a container instance, through Apache Karaf shell commands. This port is enabled by default and is secured both by JAAS authentication and by SSL.
- JMX port—enables management of the container through the JMX protocol. This port is enabled by default and is secured by JAAS authentication.
- Web console port—provides access to an embedded Jetty container that hosts the Fuse Management Console.
Authentication and authorization system
Red Hat AMQ uses Java Authentication and Authorization Service (JAAS) for ensuring the users trying to access the broker have the proper credentials. The implementation is modular, with individual JAAS modules providing the authentication implementations. AMQ's command console provides commands to configure the JAAS system.
