Chapter 4. Configuration
4.1. Setting Up User Access to AMQ Console
You can access AMQ Console using the broker login credentials. The following table describes the methods for adding broker users who can access AMQ Console:
Authentication Method | Description |
---|---|
Guest Authentication | Enables anonymous access. In this configuration, any user who connects without credentials or with the wrong credentials will be authenticated automatically and assigned a specific user and role. For more information, see Enabling Guest Access in Using AMQ Broker. |
Basic User and Password Authentication | For each user, you must define a username and password and assign a security role. Users can only log into AMQ Console using these credentials. For more information, see Enabling Password Authentication in Using AMQ Broker. |
LDAP Authentication | Users are authenticated and authorized by checking the credentials against user data stored in a central X.500 directory server. For more information, see Adding Certificate-Based Authentication in Using AMQ Broker. |
4.2. Securing AMQ Console and AMQ Broker Connections
To allow AMQ Console to access resources on the broker, specify the permitted origin URLs that can access it by editing the allow-origin parameters in the access management configuration file on the broker.
Prerequisite
- You must first upgrade to AMQ Broker 7.1.0, during which the access management configuration file named jolokia-access.xml is added to the broker instance. For more information about upgrading, see Upgrading Your Broker to 7.1.0 in Using AMQ Broker.
Procedure
- Open the BROKER_INSTANCE_DIR/etc/jolokia-access.xml file in a text editor. Within the <cors> section, edit the allow-origin settings to add each URL that you want to allow to access AMQ Console. For example:

    <cors>
      <!-- allow access to web console from localhost -->
      <allow-origin>https://localhost:8161/*</allow-origin>
      <!-- Check for the proper origin on the server side, too -->
      <strict-checking/>
    </cors>

- Save the file.
4.3. Securing Network Access to AMQ Console
To secure AMQ Console when it is being accessed over a WAN or the internet, use SSL to specify that network access uses https instead of http.
Prerequisites
The following should be located in BROKER_INSTANCE_DIR/etc/:
- Java KeyStore (.jks)
- Java TrustStore (only if you want to require client authentication)
Procedure
- Open the BROKER_INSTANCE_DIR/etc/bootstrap.xml file. In the <web> element, add the following attributes:

    <web bind="https://localhost:8161" path="web"
         keyStorePath="<path_to_KeyStore>" keyStorePassword="<password>"
         clientAuth="<true/false>"
         trustStorePath="<path_to_TrustStore>" trustStorePassword="<password>">
        ...
    </web>

bind
- Change the URI scheme to https.
keyStorePath
- The path of the KeyStore file. For example: keyStorePath="${artemis.instance}/etc/keystore.jks"
keyStorePassword
- The KeyStore’s password.
clientAuth
- Specifies whether client authentication is required. The default is false, but you can change it to true to enable authentication.
trustStorePath
- The path of the TrustStore file. This attribute is only needed if clientAuth is true.
trustStorePassword
- The TrustStore’s password.
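
The settings from sections 4.2 and 4.3 can be checked after editing. The following is an added example, not part of the original documentation or of AMQ itself: it audits the <cors> section of jolokia-access.xml and the <web> element of bootstrap.xml. The function names, the sample documents, and the <restrict> and <broker> wrapper elements around the fragments shown on this page are assumptions.

```python
import xml.etree.ElementTree as ET

def _name(elem):
    return elem.tag.rsplit("}", 1)[-1]          # drop any {namespace} prefix
def _find(xml_text, name):
    return next((e for e in ET.fromstring(xml_text).iter() if _name(e) == name), None)

def audit_cors(jolokia_access_xml):
    """Findings for the <cors> section of jolokia-access.xml."""
    cors = _find(jolokia_access_xml, "cors")
    if cors is None:
        return ["no <cors> section found"]
    findings = []
    for e in (c for c in cors if _name(c) == "allow-origin"):
        origin = (e.text or "").strip()
        scheme, sep, rest = origin.partition("://")
        host = rest.split("/", 1)[0] if sep else origin
        if "*" in scheme or "*" in host:        # a wildcard in the path is fine
            findings.append(f"wildcard in scheme or host: {origin}")
        elif scheme != "https":
            findings.append(f"origin is not https: {origin}")
    if not any(_name(e) == "strict-checking" for e in cors):
        findings.append("<strict-checking/> is missing")
    return findings

def audit_web(bootstrap_xml):
    """Findings for the <web> element of bootstrap.xml."""
    web = _find(bootstrap_xml, "web")
    if web is None:
        return ["no <web> element found"]
    findings = []
    if not web.get("bind", "").startswith("https://"):
        findings.append(f"bind is not https: {web.get('bind')}")
    elif not web.get("keyStorePath"):
        findings.append("https bind without keyStorePath")
    if web.get("clientAuth") == "true" and not web.get("trustStorePath"):
        findings.append("clientAuth is true but trustStorePath is not set")
    return findings

# Constructed samples; the <restrict> and <broker> wrappers are assumed.
WEAK_CORS = ("<restrict><cors><allow-origin>*://*</allow-origin>"
             "<allow-origin>http://console.example.test:8161</allow-origin></cors></restrict>")
PAGE_CORS = ("<restrict><cors><allow-origin>https://localhost:8161/*</allow-origin>"
             "<strict-checking/></cors></restrict>")
WEAK_WEB = ('<broker xmlns="http://activemq.org/schema">'
            '<web bind="http://localhost:8161" path="web" clientAuth="true"/></broker>')
if __name__ == "__main__":
    for xml_text, audit in [(WEAK_CORS, audit_cors), (PAGE_CORS, audit_cors), (WEAK_WEB, audit_web)]:
        print(audit.__name__, audit(xml_text))
```

To audit a real broker instance, pass the contents of the two files under BROKER_INSTANCE_DIR/etc/ to the functions instead of the sample strings.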
4.4. Configuring AMQ Interconnect for AMQ Console
To access AMQ Interconnect from AMQ Console, you must add a listener that accepts incoming WebSocket traffic from AMQ Console.
Procedure
- Open the router’s configuration file.
  The default router configuration file is located at /etc/qpid-dispatch/qdrouterd.conf. If you have multiple routers, you should open the configuration file of the router through which you want to connect to AMQ Console.
- Add an incoming connection for AMQ Console management traffic.

    listener {
        name: NAME
        role: normal
        host: HOST
        port: PORT
        http: yes
        ...
    }

name
- The name of the incoming connection.
role
- Set this to normal.
host
- Either an IP address (IPv4 or IPv6) or hostname.
port
- The port number or symbolic service name.
http
- Set this to yes.