
4.2. Securing the Web Console


Overview

By default, the Red Hat JBoss A-MQ Web console is insecure: it does not require authentication and it uses the standard HTTP transport. For most commercial deployments it is advisable to secure the Web console. Security is added by editing the etc/jetty.xml configuration file.

Enabling basic authentication

The Jetty server can be configured to enable HTTP basic authentication. Although the conf/jetty.xml file already includes most of the configuration required for basic authentication, the authentication feature is disabled by default. To enable it, search for the following line in the jetty.xml file:
<property name="authenticate" value="false" />
Edit the value attribute, changing its value to true. The result should be similar to:
<property name="authenticate" value="true" />
When you restart the broker, basic authentication will be enabled on the Web console. For example, you can log on using the credentials, username=admin, password=admin.

Editing user credentials

The Jetty user data are stored in the conf/jetty-realm.properties file, which you can edit to add user credentials and roles. Each user is defined on a separate line, which has the following format:
Username: Password [, Role01, Role02, ... ]
For example, to define a user with username jblogs, password secret, and role developer, you would add the following line to the jetty-realm.properties file:
jblogs: secret, developer

Enabling SSL security

To enable SSL security on the Jetty server, edit the Connector bean in the conf/jetty.xml file. Replace the org.eclipse.jetty.server.nio.SelectChannelConnector class with the org.eclipse.jetty.server.ssl.SslSelectChannelConnector class. Specify the relevant properties of the SslSelectChannelConnector class in order to configure the Jetty server's HTTPS port as shown in Example 4.2, “SSL Enabled Web Console Configuration”.

Example 4.2. SSL Enabled Web Console Configuration

<property name="connectors">
  <list>
    <bean id="Connector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <property name="port"        value="8443" />
      <property name="maxIdleTime" value="30000"/>
      <property name="keystore"    value="${activemq.home}/conf/broker.ks"/>
      <property name="password"    value="testjetty"/>
      <property name="keyPassword" value="testjetty"/>
      <property name="truststore"  value="${activemq.home}/conf/broker.ks"/>
    </bean>
  </list>
</property>
The SslSelectChannelConnector properties can be explained as follows:
  • port—specifies the secure IP port number (accessible through HTTPS).
  • maxIdleTime—specifies the connection idle time in milliseconds. If there is no activity on a connection for longer than this timeout, the connection will be closed.
  • keystore—specifies the location of the Jetty server's X.509 certificate, which is stored in a Java keystore file on the file system. The Jetty server uses this certificate to identify itself to a client, during the SSL handshake.
  • password—specifies the store password, which is needed to unlock the keystore file. See the Security Guide.
  • keyPassword—specifies the key password, which is used to decrypt the private key that is stored within the keystore file. Typically, the store password and the key password are identical. Some SSL implementations even require this to be the case.
  • truststore—specifies the location of a Java keystore file that contains a list of one or more trusted certificates, which can be used during the SSL handshake to check that incoming client certificates are correctly signed.
    Note
    In the current example, the truststore is actually irrelevant, because clients are not required to send a certificate to the Jetty server.
When SSL security is configured as shown, you can access the Web console through the HTTPS protocol using the URL https://localhost:8443/admin.
Warning
The broker.ks certificate used in the example is insecure. Anyone can access its private key. To secure your system properly, you must create new certificates signed by a trusted CA, as described in the Security Guide.
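The settings this section walks through can be checked mechanically. The following script is an added example, not part of the Red Hat documentation or of the product: it parses constructed copies of jetty.xml and jetty-realm.properties and reports the weak settings described above (authentication still off, the plain HTTP connector still in place, the sample broker.ks keystore or its example password testjetty in use, and the default admin/admin login still defined).

```python
import xml.etree.ElementTree as ET
# Constructed sample files, still at the insecure defaults this section tells you to change.
JETTY_XML = """<beans>
  <property name="authenticate" value="false" />
  <property name="connectors">
    <list>
      <bean id="Connector" class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      </bean>
    </list>
  </property>
</beans>"""

JETTY_REALM = """# constructed jetty-realm.properties
admin: admin, admin
jblogs: secret, developer
"""
SSL_CONNECTOR = "org.eclipse.jetty.server.ssl.SslSelectChannelConnector"
def audit_jetty_xml(text):
    """Return findings for a jetty.xml: auth off, plain HTTP, or sample TLS material."""
    root = ET.fromstring(text)
    findings = []
    auth = root.find(".//property[@name='authenticate']")
    if auth is None or auth.get("value") != "true":
        findings.append("basic authentication is disabled (authenticate != true)")
    conn = root.find(".//bean[@id='Connector']")
    if conn is None or conn.get("class") != SSL_CONNECTOR:
        findings.append("console connector is plain HTTP, not SslSelectChannelConnector")
    else:
        props = {p.get("name"): p.get("value") for p in conn.findall("property")}
        # broker.ks and testjetty are the shipped demo keystore and its example password
        if props.get("keystore", "").endswith("broker.ks"):
            findings.append("keystore is the insecure sample broker.ks")
        if "testjetty" in (props.get("password"), props.get("keyPassword")):
            findings.append("keystore/key password is the example value testjetty")
    return findings

def audit_realm(text):
    """Return findings for jetty-realm.properties lines of the form user: password[, roles]."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, rest = (s.strip() for s in line.split(":", 1))
        password = rest.split(",", 1)[0].strip()
        if user == "admin" and password == "admin":
            findings.append("default admin/admin credential is still present")
        elif password == user:
            findings.append(f"user {user} has password equal to username")
    return findings
```

Run both functions against the real files after each change; an empty list from both means the steps above have all been applied.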

Reference

For more details about the properties you can set on the SslSelectChannelConnector class, see http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/server/ssl/SslSocketConnector.html.
© 2024 Red Hat, Inc.