红帽全球峰会Red Hat AMQ 6
As of February 2025, Red Hat is no longer supporting Red Hat AMQ 6. If you are using AMQ 6, please upgrade: Migrating to AMQ 7.此内容没有您所选择的语言版本。
3.2. Basic Security Configuration
Overview
复制链接链接已复制到粘贴板!
The default security settings block access to a broker's remote ports. If you want to access the Red Hat JBoss A-MQ runtime remotely, you must first customize the security configuration. The first thing you will want to do is create at least one JAAS user. This will enable remote access to the broker.
Other common configuration changes you may want to make are:
- configure access to the Fuse Management Console
- assign roles to each of the remote ports to limit access
- strengthen the credentials needed to access the remote console
Warning
If you are planning to enable SSL/TLS security, you must ensure that you explicitly disable SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
Create a secure JAAS user
复制链接链接已复制到粘贴板!
By default, no JAAS users are defined for the container, which effectively disables remote access (it is impossible to log on).
To create a secure JAAS user, edit the
InstallDir/etc/users.properties file and add a new user field, as follows:
Username=Password,admin
Username=Password,admin
Where
Username and Password are the new user credentials. The admin role gives this user the privileges to access all administration and management functions of the container. For more details about JAAS, see the Security Guide.
Warning
It is strongly recommended that you define custom user credentials with a strong password.
Assigning roles for remote access
复制链接链接已复制到粘贴板!
You can independently configure roles for the following different administrative protocols:
- SSH (remote console login)To override the default role for the remote console add a
sshRoleproperty to theorg.apache.karaf.shellPID. The following sets the role toadmin:sshRole=admin
sshRole=adminCopy to Clipboard Copied! Toggle word wrap Toggle overflow - JMX managementTo override the default role for JMX add a
jmxRoleproperty to theorg.apache.karaf.managementPID. The following sets the role tojmx:jmxRole=jmx
jmxRole=jmxCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Strengthening security on the remote console port
复制链接链接已复制到粘贴板!
You can employ the following measures to strengthen security on the remote console port:
- Make sure that the JAAS user credentials have strong passwords.
- Customize the X.509 certificate (replace the Java keystore file,
InstallDir/etc/host.key, with a custom key pair).
For more details, see the Security Guide.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}