ActiveMQ Security Using JAAS Authentication

Introduction

By default, ActiveMQ does not provide access to the message broker anonymously. That means we don't need to pass user name and password. This is not desired. There are two simple authentication schemes. The firsts use simple authentication and the second one uses JAAS plugin. JASS plugin can be used with LDAP.

In this blog, I am going explain how to use jaasAuthenticationPlugin.

Configuration Changes

To configure ActiveMQ using JAAS authentication plugin requires to modify the following files [all these files are located at $ACTIVEMQ_HOME/conf:

1. login.config
2. users.properties
3. groups.properties
4. activemq.xml

activema.xml

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

<broker>        ...        <plugins>          <jaasauthenticationplugin configuration="activemq-domain">            <authorizationplugin>            <map>              <authorizationmap>                <authorizationentries>                  <authorizationentry queue=">" read="admins" write="admins" admin="admins">                  <authorizationentry queue=">" read="users" write="users" admin="users">                    <authorizationentry topic=">" read="admins" write="admins" admin="admins">                  <authorizationentry topic=">" read="users" write="users" admin="users">                    <authorizationentry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users">                </authorizationentry></authorizationentry></authorizationentry></authorizationentry></authorizationentry></authorizationentries>                  <tempdestinationauthorizationentry>                  <tempdestinationauthorizationentry read="tempDestinationAdmins" write="tempDestinationAdmins" admin="tempDestinationAdmins">               </tempdestinationauthorizationentry>              </tempdestinationauthorizationentry></authorizationmap>            </map>          </authorizationplugin>        </jaasauthenticationplugin></plugins>        ...   </broker>

login.config

?

1 2 3 4 5 6

activemq-domain {     org.apache.activemq.jaas.PropertiesLoginModule required         debug=true         org.apache.activemq.jaas.properties.user="users.properties"         org.apache.activemq.jaas.properties.group="groups.properties"; };

Note: configuration="activemq-domain" in the activemq.xml implies that ActiveMQ will look for the entry of activemq-domain in the login.config file.

users.properties

?

1 2	admin=admin hmuser=user123@

groups.properties

?

1 2	admins=admin users=hmuser

Test Configuration

To test the configuration, you can run the following scripts:

producer: runProducerOneWay.sh

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14

#!/bin/bash ACTIVEMQ_HOME=/opt/app/amq/Transport/NioSsl ant producer \  -Durl="nio+ssl://localhost:61617" \  -Duser="hmuser" \  -Dpassword="user123@" \  -Dtopic=false \  -Ddurable=true \  -Dsubject=QUEUE.NIOSSL \  -Dmax=100 \  -Djavax.net.debug=ssl:handshake \  -Djavax.net.ssl.keyStore=/home/amq/client.ks \  -Djavax.net.ssl.keyStorePassword=amqadmin@ \  -Djavax.net.ssl.trustStore=/home/amq/client.ts

consumer: runConsumerOneWay.sh

?

1 2 3 4 5 6 7 8 9 10 11 12

#!/bin/bash ACTIVEMQ_HOME=/opt/app/amq/Transport/NioSsl ant consumer  \  -Durl="nio+ssl://localhost:61617" \  -Duser="hmuser" \  -Dpassword="user123@" \  -Dtopic=false \  -Ddurable=true \  -Dsubject=QUEUE.NIOSSL \  -Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/client.ks \  -Djavax.net.ssl.keyStorePassword=amqadmin@ \  -Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/client.ts