Securing connections

Dannes Wessels edited this page Mar 22, 2016 · 24 revisions

Authentication

Client authentication

Add a snippet like the one below to the <broker> section of the activemq.xml configuration file. Note that ActiveMQ provides sophisticated authentication features for 'real world' usage; the ActiveMQ project documents pluggable security through various providers.

Server side

Add an XML fragment to enable (simple) authentication. Please note the anonymousAccessAllowed attribute.

<plugins>
  <simpleAuthenticationPlugin anonymousAccessAllowed="false">
    <users>
        <authenticationUser username="system" password="manager"  groups="users,admins"/>
        <authenticationUser username="user"   password="password" groups="users"/>
        <authenticationUser username="myusername" password="mypassword" groups="guests"/>
    </users>
  </simpleAuthenticationPlugin>
</plugins>

On the client side, define connection.username and connection.password in the scripts or in conf.xml:

Client side, XML config

  <parameter name="connection.username" value="myusername"/>
  <parameter name="connection.password" value="mypassword"/>

Client side, in XQuery

let $jmsConfiguration :=
    map {
        "java.naming.factory.initial" 
            := "org.apache.activemq.jndi.ActiveMQInitialContextFactory",
        "java.naming.provider.url" := "tcp://localhost:61616",
        "destination" := "dynamicQueues/eXistdb-messaging-demo",
        "connection-factory" := "ConnectionFactory",
        "connection.username" := "myusername",
        "connection.password" := "mypassword"
    }

Secure connection with SSL

The ActiveMQ website has documentation on how to secure connections between ActiveMQ clients and an ActiveMQ broker.

In short:

  • Create a keystore for the broker
  • Create a truststore for the client from the certificate of the broker
  • Create a keystore for the client
  • Optionally: create a truststore for the broker

Add the following (XML fragments) to the <beans>/<broker> section if not yet present to enable the SSL connector:

<beans>
  <broker>
    <transportConnectors>
      <!-- Enable SSL connector -->
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61618?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    </transportConnectors>
    <sslContext>
      <!-- Set path to keystore -->
      <sslContext keyStore="/path/to/broker.ks" 
                  keyStorePassword="password"/>
    </sslContext>

    <!-- Set user authentication details-->
    <plugins>
      <simpleAuthenticationPlugin anonymousAccessAllowed="false">
        <users>
          <!-- See top of page-->
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
  </broker>
</beans>

Set needClientAuth=true on the transport connector if the client needs to be authenticated via its client certificate. In this case the <simpleAuthenticationPlugin> section can be left out, and the broker's truststore is configured in <sslContext>:

<transportConnectors>
  <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true" />
</transportConnectors>

<beans>
  <broker>
    <transportConnectors>
      <!-- Enable SSL connector with client authentication -->
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61618?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    </transportConnectors>
    <sslContext>
      <!-- Set path to keystore -->
      <sslContext keyStore="/path/to/broker.ks" 
                  keyStorePassword="password"
                  trustStore="/path/to/broker.ts"
                  trustStorePassword="password"/>
    </sslContext>
  </broker>
</beans>
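
The following Python check is an added example, not part of the original wiki page or of the eXist-db or ActiveMQ projects: it reads a broker configuration like the ones above and reports settings worth reviewing before deployment. The function name, finding codes and sample document are constructed for illustration, and the password list holds only the sample values shown on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}            # TLS 1.0/1.1 deprecated by RFC 8996
SAMPLE_PASSWORDS = {"manager", "password", "mypassword"}  # sample values used on this page

def audit_broker_config(xml_text):
    """Return (code, detail) findings for an activemq.xml <beans>/<broker> document."""
    findings = []
    # Drop any namespace prefix so the check works with or without xmlns.
    elems = [(e.tag.rsplit("}", 1)[-1], e) for e in ET.fromstring(xml_text).iter()]
    has_password_auth = False
    for tag, e in elems:
        if tag == "simpleAuthenticationPlugin":
            has_password_auth = True
            if e.get("anonymousAccessAllowed", "false").lower() == "true":
                findings.append(("ANON_ACCESS", "anonymousAccessAllowed is true"))
        elif tag == "authenticationUser" and e.get("password") in SAMPLE_PASSWORDS:
            findings.append(("SAMPLE_PASSWORD", e.get("username", "?")))
    for tag, e in elems:
        if tag != "transportConnector":
            continue
        uri = urlsplit(e.get("uri", ""))
        params = parse_qs(uri.query)
        name = e.get("name", uri.scheme)
        if uri.scheme != "ssl":  # e.g. tcp://: credentials cross the wire unencrypted
            findings.append(("PLAINTEXT_CONNECTOR", name))
            continue
        enabled = params.get("transport.enabledProtocols", [""])[0].split(",")
        weak = sorted(DEPRECATED_TLS.intersection(enabled))
        if weak:
            findings.append(("DEPRECATED_TLS", ",".join(weak)))
        client_cert = params.get("needClientAuth", ["false"])[0].lower() == "true"
        if not client_cert and not has_password_auth:  # nothing authenticates the client
            findings.append(("NO_CLIENT_AUTH", name))
    return findings

# Constructed sample: the page's SSL connector plus a plain tcp connector on 61616.
SAMPLE = """<beans><broker>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61618?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;maximumConnections=1000"/>
  </transportConnectors>
  <plugins><simpleAuthenticationPlugin anonymousAccessAllowed="false"><users>
    <authenticationUser username="system" password="manager" groups="users,admins"/>
  </users></simpleAuthenticationPlugin></plugins>
</broker></beans>"""

if __name__ == "__main__":
    print(*audit_broker_config(SAMPLE), sep="\n")
```
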
