Securing connections

Dannes Wessels edited this page Mar 22, 2016 · 24 revisions

Authentication

Client authentication

Add a snippet like the one below to the <broker> section of the activemq.xml configuration file. Note that ActiveMQ provides sophisticated authentication features for 'real world' usage; the ActiveMQ project documents pluggable security through various providers.

Server side

Add an XML fragment to enable (simple) authentication. Please note the anonymousAccessAllowed attribute.

<plugins>
  <simpleAuthenticationPlugin anonymousAccessAllowed="false">
    <users>
        <authenticationUser username="system" password="manager"  groups="users,admins"/>
        <authenticationUser username="user"   password="password" groups="users"/>
        <authenticationUser username="myusername" password="mypassword" groups="guests"/>
    </users>
  </simpleAuthenticationPlugin>
</plugins>

On the client side, define connection.username and connection.password in the scripts or in conf.xml:

Client side, XML config

  <parameter name="connection.username" value="myusername"/>
  <parameter name="connection.password" value="mypassword"/>

Client side, in XQuery

let $jmsConfiguration :=
    map {
        "java.naming.factory.initial" 
            := "org.apache.activemq.jndi.ActiveMQInitialContextFactory",
        "java.naming.provider.url" := "tcp://localhost:61616",
        "destination" := "dynamicQueues/eXistdb-messaging-demo",
        "connection-factory" := "ConnectionFactory",
        "connection.username" := "myusername",
        "connection.password" := "mypassword"
    }

Secure connection with SSL

The ActiveMQ website has documentation on how to secure connections between ActiveMQ clients and an ActiveMQ broker.

In short:

  • Create a keystore for the broker
  • Create a truststore for the client from the certificate of the broker
  • Create a keystore for the client
  • Optionally: create a truststore for the broker

Add the following to the <beans>/<broker> section, if not yet present, to enable the SSL connector:

<beans>
  <broker>
    <transportConnectors>
      <!-- TLSv1 and TLSv1.1 are deprecated (RFC 8996); list only the protocol versions your clients need -->
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61618?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    </transportConnectors>
  </broker>
</beans>

Set needClientAuth=true if the client needs to be authenticated via the client certificate. In this case the <simpleAuthenticationPlugin> section can be left out:

<transportConnectors>
  <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true" />
</transportConnectors>

Configure the paths to the keystore (and truststore); note the double <sslContext>:

<beans>
  <broker>
    <sslContext>
      <sslContext keyStore="/path/to/broker.ks"
                  keyStorePassword="password"
                  trustStore="/path/to/broker.ts"
                  trustStorePassword="password"/>
    </sslContext>
  </broker>
</beans>
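
An added example (not part of the original wiki page, nor code from the eXist-db or ActiveMQ projects): a small Python audit that reads a broker configuration like the fragments above and reports anonymous access, the sample passwords shown on this page, plaintext connectors, and SSL connectors that still enable SSLv3, TLS 1.0 or TLS 1.1. The `audit` function, its finding codes and the `SAMPLE` document are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}          # deprecated protocol versions
PAGE_PASSWORDS = {"manager", "password", "mypassword"}  # sample values shown on this page
SECURE_SCHEMES = ("ssl", "https", "wss")                # assumption: suffixes treated as TLS

def audit(xml_text):
    """Return (code, detail) findings for an activemq.xml-style document."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]                # drop an XML namespace, if any
        if name == "simpleAuthenticationPlugin":
            if el.get("anonymousAccessAllowed", "false").lower() == "true":
                findings.append(("ANON", "anonymous access is allowed"))
        elif name == "authenticationUser":
            if el.get("password") in PAGE_PASSWORDS:
                findings.append(("SAMPLE_PW", el.get("username")))
        elif name == "sslContext":
            for attr in ("keyStorePassword", "trustStorePassword"):
                if el.get(attr) in PAGE_PASSWORDS:
                    findings.append(("SAMPLE_PW", attr))
        elif name == "transportConnector":
            uri = urlsplit(el.get("uri", ""))
            if not uri.scheme.endswith(SECURE_SCHEMES):
                findings.append(("PLAINTEXT", el.get("name")))
                continue
            enabled = parse_qs(uri.query).get("transport.enabledProtocols", [""])[0]
            weak = sorted(WEAK_PROTOCOLS.intersection(enabled.split(",")))
            if weak:
                findings.append(("WEAK_TLS", ",".join(weak)))
    return findings

# Constructed sample: it combines fragments from this page with a plain tcp connector.
SAMPLE = """<beans><broker>
  <plugins><simpleAuthenticationPlugin anonymousAccessAllowed="false"><users>
    <authenticationUser username="system" password="manager" groups="users,admins"/>
  </users></simpleAuthenticationPlugin></plugins>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    <transportConnector name="ssl" uri="ssl://0.0.0.0:61618?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;maximumConnections=1000"/>
  </transportConnectors>
</broker></beans>"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(code, detail)
```

An empty result only means none of these specific checks fired; it does not verify certificate handling or the keystore files themselves.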
