2019-01-16

ActiveMQ JMX - Password Protecting service:jmx:rmi(port:1099) & tcp(port:61616)


Password Protecting the Broker - service:jmx:rmi: (JMX Connector)
Implemented: activemq.bat & activemq.xml

Reference URL:

in file: activemq.xml
Change:    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.data}">
To:    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.data}" useJmx="true">

Optional:
Change: <managementContext createConnector="false"/>
To: <managementContext createConnector="true" rmiServerPort="1098"  connectorPort="1099" />


in file: activemq.bat
After line of: if "%ACTIVEMQ_SUNJMX_START%" == "" set ACTIVEMQ_SUNJMX_START=-Dcom.sun.management.jmxremote
SET ACTIVEMQ_SUNJMX_START=-Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.password.file="%ACTIVEMQ_BASE%/conf/jmx.password" -Dcom.sun.management.jmxremote.access.file="%ACTIVEMQ_BASE%/conf/jmx.access"
Double quote (") here to avoid space in ur full path.
eg:  "C:\Program Files\ActiveMQ\"



Test if startup correctly:
Reference URL:
http://www.cleantutorials.com/jconsole/downloading-jconsole-and-connecting-it-to-a-local-java-process

Run: C:\Program Files\Java\jdk1.8.0_192\bin\jconsole.exe

host=localhost:1099
id=admin
password=activemq





Caused by:
Error: Password file read access must be restricted: <Path>\ActiveMQ\apache-activemq-5.13.2\bin\../conf/jmx.password
sun.management.AgentConfigurationError
        at sun.management.jmxremote.ConnectorBootstrap.checkPasswordFile(ConnectorBootstrap.java:577)
        at sun.management.jmxremote.ConnectorBootstrap.startRemoteConnectorServer(ConnectorBootstrap.java:426)
        at sun.management.Agent.startAgent(Agent.java:262)
        at sun.management.Agent.startAgent(Agent.java:452)



Reference URL:
https://docs.oracle.com/javase/6/docs/technotes/guides/management/security-windows.html

Solved by:

 To Secure a Password File on Windows XP Home Edition

As stated above, Windows XP Home Edition does not allow you to set file permissions graphically. However, you can set permissions using the cacls command.
  1. Open a command prompt window.
  2. Run the following command
    C:\MyPasswordFile>cacls jmxremote.password
    
    This command displays the access control list (ACL) of the jmxremote.password file.
  3. Set the access rights so that only your username has read access.
    When no users have been configured on the machine the default username is usually Owner, or a localized translation of Owner.
    C:\MyPasswordFile>cacls jmxremote.password /P [Owner]:R
    
    This command grants access to the user Owner with read-only permission, where Owner is the owner of the jmxremote.password file.
  4. Display the ACL again.
    C:\MyPasswordFile>cacls jmxremote.password
    
    This time, you will see that only the Owner has access to the password file.



How to identify [Owner] at above command:


Reference URL:
https://www.windows-commandline.com/current-logged-in-user-name-command/

Solved by:
ECHO %username%
or
whoami



Caused by:
java.lang.SecurityException: Authentication failed! Credentials required



Reference URL:
https://stackoverflow.com/questions/4679877/tomcat-jmx-connection-authentication-failed?rq=1

Solved by: Add credential into config and pass into connect function:

...
String url = "JMSRMIURL=service:jmx:rmi://localhost:1098/jndi/rmi://localhost:1099/jmxrmi";
JMXServiceURL urlJmxService = new JMXServiceURL( url );
Hashtable<String, String[]> credential = new Hashtable<String, String[]>();
credential.put(JMXConnector.CREDENTIALS, new String[]{"your_login_id","your_login_password"});
JMXConnector connector = JMXConnectorFactory.connect( urlJmxService, credential);
connector.connect();
...

Reference:
JMXServiceURL url = new JMXServiceURL(urlString);         
Hashtable<String, String[]> env = new Hashtable<String, String[]>();
String[] credentials = new String[] {user,pass};
env.put(JMXConnector.CREDENTIALS, credentials);         
jmxc = JMXConnectorFactory.connect(url,env); 
mbsc = jmxc.getMBeanServerConnection(); 



How to stop activemq after enabled JMX:
Reference URL: http://activemq.apache.org/activemq-command-line-tools-reference.html
activemq-admin stop --jmxurl service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi --jmxuser admin --jmxpassword activemq

activemq-admin list --jmxurl service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi --jmxuser admin --jmxpassword activemq


But not sure even able to stop it using only: activemq-admin stop










Password Protecting the Broker - TCP(port:61616)
Implemented: activemq.xml, login.config

Reference URL:
https://blog.csdn.net/jaylong35/article/details/6968903





Issue during implementation:

Issue#1of2
...ERROR | Failed to load: class path resource [activemq.xml], reason: Line 53 in XML document from class path resource [activemq.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 53; columnNumber: 27; Element type "authorizationEntry" must be followed by either attribute specifications, ">" or "/>".org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 53 in XML document from class path resource [activemq.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 53; columnNumber: 27; Element type "authorizationEntry" must be followed by either attribute specifications, ">" or "/>"....ERROR: java.lang.RuntimeException: Failed to execute start task. Reason: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 53 in XML document from class path resource [activemq.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 53; columnNumber: 27; Element type "authorizationEntry" must be followed by either attribute specifications, ">" or "/>".java.lang.RuntimeException: Failed to execute start task. Reason: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 53 in XML document from class path resource [activemq.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 53; columnNumber: 27; Element type "authorizationEntry" must be followed by either attribute specifications, ">" or "/>"....



Caused by: Having special character issue between "authorizationEntry" "queue"

authorizationEntry queue

Solved by: Use Notepad++ to replace this character(" ") by a normal space (" ").

Add the <plugin></plugin>
into config/activemq.xml





partial xml in <broker></broker> from config/activemq.xml
<plugins>
<!-- Configure authentication; Username, passwords and groups 添加jaas认证插件 activemq-domain 在login.config里面定义,详细见 login.config -->
<jaasAuthenticationPlugin configuration="ActiveMQ_Credentials" />


<!-- Lets configure a destination based authorization mechanism 配置队列用户权限,>表示任意字符 -->
<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
        <authorizationEntry queue="USERS.>" read="users" write="users" admin="users" />
        <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />


        <authorizationEntry queue="TEST.Q" read="guests" write="guests" />


        <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
        <authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
        <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
        <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
      </authorizationEntries>
    </authorizationMap>
  </map>
</authorizationPlugin>
</plugins>
<!--
===================== 
作者:jaylong35 
来源:CSDN 
原文:https://blog.csdn.net/jaylong35/article/details/6968903 
版权声明:本文为博主原创文章,转载请附上博文链接!
-->










Issue#2of2
in eclipse
Caused by: java.io.IOException: Configuration Error:
Invalid control flag,

Caused by: comment is not support within config


Solved by: Remove comment





in config/login.config


ActiveMQ_Credentials {
    org.apache.activemq.jaas.PropertiesLoginModule required
reload=true
debug=true
        org.apache.activemq.jaas.properties.user="users.properties"        org.apache.activemq.jaas.properties.group="groups.properties";};





in users.properties

admin=adminggggg=aeaea






in groups.properties

admins=adminusers=ggggg







2 implementations above will have 2 sets of credential maintenance.

Following is to simplify this maintenance task:

Reference URL: https://access.redhat.com/documentation/en-US/Fuse_ESB/4.4.1/html/ActiveMQ_Security_Guide/files/JMX-AmqConnector-Authent.html


For my case, both connections(jmx service & tcp), but could be more which refer to <transportConnectors></transportConnectors>



1 of 3 edits; in activemq.xml:
Add <plugins> below into <broker></broker>


<plugins>
<!-- Configure authentication; Username, passwords and groups 添加jaas认证插件 activemq-domain 在login.config里面定义,详细见 login.config -->
<jaasAuthenticationPlugin configuration="ActiveMQ_Credentials" />


<!-- Lets configure a destination based authorization mechanism 配置队列用户权限,>表示任意字符 -->
<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
        <authorizationEntry queue="USERS.>" read="users" write="users" admin="users" />
        <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />


        <authorizationEntry queue="TEST.Q" read="guests" write="guests" />


        <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
        <authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
        <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
        <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
      </authorizationEntries>
    </authorizationMap>
  </map>
</authorizationPlugin>
</plugins>
<!--
===================== 
作者:jaylong35 
来源:CSDN 
原文:https://blog.csdn.net/jaylong35/article/details/6968903 
版权声明:本文为博主原创文章,转载请附上博文链接!
-->


2 of 3 edits; in activemq.xml:
Replace
<managementContext createConnector="false" />
by
<managementContext> at below
into
<managementContext></managementContext>




<managementContext createConnector="true" rmiServerPort="1098"  connectorPort="1099" jmxDomainName="org.apache.activemq" >
<property xmlns="http://www.springframework.org/schema/beans" name="environment">
<map xmlns="http://www.springframework.org/schema/beans">
<entry xmlns="http://www.springframework.org/schema/beans"
   key="jmx.remote.x.login.config"
   value="ActiveMQ_Credentials"/>
  </map>
</property>
</managementContext>



3 of 3 edits; in login.config:
Add block below below activemq block




ActiveMQ_Credentials {
org.apache.activemq.jaas.PropertiesLoginModule required
reload=true
debug=true
org.apache.activemq.jaas.properties.user="users.properties"
org.apache.activemq.jaas.properties.group="groups.properties";
};




















1 comment:

  1. I really like it when individuals get together and share opinions.
    Great site, stick with it!

    ReplyDelete