Password Protecting the Broker - service:jmx:rmi: (JMX Connector)
Implemented: activemq.bat & activemq.xml
Reference URL:
in file: activemq.xml
Change: <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.data}">
To: <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.data}" useJmx="true">
Optional:
Change: <managementContext createConnector="false"/>
To: <managementContext createConnector="true" rmiServerPort="1098" connectorPort="1099" />
in file: activemq.bat
After line of: if "%ACTIVEMQ_SUNJMX_START%" == "" set ACTIVEMQ_SUNJMX_START=-Dcom.sun.management.jmxremote
SET ACTIVEMQ_SUNJMX_START=-Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.password.file="%ACTIVEMQ_BASE%/conf/jmx.password" -Dcom.sun.management.jmxremote.access.file="%ACTIVEMQ_BASE%/conf/jmx.access"
Double quote (") here to avoid space in ur full path.
eg: "C:\Program Files\ActiveMQ\"
Test if startup correctly:
Reference URL:
http://www.cleantutorials.com/jconsole/downloading-jconsole-and-connecting-it-to-a-local-java-process
Run: C:\Program Files\Java\jdk1.8.0_192\bin\jconsole.exe
host=localhost:1099
id=admin
password=activemq
Caused by:
Error: Password file read access must be restricted: <Path>\ActiveMQ\apache-activemq-5.13.2\bin\../conf/jmx.password
sun.management.AgentConfigurationError
at sun.management.jmxremote.ConnectorBootstrap.checkPasswordFile(ConnectorBootstrap.java:577)
at sun.management.jmxremote.ConnectorBootstrap.startRemoteConnectorServer(ConnectorBootstrap.java:426)
at sun.management.Agent.startAgent(Agent.java:262)
at sun.management.Agent.startAgent(Agent.java:452)
Reference URL:
https://docs.oracle.com/javase/6/docs/technotes/guides/management/security-windows.html
Solved by:
To Secure a Password File on Windows XP Home Edition
As stated above, Windows XP Home Edition does not allow you to set file permissions graphically. However, you can set permissions using the cacls command.
- Open a command prompt window.
- Run the following command
C:\MyPasswordFile>cacls jmxremote.password
This command displays the access control list (ACL) of the jmxremote.password file.
- Set the access rights so that only your username has read access.
When no users have been configured on the machine the default username is usually Owner, or a localized translation of Owner.
C:\MyPasswordFile>cacls jmxremote.password /P [Owner]:R
This command grants access to the user Owner with read-only permission, where Owner is the owner of the jmxremote.password file.
- Display the ACL again.
C:\MyPasswordFile>cacls jmxremote.password
This time, you will see that only the Owner has access to the password file.
How to identify
[Owner] at above command:
Reference URL:
https://www.windows-commandline.com/current-logged-in-user-name-command/
Solved by:
ECHO %username%
or
whoami
Caused by:
java.lang.SecurityException: Authentication failed! Credentials required
Reference URL:
https://stackoverflow.com/questions/4679877/tomcat-jmx-connection-authentication-failed?rq=1
Solved by: Add credential into config and pass into connect function:
...
String url = "JMSRMIURL=service:jmx:rmi://localhost:1098/jndi/rmi://localhost:1099/jmxrmi";
JMXServiceURL urlJmxService = new JMXServiceURL( url );
Hashtable<String, String[]> credential = new Hashtable<String, String[]>();
credential.put(JMXConnector.CREDENTIALS, new String[]{"your_login_id","your_login_password"});
JMXConnector connector = JMXConnectorFactory.connect( urlJmxService, credential);
connector.connect();
...
Reference:
JMXServiceURL url = new JMXServiceURL(urlString);
Hashtable<String, String[]> env = new Hashtable<String, String[]>();
String[] credentials = new String[] {user,pass};
env.put(JMXConnector.CREDENTIALS, credentials);
jmxc = JMXConnectorFactory.connect(url,env);
mbsc = jmxc.getMBeanServerConnection();
How to stop activemq after enabled JMX:
Reference URL:
http://activemq.apache.org/activemq-command-line-tools-reference.html
activemq-admin stop --jmxurl service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi --jmxuser admin --jmxpassword activemq
activemq-admin list --jmxurl service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi --jmxuser admin --jmxpassword activemq
But not sure even able to stop it using only: activemq-admin stop
Password Protecting the Broker - TCP(port:61616)
Issue during implementation:
Issue#1of2
...ERROR | Failed to load: class path resource [activemq.xml], reason: Line 53 in XML document from class path resource [activemq.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 53; columnNumber: 27; Element type "authorizationEntry" must be followed by either attribute specifications, ">" or "/>".org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 53 in XML document from class path resource [activemq.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 53; columnNumber: 27; Element type "authorizationEntry" must be followed by either attribute specifications, ">" or "/>"....ERROR: java.lang.RuntimeException: Failed to execute start task. Reason: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 53 in XML document from class path resource [activemq.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 53; columnNumber: 27; Element type "authorizationEntry" must be followed by either attribute specifications, ">" or "/>".java.lang.RuntimeException: Failed to execute start task. Reason: org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 53 in XML document from class path resource [activemq.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 53; columnNumber: 27; Element type "authorizationEntry" must be followed by either attribute specifications, ">" or "/>"....
Caused by: Having special character issue between "authorizationEntry"
"queue"
authorizationEntry queue
Solved by: Use Notepad++ to replace this character("
") by a normal space (" ").
Add the <plugin></plugin>
into config/activemq.xml
partial xml in <broker></broker> from config/activemq.xml
<plugins>
<!-- Configure authentication; Username, passwords and groups 添加jaas认证插件 activemq-domain 在login.config里面定义,详细见 login.config -->
<jaasAuthenticationPlugin configuration="ActiveMQ_Credentials" />
<!-- Lets configure a destination based authorization mechanism 配置队列用户权限,>表示任意字符 -->
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
<authorizationEntry queue="USERS.>" read="users" write="users" admin="users" />
<authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry queue="TEST.Q" read="guests" write="guests" />
<authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
<authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
<authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
<!--
=====================
作者:jaylong35
来源:CSDN
原文:https://blog.csdn.net/jaylong35/article/details/6968903
版权声明:本文为博主原创文章,转载请附上博文链接!
-->
Issue#2of2
in eclipse
Caused by: java.io.IOException: Configuration Error:
Invalid control flag,
Caused by: comment is not support within config
Solved by: Remove comment
in config/login.config
ActiveMQ_Credentials {
org.apache.activemq.jaas.PropertiesLoginModule required
reload=true
debug=true
org.apache.activemq.jaas.properties.user="users.properties" org.apache.activemq.jaas.properties.group="groups.properties";};
in users.properties
admin=adminggggg=aeaea
in groups.properties
admins=adminusers=ggggg
2 implementations above will have 2 sets of credential maintenance.
Following is to simplify this maintenance task:
Reference URL:
https://access.redhat.com/documentation/en-US/Fuse_ESB/4.4.1/html/ActiveMQ_Security_Guide/files/JMX-AmqConnector-Authent.html
For my case, both connections(jmx service & tcp), but could be more which refer to <transportConnectors></transportConnectors>
1 of 3 edits; in activemq.xml:
Add <plugins> below into <broker></broker>
<plugins>
<!-- Configure authentication; Username, passwords and groups 添加jaas认证插件 activemq-domain 在login.config里面定义,详细见 login.config -->
<jaasAuthenticationPlugin configuration="ActiveMQ_Credentials" />
<!-- Lets configure a destination based authorization mechanism 配置队列用户权限,>表示任意字符 -->
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
<authorizationEntry queue="USERS.>" read="users" write="users" admin="users" />
<authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry queue="TEST.Q" read="guests" write="guests" />
<authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
<authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
<authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
<!--
=====================
作者:jaylong35
来源:CSDN
原文:https://blog.csdn.net/jaylong35/article/details/6968903
版权声明:本文为博主原创文章,转载请附上博文链接!
-->
2 of 3 edits; in activemq.xml:
Replace
<managementContext createConnector="false" />
by
<managementContext> at below
into
<managementContext></managementContext>
<managementContext createConnector="true" rmiServerPort="1098" connectorPort="1099" jmxDomainName="org.apache.activemq" >
<property xmlns="http://www.springframework.org/schema/beans" name="environment">
<map xmlns="http://www.springframework.org/schema/beans">
<entry xmlns="http://www.springframework.org/schema/beans"
key="jmx.remote.x.login.config"
value="ActiveMQ_Credentials"/>
</map>
</property>
</managementContext>
3 of 3 edits; in login.config:
Add block below below activemq block
ActiveMQ_Credentials {
org.apache.activemq.jaas.PropertiesLoginModule required
reload=true
debug=true
org.apache.activemq.jaas.properties.user="users.properties"
org.apache.activemq.jaas.properties.group="groups.properties";
};