Active MQ JMX SSL

I'm trying to use SSL with the JMX connector that Active MQ creates, but with no success. I'm able to get SSL working with the JVM platform JMX connector, but that requires storing keystore and truststore passwords plaintext, which is a no-go for our project.

Using the instructions here, I set up managementContext in activemq.xml as follows:

<managementContext>
  <managementContext createConnector="true">
    <property xmlns="http://www.springframework.org/schema/beans" name="environment">
      <map xmlns="http://www.springframework.org/schema/beans">
        <entry xmlns="http://www.springframework.org/schema/beans"
               key="javax.net.ssl.keyStore"
               value="${activemq.base}/conf/keystor开发者_高级运维e.jks"/>
        <entry xmlns="http://www.springframework.org/schema/beans"
               key="javax.net.ssl.keyStorePassword"
               value="${keystore.password}"/>
        <entry xmlns="http://www.springframework.org/schema/beans"
               key="javax.net.ssl.trustStore" 
               value="${activemq.base}/conf/truststore.jks"/>
        <entry xmlns="http://www.springframework.org/schema/beans" 
               key="javax.net.ssl.trustStorePassword" 
               value="${truststore.password}"/> 
      </map>
    </property>
  </managementContext>
</managementContext>

This section seems to be completely ignored when the connector starts up. I can connect without credentials. I also tried using username and password authentication instead of ssl for JMX, as seen here, and that worked fine.

Has anyone seen this before? Any ideas? Thanks!

Have you enabled jmx ssl in the activemq launch scripts? On windows in the activemq-admin or activemq batch files, uncomment and modify the SUNJMX settings.

JMX authentiation is independent of whether ssl is used. It is controlled by the authenticate attribute. By default it will use the jmx access files in your jre, so re-point them with the system properties shown below. You may get an error message stating that the files themselves must be access controlled, so set them with chmod on unix or cacls on windows. I would suggest even turning off the ssl and getting the authentication to work first. You can test with jconsole with a remote connection to confirm that it wants credentials. Then follow-up with the ssl stuff.

set SUNJMX=-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1199 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.password.file=%ACTIVEMQ_BASE%/conf/access/jmx.password -Dcom.sun.management.jmxremote.access.file=%ACTIVEMQ_BASE%/conf/access/jmx.access

I had the same issue regarding the ActiveMQ SSL configuration (keystore & password) in the XML not working.

My requirement was to enable remote JMX monitoring of ActiveMQ with SSL and authentication through a firewall.

I resolved it using a custom JMX connector (via a Java Agent), rather than using the JMX connector that Active MQ creates.

see: JMX connectivity through a firewall for an example (JMXAgent.java)

The important entries for configuring SSL in the JMXAgent.java are:

Map<String, Object> env = new HashMap<String, Object>();        
SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();
env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);   

You can also specify your authentication files in the env Map:

env.put("jmx.remote.x.password.file", System.getProperty("password.file","<default_path>"));
env.put("jmx.remote.x.access.file", System.getProperty("access.file","<default_path>"));

The Java Agent needs to be compiled and put into a jar with a valid manifest file as described here

Add the following to the activemq launch configuration (depending on activemq version/ environment and run ActiveMQ:

-javaagent:<full_path_to_agent_jar_file> \ 
-Dpassword.file=<full_path_to_jmx.password_file> \
-Daccess.file=<full_path_to_jmx.access_file> \
-Djavax.net.ssl.keyStore=<full_path_to_keystore_file> \
-Djavax.net.ssl.keyStorePassword=<password> 

You should then be able to connect through jconsole (with correct security parameters)

The remote JMX connection URL will be something like:

service:jmx:rmi://<host>:<rmi_server_port>/jndi/rmi://<host>:<port>/jmxrmi

Note - ports can be configured in the Java Agent.