
I'm trying to configure user based authentication for ActiveMQ, and I'm pretty confused about the many different files involved in this process. I've read ActiveMQ's security page, but I still have several questions.

Just to be clear, my goal is to make it so only a specified user can read or write to ActiveMQ or access the web console. These can be local ActiveMQ users; LDAP is not needed.

I have successfully realized that in order to configure access to the web console I need to configure the users in conf/jetty-realm.properties, but beyond that I'm stuck.

Ok, so the files that seem to be related to authentication in the conf folder are...

  • credentials.properties
  • credentials-enc.properties
  • groups.properties
  • login.config
  • users.properties

On top of that, the security page recommends using the "simpleAuthenticationPlugin"

<simpleAuthenticationPlugin>
    <users>
        <authenticationUser username="system" password="manager"
            groups="users,admins"/>
        <authenticationUser username="user" password="password"
            groups="users"/>
        <authenticationUser username="guest" password="password" groups="guests"/>
    </users>
</simpleAuthenticationPlugin>

in the broker.

So my understanding is...

  • users.properties seems like where the users should go, but I don't see the point of the simpleAuthenticationPlugin if this file exists.
  • groups.properties seems like a place to configure the groups, ok.
  • login.config seems like it just points to users.properties and groups.properties, ok.
  • credentials.properties seems redundant. It looks like users are being configured in here. Not sure why this exists if users.properties exists.
  • credentials-enc.properties seems like a place for encrypted passwords, but again why does this exist if users.properties exists?

My questions are...

  1. What is the proper way to configure a local user on ActiveMQ and make it so they are the only ones who can read or write to the queues?

  2. What is the purpose of each of the following files?

    • credentials.properties
    • credentials-enc.properties
    • groups.properties
    • login.config
    • users.properties

  3. Does the simpleAuthenticationPlugin make these files obsolete?

Rory Alsop
Ryan Stull

1 Answer

At the time I am answering this, this question is 2 years old, so my answer might include things that have changed from the time this was posted. I'll answer the second question first:

credentials.properties     -> clear text passwords
credentials-enc.properties -> Encrypted passwords, if configured
groups.properties          -> a list of groups, and what users are members
login.config               -> a file to configure more advanced auth like ldap integration
users.properties           -> a list of user names.  

So I found this question while trying to figure out some of these things myself, so I am no expert. But I will share what I have learned.

Everything above other than login.config is now irrelevant, or it seems that way to me. If you are trying to configure LDAP integration, you have to deal with login.config, but otherwise... I think that one is also irrelevant. The things that do something when I mess with them:

jetty-realm.properties: This is the important one right 'out of the box'. It is formatted like:

userName: securePassword, nameOfGroupUserIsMemberOf

So if you want the 'foouser' user to use the password 'barpasswd', and be a member of the 'buzgroup' group, this file needs a line:

foouser: barpasswd, buzgroup

OK, so how does ActiveMQ know to call this file? By default, it is configured in the file jetty.xml. This is a very important file. Many of the instructions I found for LDAP integration suggest changing this file... but I can't get it to work. If I figure it out, I will amend this post. The other important file is activemq.xml. At the time of this post, the official docs suggest altering this file for several reasons. One of them is for LDAP integration... but those instructions do not work as far as I can tell. Above, you discovered altering this file to hard-code user accounts. I think they include this for backward compatibility, but I am not certain.

Now I will answer the first question. Once you have users configured in jetty-realm.properties, you can configure activemq.xml with permissions.

An example: https://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml You can see it in the authorizationMap section...

More notes for anyone interested:

When I followed the instructions to encrypt passwords, the service stopped loading. The reason seems to be the formatting of the file 'credentials-enc.properties'. When I reformatted it to be like 'jetty-realm.properties', the service would load, but ignore the encrypted passwords. Fun. I tried putting the encrypted passwords in 'jetty-realm.properties', no joy.

I can get ActiveMQ to encrypt and decrypt text, but be aware that the documentation says that only alphanumeric characters are supported. No spaces, nothing else.

Also, I will provide links to the pages I found, but they all conflict, and I got little to work other than the default setup.

What I know about LDAP integration: if you use JAAS, do not try to use a newer version. Do not try to use jetty-plus as they suggest in some of these links.

  • https://www.middlewareinventory.com/blog/active-mq-installation-and-security-setup-and-hardening-step-by-step/
  • https://activemq.apache.org/encrypted-passwords.html
  • http://activemq.apache.org/cached-ldap-authorization-module.html
  • http://activemq.apache.org/security.html
  • https://stackoverflow.com/questions/52686757/activemq-web-console-using-ldap-active-directory-authentication/55244956#55244956
  • https://bacedifo.blogspot.com/2013/06/securing-activemq-580-web-console-using.html
  • https://steamingpileofsoftware.blogspot.com/2013/10/secure-your-jetty-activemq-web-console.html

Art Hill
  • Oh, and for question 3: "obsolete" may not be the right term. I bet the way they think about it is that these are "alternative" ways to configure the product. Some people (like me) like the format of jetty-realm.properties over having 3 files or editing an xml file. Others might think that having the extra file is pointless, and they want it all in the xml. And if you were doing it one way, and that way is no longer available after making a version upgrade... well, that is unacceptable. – Art Hill Mar 22 '19 at 15:12
  • I suspect that simpleAuthenticationPlugin in broker is a configuration for the queues and topics, but not the admin page. – Art Hill Mar 25 '19 at 22:12
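To tie the question's simpleAuthenticationPlugin snippet and the answer's authorizationMap pointer together, here is a complete broker-side configuration for activemq.xml that does what the question asks for: one local user who is the only non-admin allowed to read or write queues. This is an added example, not code from the original question, the answer, or the ActiveMQ project; the user names, passwords, group names and the "orders.>" destination prefix are assumed placeholders. The web console is a separate concern and still reads conf/jetty-realm.properties (the "username: password, group" format the answer describes); what follows only governs broker clients (OpenWire, STOMP, AMQP, etc.).

```xml
<!-- Added example (not from the original post): broker authentication and
     authorization for conf/activemq.xml. The users, passwords, groups and the
     "orders.>" prefix are assumed placeholders. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <plugins>
    <!-- Authentication: local users defined inline, as in the question's
         snippet. anonymousAccessAllowed="false" (the default) rejects
         connections that present no credentials. -->
    <simpleAuthenticationPlugin anonymousAccessAllowed="false">
      <users>
        <authenticationUser username="appuser" password="CHANGE_ME_app"   groups="appusers"/>
        <authenticationUser username="admin"   password="CHANGE_ME_admin" groups="admins"/>
      </users>
    </simpleAuthenticationPlugin>

    <!-- Authorization: without this plugin every authenticated user can read
         and write every destination. ">" is ActiveMQ's wildcard for
         "this prefix and everything below it". -->
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <!-- Default: only admins may touch any queue or topic. -->
            <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
            <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>
            <!-- The single application user is limited to its own queue
                 prefix. "admin" here is the right to create the destination. -->
            <authorizationEntry queue="orders.>" read="appusers" write="appusers" admin="appusers"/>
            <!-- Advisory topics must stay readable/writable for every group
                 that connects, otherwise ordinary client connections fail
                 with an authorization error. -->
            <authorizationEntry topic="ActiveMQ.Advisory.>"
                                read="appusers,admins" write="appusers,admins" admin="appusers,admins"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
</broker>
```

Two practical checks after applying this: a client that connects as appuser and tries to send to a queue outside orders.> should be rejected with a SecurityException, and a client that connects with no credentials should be refused outright. The passwords in this file are cleartext, so restrict the file's permissions; the encrypted-passwords page linked in the answer describes replacing them with property placeholders, with the alphanumeric-only caveat the answer mentions.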