THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
SSL encrypted RMI (0.5 and above)
Current versions of the broker make use of SSL encryption to secure their RMI based JMX ConnectorServer for security purposes.
JMXMP (M4 and previous)
In previous releases of Qpid (M4 and below) the broker, The Qpid broker can make use of the Sun's Java Management Extensions Messaging Protocol (JMXMP) to provide encryption of the JMX connection, offering increased security over the default unencryted RMI based JMX connection.
Download and Install
This is possible by adding the jmxremote_optional.jar as provided by Sun. This jar is covered by the Sun Binary Code License and is not compatible with the Apache License which is why this component is not bundled with Qpid.
Download the JMX Remote API 1.0.1_04 Reference Implementation from here. The included 'jmxremote-1_0_1-bin\lib\jmxremote_optional.jar' file must be added to the broker classpath:
First set your classpath to something like this:
| No Format |
|---|
CLASSPATH=jmxremote_optional.jar
|
Then, run qpid-server passing the following additional flag:
| No Format |
|---|
qpid-server -run:external-classpath=first
|
Following this Once this jar has been added to the broker classpath then the configuration option can be updated to enabled use of the JMXMP based JMXConnectorServer.
Configuring
To enabled this security option change the security-enabled value in your broker configuration file.
| No Format |
|---|
<management>
<security-enabled>true</security-enabled>
</management>
|
...
To utilise the new secure connection with the Qpid Management console there are two steps:
- Add jmxremote_optional.jar the classpath
- Add -Dsecurity=CRAM-MD5 to the start command in the relevant qpidmc script.
User Accounts
User accounts for the Management Console must be created in the jmxremote.access file.
JConsole
NOTE: This has not be validated but technically should work fine.
JConsole can also be configured to talk to the broker. Again by adding the jmxremote_optional jar to the classpath.
| No Format |
|---|
jconsole -J-Djava.class.path=JAVA_HOME/lib/jconsole.jar:JAVA_HOME/lib/tools.jar:jmxremote_optional.jar
|
For further details see Sun's JConsole guide
Then specify your server url address in the jconsole connecting window to use jmxmp:
User Accounts & Access Rights
In order to access the management operations via JMX, users must have an account and have been assigned appropriate access rights. See Configuring Management Users
...