SSL encrypted RMI (0.5 and above)

Current versions of the broker use SSL to encrypt their RMI-based JMX ConnectorServer. This ships enabled by default, but the test SSL keystore used during development is deliberately not shipped (it is publicly available, so anyone could use it and it would provide no security), and so the configuration must be updated before the broker will start. This can be done either by disabling SSL support (which leaves JMX management traffic unencrypted), by using a purchased SSL certificate to create a keystore of your own, or by using the example 'create-example-ssl-stores' script in the broker's bin/ directory to generate a self-signed keystore.

The broker must be configured with a keystore containing the private key and certificate that make up its SSL identity. This is accomplished by setting the Java system properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword to the location and password of an appropriate SSL keystore. Entries for these properties exist in the broker's main configuration file alongside the other management settings (see below); setting the system properties on the command line still works and takes precedence over the configuration file.


<management>
    <enabled>true</enabled>
    <jmxport>8999</jmxport>
    <ssl>
        <enabled>true</enabled>
        <!-- Update below path to your keystore location, eg ${conf}/qpid.keystore  -->
        <keyStorePath>${prefix}/../test_resources/ssl/keystore.jks</keyStorePath>
        <keyStorePassword>password</keyStorePassword>
    </ssl>
</management>
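As an added example (not part of this page or of Qpid itself), the following Python script lints a <management> fragment like the one above for the conditions that actually bite in practice: JMX enabled with SSL switched off, a keyStorePath still pointing at the development test keystore, the development keystore password, and a keystore that is missing or readable by other users on disk. The three sample configurations embedded in it are constructed for the example; the ${conf}-style placeholder expansion and the file-permission check are assumptions about the deployment environment, not behaviour the broker itself enforces.

```python
"""Lint a Qpid Java broker <management> configuration for weak JMX SSL settings.

Added example, not Qpid project code. It parses a <management> element and
reports what a reviewer would flag before the broker goes live: SSL disabled
on the JMX connector, a keystore path still pointing at the development test
keystore, the development password 'password', or a keystore that is missing
or world-readable on disk.
"""
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from a real deployment).
SHIPPED_DEFAULT = """\
<management>
    <enabled>true</enabled>
    <jmxport>8999</jmxport>
    <ssl>
        <enabled>true</enabled>
        <keyStorePath>${prefix}/../test_resources/ssl/keystore.jks</keyStorePath>
        <keyStorePassword>password</keyStorePassword>
    </ssl>
</management>
"""

PLAINTEXT_JMX = """\
<management>
    <enabled>true</enabled>
    <jmxport>8999</jmxport>
    <ssl>
        <enabled>false</enabled>
    </ssl>
</management>
"""

HARDENED = """\
<management>
    <enabled>true</enabled>
    <jmxport>8999</jmxport>
    <ssl>
        <enabled>true</enabled>
        <keyStorePath>${conf}/qpid.keystore</keyStorePath>
        <keyStorePassword>s3cr3t-example-passphrase</keyStorePassword>
    </ssl>
</management>
"""


def expand_vars(path, variables):
    """Expand ${name} placeholders such as ${conf}; unknown names are left untouched.
    The mapping is supplied by the caller (assumed to mirror the deployment)."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), path)


def _is_true(element, child):
    """True if the named child element exists and contains 'true' (case-insensitive)."""
    return (element.findtext(child) or "false").strip().lower() == "true"


def check_management_ssl(xml_text, variables=None, check_file=True):
    """Return a list of (severity, message) findings; an empty list means nothing to report."""
    variables = variables or {}
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "management":
        raise ValueError("expected a <management> element")
    if not _is_true(root, "enabled"):
        return findings  # JMX is off altogether, so there is no connector to protect
    ssl = root.find("ssl")
    if ssl is None or not _is_true(ssl, "enabled"):
        findings.append(("HIGH", "JMX enabled with SSL off: the RMI connector and JMX credentials travel in plaintext"))
        return findings
    path = (ssl.findtext("keyStorePath") or "").strip()
    password = ssl.findtext("keyStorePassword") or ""
    if not path:
        findings.append(("HIGH", "no keyStorePath: the broker will not start"))
    elif "test_resources" in path:
        findings.append(("HIGH", "keyStorePath still points at the development test keystore"))
    elif check_file:
        expanded = expand_vars(path, variables)
        if not os.path.isfile(expanded):
            findings.append(("HIGH", "keystore not found at %s" % expanded))
        elif os.stat(expanded).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(("MEDIUM", "keystore %s is readable by group/others" % expanded))
    if not password:
        findings.append(("HIGH", "no keyStorePassword set"))
    elif password == "password":
        findings.append(("MEDIUM", "keyStorePassword is the development default 'password'"))
    return findings


if __name__ == "__main__":
    samples = (("shipped default", SHIPPED_DEFAULT), ("plaintext", PLAINTEXT_JMX), ("hardened", HARDENED))
    for name, cfg in samples:
        print(name)
        for sev, msg in check_management_ssl(cfg, check_file=False):
            print("  %-6s %s" % (sev, msg))
```

Run against a real config.xml, pass check_file=True and a variables mapping that matches how the broker expands ${conf} and ${prefix} on your host; the shipped-default sample produces a HIGH finding for the test keystore path and a MEDIUM one for the password, the plaintext sample a single HIGH, and the hardened sample nothing.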

JMX Management Console

If the broker uses an SSL certificate signed by a CA (Certification Authority) that the Java runtime already trusts, the management console needs no extra configuration and will use Java's built-in CA truststore for certificate verification (you may, however, have to update the system-wide default truststore if your CA is not already present in it).

If, however, you wish to use a self-signed SSL certificate, then the management console must be provided with an SSL truststore containing an entry for that certificate so that it can validate the certificate when the broker presents it. This is done by setting the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties when starting the console. This can be done on the command line, or alternatively an example configuration has been provided in the console's qpidmc.ini launcher configuration file that may be pre-configured in advance for repeated use.

More information on Java's handling of SSL certificate verification and on customizing the keystores can be found in the JSSE Reference Guide.

JMXMP (M4 and previous)

In previous releases of Qpid (M4 and earlier), the broker can make use of Sun's Java Management Extensions Messaging Protocol (JMXMP) to encrypt the JMX connection, offering increased security over the default unencrypted RMI-based JMX connection.

...

    <management>
        <security-enabled>true</security-enabled>
    </management>

User Accounts & Access Rights

In order to access the management operations via JMX, users must have an account and have been assigned appropriate access rights. See Configuring Management Users.