Management Console Security
SSL encrypted RMI (0.5 and above)
...
The broker configuration must be updated before the broker will start. This can be done either by disabling the SSL support, utilizing a purchased SSL certificate to create a keystore of your own, or using the example 'create-example-ssl-stores' script in the broker's bin/ directory to generate a self-signed keystore.
...
If, however, you wish to use a self-signed SSL certificate, then the management console must be provided with an SSL truststore containing a record for the SSL certificate so that it is able to validate it when presented by the broker. This is performed by setting the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword environment variables when starting the console. This can be done at the command line, or alternatively an example configuration has been made within the console's qpidmc.ini launcher configuration file that may be pre-configured in advance for repeated usage. See the User Guide for more information on this configuration process.
JConsole Configuration
As with the JMX Management Console above, if the broker is using a self-signed SSL certificate then in order to connect remotely using JConsole, an appropriate trust store must be provided at startup. See JConsole for further details on configuration.
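The truststore steps described above for the management console and for JConsole, as an added shell example that is not part of the Qpid documentation. It uses the JDK's keytool; the file names, the alias and the password variables are placeholders, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example. Paths, alias and passwords are placeholders chosen for illustration.

# Export only the broker's certificate (no private key) from its keystore.
export_broker_cert() {   # <keystore> <storepass> <alias> <out.pem>
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Print the certificate's SHA-256 fingerprint so it can be compared, out of band,
# with the value seen on the broker host before the certificate is trusted.
cert_fingerprint() {     # <cert.pem>
    keytool -printcert -file "$1" | grep -E 'SHA-?256:'
}

# Import the certificate into a truststore used only by the management client.
build_truststore() {     # <cert.pem> <truststore> <storepass> <alias>
    keytool -importcert -noprompt -file "$1" -keystore "$2" -storepass "$3" -alias "$4"
}

# Emit the two properties named in the text. <prefix> is "" for a java command
# line and "-J" for jconsole, which forwards -J options to its JVM.
# Fails rather than emitting options for a truststore that cannot be read.
truststore_opts() {      # <prefix> <truststore> <storepass>
    [ -r "$2" ] || { echo "truststore not readable: $2" >&2; return 1; }
    printf '%s %s\n' "$1-Djavax.net.ssl.trustStore=$2" \
                     "$1-Djavax.net.ssl.trustStorePassword=$3"
}

# Typical sequence (not run here):
#   export_broker_cert broker.ks "$KS_PASS" qpidbroker broker.pem
#   cert_fingerprint broker.pem
#   build_truststore broker.pem console.ts "$TS_PASS" qpidbroker
#   jconsole $(truststore_opts -J "$PWD/console.ts" "$TS_PASS")
```

Properties passed on the command line are visible to other local users in the process list, so the truststore password used here should not be shared with a keystore that holds a private key.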
...
<management>
    <security-enabled>true</security-enabled>
</management>
You may also (for M2 and earlier) need to set the following system properties using the environment variable QPID_OPTS:
QPID_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
JMX Management Console Configuration
...
In order to access the management operations via JMX, users must have an account and have been assigned appropriate access rights. See Configuring Management Users.