Securing up ActiveMQ

[leaski <tr...@enghouse.com>]

Hi all,

At the moment I am currently investigating how to secure up our
implementation of Active MQ.  I have done some reading and have managed to
setup a test system running SSL and the Simple Authentication Plugin.  This
seems pretty simple, but I have a couple of questions about the level of
security it offers.

1) If someone asks for the implementation to be FIPS 140 complaint, how
would we go about doing that.  What library does ActiveMQ use for its
encryption/decryption/RNGs?  I guess this apply's to the SSL transport, and
the simpleAuthenticationPlugin when it is using encrypted passwords.

2) Is there a way to change the password encryption algorithm from
PBEWithMD5AndDES to something else as DES is pretty poor.

3) Is there anything out there that allows the key storage for use with the
password encryption to not have to be included in the configuration file? 
I.E a custom launcher (wrapper as we use the windows implementation with our
windows product) that can read the key from an external location?

4) Whats the thoughts on running anonymous authentication with SSL
configured relying on the trusted keystores as a way of restricting access
(assuming that access to the machines keystores are not easy) so that it
password storage for the simpleAuthenticationPlugin becomes redundant.

Given that we don't have the ability to tie the Active MQ setup in with an
LDAP Server to control access to the brokers, am I right in thinking my only
option is using the simpleAuthenticationPlugin along with SSL or just
abandoning SSL and running IPSec over the top of the setup.

Am I missing something?

Thanks



--
View this message in context: http://activemq.2283324.n4.nabble.com/Securing-up-ActiveMQ-tp4705767.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.