Posted to users@activemq.apache.org by Manjunath Kashyap <ma...@gmail.com> on 2022/11/07 18:21:35 UTC

ACTIVEMQ WEBCONSOLE BROKE CONNECTION | JNDI Question

Hi All,

ISSUE:

We have installed AMQ in a MASTER/SLAVE pair for both Consumers and Producers.
We also have installed the Web console to list all the queues using the MBEAN connector.
As part of this implementation, we have provided the JMX plain username and password in the Catalina.sh script.

We have been told this is a security threat and are requested to remove the plain password from the process. The config and output are as shown below.

activemq.xml:

<managementContext>
    <managementContext createConnector="true" connectorPort="5014">
        <property xmlns="http://www.springframework.org/schema/beans" name="environment">
            <map xmlns="http://www.springframework.org/schema/beans">
                <entry xmlns="http://www.springframework.org/schema/beans"
                       key="jmx.remote.x.password.file"
                       value="${activemq.base}/conf/jmx.password"/>
                <entry xmlns="http://www.springframework.org/schema/beans"
                       key="jmx.remote.x.access.file"
                       value="${activemq.base}/conf/jmx.access"/>
            </map>
        </property>
    </managementContext>
</managementContext>


Catalina.sh :

JAVA_OPTS="$JAVA_OPTS -Dwebconsole.type=properties -Dwebconsole.jms.url=failover:\(tcp://MASTER:52671,tcp://SLAVE:52671\) -Dwebconsole.jmx.url=service:jmx:rmi:///jndi/rmi://MASTER:5014/jmxrmi,service:jmx:rmi:///jndi/rmi://SLAVE:5014/jmxrmi -Dwebconsole.jmx.user=admin -Dwebconsole.jmx.password=*******"


The process displays the password in plain text. So to overcome this issue we tried the below configuration in Catalina.sh, but no luck:

JAVA_OPTS="$JAVA_OPTS -Dwebconsole.type=properties -Dwebconsole.jms.url=failover:\(tcp://MASTER:52671,tcp://SLAVE:52671\) -Dwebconsole.jmx.url=service:jmx:rmi:///jndi/rmi://MASTER:5014/jmxrmi,service:jmx:rmi:///jndi/rmi://SLAVE:5014/jmxrmi -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.password.file=/opt/sncr/product/ActiveMQ/DEV/AMQ_ETL_MASTER/apache-activemq-5.16.4/conf/jmx.password -Dcom.sun.management.jmxremote.access.file=/opt/sncr/product/ActiveMQ/DEV/AMQ_ETL_MASTER/apache-activemq-5.16.4/conf/jmx.access -Dcom.sun.management.jmxremote.rmi.port=5014 -Dcom.sun.management.jmxremote.authenticate=true"


Question: Is there a way to hide the password in the tomcat configuration to authenticate to the brokers?


Thanks,
Kashyap.
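
Added example (not part of the original post, and not ActiveMQ or Tomcat code): a small audit for the exposure described above, where a credential passed as a -D system property is visible in the process list. The function names are hypothetical and the sample arguments are constructed; the permission check reflects the JDK's requirement that a JMX password file be readable by its owner only.

```sh
#!/bin/sh
# Added example: helper names are hypothetical, sample values are constructed.

# Print the key (never the value) of each -D property that carries a
# credential inline, which is what "ps" and /proc/<pid>/cmdline expose.
find_inline_secrets() {
    for arg in "$@"; do
        case "$arg" in -D*=*) ;; *) continue ;; esac
        key=${arg#-D}; key=${key%%=*}; value=${arg#*=}
        # Properties ending in .file only name a credential file: not a leak.
        case "$key" in *.file) continue ;; esac
        lower=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case "$lower" in
            *password*|*passwd*|*secret*|*credential*)
                if [ -n "$value" ]; then printf '%s\n' "$key"; fi ;;
        esac
    done
    return 0
}

# Audit a file of NUL-separated arguments (the /proc/<pid>/cmdline layout).
audit_cmdline_file() {
    cmdline_file=$1
    old_ifs=$IFS
    IFS='
'
    set -f                      # no globbing while re-splitting
    set -- $(tr '\0' '\n' < "$cmdline_file")
    set +f
    IFS=$old_ifs
    find_inline_secrets "$@"
}

# Succeed only if FILE exists and group/other have no permission bits.
is_owner_only() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample modelled on the catalina.sh line in the post.
find_inline_secrets -Dwebconsole.type=properties -Dwebconsole.jmx.user=admin \
    -Dwebconsole.jmx.password=PLACEHOLDER \
    -Dcom.sun.management.jmxremote.password.file=/path/to/conf/jmx.password
```

On Linux, audit_cmdline_file can be pointed at /proc/<pid>/cmdline of the Tomcat or broker JVM, and is_owner_only at conf/jmx.password.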

Re: ACTIVEMQ WEBCONSOLE BROKE CONNECTION | JNDI Question

Posted by Manjunath Kashyap <ma...@gmail.com>.
Hi Matt,

I updated the configs as below,

Activemq.xml:

<managementContext>
    <managementContext createConnector="false"/>
</managementContext>


Added the below parameter in the activemq env file:

ACTIVEMQ_SUNJMX_CONTROL="-Dcom.sun.management.jmxremote.port=5014 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.password.file=$ACTIVEMQ_BASE/conf/jmx.password -Dcom.sun.management.jmxremote.access.file=$ACTIVEMQ_BASE/conf/jmx.access"

Observations:

1. Port 5014 is not listening when the broker is started.
2. I see the below message when the broker is stopped

INFO: failed to resolve jmxUrl for pid:946, using default JMX url
Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
.INFO: Broker not available at: service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi

Please let me know if I am doing something incorrectly. 

BR/Kashyap.

> On 08-Nov-2022, at 12:26 AM, Matt Pavlovich <ma...@gmail.com> wrote:
> 
> Hello Manjunath-
> 
> Looks like you are creating multiple JMX connectors (one is JVM default, the other is ActiveMQ creating one per your non-default configuration). ActiveMQ does not need a dedicated connector, so you can modify the <managementContext createConnector="false" /> and just use the -D parameters.
> 
> ref: https://activemq.apache.org/jmx
> 
> Thanks,
> Matt Pavlovich


Re: ACTIVEMQ WEBCONSOLE BROKE CONNECTION | JNDI Question

Posted by Matt Pavlovich <ma...@gmail.com>.
Hello Manjunath-

Looks like you are creating multiple JMX connectors (one is JVM default, the other is ActiveMQ creating one per your non-default configuration). ActiveMQ does not need a dedicated connector, so you can modify the <managementContext createConnector="false" /> and just use the -D parameters.

ref: https://activemq.apache.org/jmx

Thanks,
Matt Pavlovich
