====== Activemq ======

**General Information**

ActiveMQ messaging server with an amqp+ssl transport connector, for an AWS-like messaging protocol.

Official Site: http://activemq.apache.org/

**Checklist**

  * Distro(s): CentOS 7

----

====== Install ======

Installing ActiveMQ.

  * Install the Java prerequisite.<code bash>yum install java-1.8.0-openjdk</code>
  * Install the ActiveMQ tarball into /opt/ (5.15.3 example). The version in the tar command must match the one downloaded.<code bash>wget https://archive.apache.org/dist/activemq/5.15.3/apache-activemq-5.15.3-bin.tar.gz
tar -zxvf apache-activemq-5.15.3-bin.tar.gz -C /opt</code>
  * Symlink for a version-agnostic path (5.15.3 example)<code bash>ln -s /opt/apache-activemq-5.15.3/ /opt/activemq</code>
  * Service file
    * CentOS 7: Create the systemd service file. ''activemq start'' forks into the background and writes the pid file, so the unit is declared ''Type=forking''.<code bash>vim /etc/systemd/system/activemq.service

[Unit]
Description=activemq message queue
After=network.target

[Service]
Type=forking
PIDFile=/opt/activemq/data/activemq.pid
ExecStart=/opt/activemq/bin/activemq start
ExecStop=/opt/activemq/bin/activemq stop
User=root
Group=root

[Install]
WantedBy=multi-user.target</code>
    * Reload the systemd daemon<code bash>systemctl daemon-reload</code>

----

====== Configure ======

Configuring ActiveMQ.
  * Update the admin and user passwords<code bash>vim /opt/activemq/conf/jetty-realm.properties</code>
  * Edit the transport connectors to use SSL (amqp+ssl); comment out or delete all unused transports. The URI is an XML attribute, so the query-string separators must be written as ''&amp;''.<code bash>vim /opt/activemq/conf/activemq.xml

<transportConnectors>
    <transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
</transportConnectors></code>
  * Append the SSL options to the environment file<code bash>echo -e "\n# Tell broker to use keystore\nACTIVEMQ_SSL_OPTS=\"-Djavax.net.ssl.keyStore=\${ACTIVEMQ_CONF}/broker.ks -Djavax.net.ssl.keyStorePassword=password\"" >> /opt/activemq/bin/env</code>
  * HTTPS on the web console<code bash>vim /opt/activemq/conf/jetty.xml

<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <constructor-arg>
        <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
            <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
            <property name="keyStorePassword" value="activepw!" />
        </bean>
    </constructor-arg>
    <property name="port" value="8162" />
</bean></code>
  * After verifying that HTTPS works, disable (comment out or delete) the http web console Connector<code bash>vim /opt/activemq/conf/jetty.xml

<!--
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <property name="host" value="#{systemProperties['jetty.host']}" />
    <property name="port" value="#{systemProperties['jetty.port']}" />
</bean>
--></code>

----

====== Verify ======

Verify the above configured settings.
Web console

  * https://ip.address.goes.here:8162
  * Check protocols and ciphers<code bash>sslscan --no-failed ip.address.goes.here:8162</code>
  * Ensure the **insecure web portal is not reachable** via: http://ip.address.goes.here:8161

Transport

  * Check the secure transport port<code bash>nc -i 3 -vw 3 ip.address.goes.here 5671
sslscan --no-failed ip.address.goes.here:5671</code>
  * Ensure the **insecure transport port is not** reachable<code bash>nc -i 3 -vw 3 ip.address.goes.here 5672</code>

----

linux_wiki/activemq.txt · Last modified: 2019/05/25 23:50
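The checklist above is four manual commands whose results have to be read by eye. The script below is an added example (not from this wiki page) that turns it into a pass/fail check suitable for running after every deploy: it asserts that the two TLS ports (8162 console, 5671 amqp+ssl) complete a TLS 1.2 handshake with ''openssl s_client'', and that the two plaintext ports (8161, 5672) refuse TCP connections. Port numbers are the ones configured on this page; the broker host is passed as the first argument. It assumes bash (for ''/dev/tcp'', so ''nc'' is not required) and ''openssl'' on the checking host.

```bash
#!/usr/bin/env bash
# Added example (not part of the wiki page): scripted version of the Verify
# checklist. Asserts that the TLS ports accept a TLS 1.2 handshake and that the
# plaintext ports (8161 web console, 5672 amqp) refuse connections.
# Needs bash (/dev/tcp) and openssl; coreutils `timeout` is used when present.
set -u

T=""; command -v timeout >/dev/null 2>&1 && T="timeout 5"

# tcp_open HOST PORT: 0 if a TCP connection can be established, 1 otherwise.
tcp_open() {
    $T bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# tls12_ok HOST PORT: 0 if openssl negotiates TLS 1.2 and a real cipher suite.
# A refused connection or a failed handshake leaves "Cipher is (NONE)" or no
# "New," summary line at all, both of which count as failure.
tls12_ok() {
    local out
    out=$($T openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>&1) || return 1
    printf '%s\n' "$out" | grep -q '^New, ' &&
        ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'
}

# not CMD...: invert a predicate, for "must NOT be reachable" checks
not() { ! "$@"; }

# check LABEL CMD...: run CMD, print PASS or FAIL, return CMD's status
check() {
    local label=$1; shift
    if "$@"; then echo "PASS  $label"; return 0; fi
    echo "FAIL  $label"; return 1
}

# verify_broker HOST: run the checklist; returns the number of failed checks.
verify_broker() {
    local host=$1 failed=0
    check "web console HTTPS (8162) negotiates TLS 1.2"   tls12_ok "$host" 8162 || failed=$((failed + 1))
    check "plaintext web console (8161) is not reachable" not tcp_open "$host" 8161 || failed=$((failed + 1))
    check "amqp+ssl transport (5671) negotiates TLS 1.2"  tls12_ok "$host" 5671 || failed=$((failed + 1))
    check "plaintext amqp (5672) is not reachable"        not tcp_open "$host" 5672 || failed=$((failed + 1))
    return $failed
}

if [ $# -gt 0 ]; then
    verify_broker "$1"
fi
```

Run it as ''./verify-activemq.sh ip.address.goes.here''; a non-zero exit means at least one line printed FAIL. The ''sslscan'' calls from the checklist remain the place to confirm the cipher list, since this script only proves that TLS 1.2 is offered, not that weaker protocols are refused.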