====== ActiveMQ ======
**General Information**
ActiveMQ messaging server with an amqp+ssl transport connector for an AWS-like messaging protocol.
Official Site: http://activemq.apache.org/
**Checklist**
* Distro(s): CentOS 7
----
====== Install ======
Installing ActiveMQ.
* Install the Java prerequisite
<code bash>
yum install java-1.8.0-openjdk
</code>
* Install ActiveMQ tarball into /opt/ (5.15.3 example)
<code bash>
wget https://archive.apache.org/dist/activemq/5.15.3/apache-activemq-5.15.3-bin.tar.gz
tar -zxvf apache-activemq-5.15.3-bin.tar.gz -C /opt
</code>
* Symlink for a version agnostic path (5.15.3 example)
<code bash>
ln -s /opt/apache-activemq-5.15.3/ /opt/activemq
</code>
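* Service file
  * CentOS 7: Create systemd service file
<code bash>
vim /etc/systemd/system/activemq.service
</code>
<code ini>
[Unit]
Description=activemq message queue
After=network.target

[Service]
# "activemq start" launches the broker in the background and returns,
# so systemd has to track the daemon through the PID file
Type=forking
PIDFile=/opt/activemq/data/activemq.pid
ExecStart=/opt/activemq/bin/activemq start
ExecStop=/opt/activemq/bin/activemq stop
# The broker runs as root here; a dedicated unprivileged account that owns
# /opt/activemq limits what a compromised broker can reach
User=root
Group=root

[Install]
WantedBy=multi-user.target
</code>
* Reload systemd daemon
<code bash>
systemctl daemon-reload
</code>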
----
====== Configure ======
Configuring ActiveMQ.
* Update admin and user passwords
<code bash>
vim /opt/activemq/conf/jetty-realm.properties
</code>
* Edit transport connectors to use ssl (amqp+ssl), comment out/delete all unused transports
<code>
/opt/activemq/conf/activemq.xml
</code>
* Append SSL options to environment file
<code bash>
echo -e "\n# Tell broker to use keystore\nACTIVEMQ_SSL_OPTS=\"-Djavax.net.ssl.keyStore=\${ACTIVEMQ_CONF}/broker.ks -Djavax.net.ssl.keyStorePassword=password\"" >> /opt/activemq/bin/env
</code>
* HTTPS on the web console
<code bash>
vim /opt/activemq/conf/jetty.xml
</code>
* After verifying that HTTPS works, disable (comment out or delete) the HTTP web console Connector
<code bash>
vim /opt/activemq/conf/jetty.xml
</code>
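A check for the transport connector step above, as an added example that is not part of the original page or of ActiveMQ: it parses activemq.xml and reports every active transportConnector whose URI scheme is not amqp+ssl. The function name, the allowed-scheme set and the sample XML are assumptions made for this example.

```python
import sys
import xml.etree.ElementTree as ET

ALLOWED_SCHEMES = {"amqp+ssl"}  # assumption: the only connector this page keeps

# Constructed sample resembling a partly edited conf/activemq.xml (not from the page)
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <!-- <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/> -->
      <transportConnector name="amqp" uri="amqp://0.0.0.0:5672"/>
      <transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671"/>
    </transportConnectors>
  </broker>
</beans>"""

def audit_connectors(xml_text, allowed=ALLOWED_SCHEMES):
    """Return (name, uri, reason) tuples for connectors that should not be active."""
    findings, secure_seen = [], False
    # ElementTree discards XML comments, so commented-out connectors are skipped
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "transportConnector":
            continue
        name, uri = el.get("name", "?"), el.get("uri", "")
        scheme = uri.split("://", 1)[0].lower()
        if scheme in allowed:
            secure_seen = True
        else:
            findings.append((name, uri, "scheme '%s' is not in the allowed set" % scheme))
    if not secure_seen:
        findings.append(("-", "", "no connector with an allowed scheme is active"))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    problems = audit_connectors(text)
    for name, uri, reason in problems:
        print("FAIL %s %s: %s" % (name, uri, reason))
    sys.exit(1 if problems else 0)
```

Run it with the path to conf/activemq.xml as the first argument; it exits non-zero when any finding is reported.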
----
====== Verify ======
Verify the above configured settings.
Web console
* https://ip.address.goes.here:8162
* Check protocols and ciphers
<code bash>
sslscan --no-failed ip.address.goes.here:8162
</code>
* Ensure **insecure web portal is not reachable** via: http://ip.address.goes.here:8161
Transport
* Check secure transport port
<code bash>
nc -i 3 -vw 3 ip.address.goes.here 5671
sslscan --no-failed ip.address.goes.here:5671
</code>
* Ensure **insecure transport port is not** reachable
<code bash>
nc -i 3 -vw 3 ip.address.goes.here 5672
</code>
----