====== Activemq ======

**General Information**

ActiveMQ messaging server with amqp+ssl transport connector for an AWS like messaging protocol.

Official Site: http://activemq.apache.org/

**Checklist**
  * Distro(s): CentOS 7

----

====== Install ======

Installing ActiveMQ.

  * Install Java pre-req.<code bash>yum install java-1.8.0-openjdk</code>
  * Install ActiveMQ tarball into /opt/ (5.15.3 example)<code bash>wget https://archive.apache.org/dist/activemq/5.15.3/apache-activemq-5.15.3-bin.tar.gz
tar -zxvf apache-activemq-5.14.3-bin.tar.gz -C /opt</code>
  * Symlink for a version agnostic path (5.15.3 example)<code bash>ln -s /opt/apache-activemq-5.15.3/ /opt/activemq</code>
  * Service file
    * CentOS 7: Create systemd service file<code bash>vim /etc/systemd/system/activemq.service

[Unit]
Description=activemq message queue
After=network.target
[Service]
PIDFile=/opt/activemq/data/activemq.pid
ExecStart=/opt/activemq/bin/activemq start
ExecStop=/opt/activemq/bin/activemq stop
User=root
Group=root
[Install]
WantedBy=multi-user.target</code>
    * Reload systemd daemon<code bash>systemctl daemon-reload</code>

----

====== Configure ======

Configuring ActiveMQ.

  * Update admin and user passwords<code bash>vim /opt/activemq/conf/jetty-realm.properties</code>
  * Edit transport connectors to use ssl (amqp+ssl), comment out/delete all unused transports<code bash>/opt/activemq/conf/activemq.xml

<transportConnectors>

  <transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

</transportConnectors></code>
  * Append SSL options to environment file<code bash>echo -e "\n# Tell broker to use keystore\nACTIVEMQ_SSL_OPTS=\"-Djavax.net.ssl.keyStore=\${ACTIVEMQ_CONF}/broker.ks -Djavax.net.ssl.keyStorePassword=password\"" >> /opt/activemq/bin/env</code>
  * HTTPS on the web console<code bash>vim /opt/activemq/conf/jetty.xml

<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
                                        <constructor-arg ref="Server" />
                                        <constructor-arg>
                                                <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">

                                                        <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
                                                        <property name="keyStorePassword" value="activepw!" />
                                                </bean>
                                        </constructor-arg>
                                        <property name="port" value="8162" />
                                </bean></code>
  * After verifying above https works, disable (comment out or delete) http web console Connector<code bash>vim /opt/activemq/conf/jetty.xml

<!-- <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
                        <constructor-arg ref="Server" />
                   <property name="host" value="#{systemProperties['jetty.host']}" />
                   <property name="port" value="#{systemProperties['jetty.port']}" />
               </bean> -->
</code>

----

====== Verify ======

Verify the above configured settings.

Web console
  * https://ip.address.goes.here:8162
    * Check protocols and ciphers<code bash>sslscan --no-failed ip.address.goes.here:8162</code>
    * Ensure **insecure web portal is not reachable** via: http://ip.address.goes.here:8161

Transport
  * Check secure transport port<code bash>nc -i 3 -vw 3 ip.address.goes.here 5671

sslscan --no-failed ip.address.goes.here:5671</code>
  * Ensure **insecure transport port is not** reachable<code bash>nc -i 3 -vw 3 ip.address.goes.here 5672</code>

----