
ActiveMQ

General Information

ActiveMQ messaging server with an amqp+ssl transport connector for an AWS-like messaging protocol.

Official Site: http://activemq.apache.org/

Checklist

  • Distro(s): CentOS 7

Install

Installing ActiveMQ.

  • Install Java pre-req.
    yum install java-1.8.0-openjdk
  • Install ActiveMQ tarball into /opt/ (5.15.3 example)
    wget https://archive.apache.org/dist/activemq/5.15.3/apache-activemq-5.15.3-bin.tar.gz
    tar -zxvf apache-activemq-5.15.3-bin.tar.gz -C /opt
  • Symlink for a version agnostic path (5.15.3 example)
    ln -s /opt/apache-activemq-5.15.3/ /opt/activemq
  • Service file
    • CentOS 7: Create systemd service file
      vim /etc/systemd/system/activemq.service
       
      [Unit]
      Description=activemq message queue
      After=network.target
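      [Service]
      # "activemq start" launches the broker in the background and exits,
      # so systemd has to follow the forked process through the PID file.
      Type=forking
      PIDFile=/opt/activemq/data/activemq.pid
      ExecStart=/opt/activemq/bin/activemq start
      ExecStop=/opt/activemq/bin/activemq stop
      # The broker runs as root here; the listeners on this page (5671, 8162)
      # are unprivileged ports and do not require it.
      User=root
      Group=root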
      [Install]
      WantedBy=multi-user.target
    • Reload systemd daemon
      systemctl daemon-reload

Configure

Configuring ActiveMQ.

  • Update admin and user passwords
    vim /opt/activemq/conf/jetty-realm.properties
  • Edit the transport connectors to use SSL (amqp+ssl); comment out or delete all unused transports
    /opt/activemq/conf/activemq.xml
     
    <transportConnectors>
     
      <transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
     
    </transportConnectors>
  • Append SSL options to environment file
    echo -e "\n# Tell broker to use keystore\nACTIVEMQ_SSL_OPTS=\"-Djavax.net.ssl.keyStore=\${ACTIVEMQ_CONF}/broker.ks -Djavax.net.ssl.keyStorePassword=password\"" >> /opt/activemq/bin/env
  • HTTPS on the web console
    vim /opt/activemq/conf/jetty.xml
     
    <bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
        <constructor-arg ref="Server" />
        <constructor-arg>
            <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
     
                <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
                <property name="keyStorePassword" value="activepw!" />
            </bean>
        </constructor-arg>
        <property name="port" value="8162" />
    </bean>
  • After verifying that HTTPS works as configured above, disable (comment out or delete) the HTTP web console Connector
    vim /opt/activemq/conf/jetty.xml
     
    <!-- <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
        <constructor-arg ref="Server" />
        <property name="host" value="#{systemProperties['jetty.host']}" />
        <property name="port" value="#{systemProperties['jetty.port']}" />
    </bean> -->

Verify

Verify the above configured settings.

Web console

Transport

  • Check secure transport port
    nc -i 3 -vw 3 ip.address.goes.here 5671
     
    sslscan --no-failed ip.address.goes.here:5671
  • Ensure insecure transport port is not reachable
    nc -i 3 -vw 3 ip.address.goes.here 5672
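
The port checks above only show what is listening at the moment they run. As an added example (not part of the original wiki page), this Python script audits activemq.xml itself for connectors left enabled without TLS, for a missing or wider transport.enabledProtocols than the TLSv1.2 used here, and for static-RSA cipher suites; the sample XML, including the leftover openwire connector, is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a shortened form of the page's amqp+ssl connector, one
# commented-out transport, and a plaintext OpenWire connector left enabled.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
 <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
  <transportConnectors>
   <!-- <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/> -->
   <transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256&amp;maximumConnections=1000"/>
   <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
  </transportConnectors>
 </broker>
</beans>"""

ALLOWED_PROTOCOLS = {"TLSv1.2"}  # assumption: the only protocol this page enables


def is_tls_scheme(scheme):
    """ActiveMQ TLS transports carry an 'ssl' component (ssl, amqp+ssl, nio+ssl)."""
    return "ssl" in scheme.split("+") or scheme in ("wss", "https")


def audit_connectors(xml_text):
    """Return (connector name, finding) pairs for every active transportConnector."""
    findings = []
    # The parser drops XML comments, so commented-out transports are skipped.
    for el in ET.fromstring(xml_text).iter():
        # Match on the local name: the broker element lives in its own namespace.
        if el.tag.rsplit("}", 1)[-1] != "transportConnector":
            continue
        name, uri = el.get("name", "?"), urlsplit(el.get("uri", ""))
        opts = parse_qs(uri.query)
        if not is_tls_scheme(uri.scheme):
            findings.append((name, f"plaintext transport {uri.scheme}:// on port {uri.port}"))
            continue
        protocols = set(",".join(opts.get("transport.enabledProtocols", [])).split(",")) - {""}
        if not protocols:
            findings.append((name, "transport.enabledProtocols not set"))
        elif protocols - ALLOWED_PROTOCOLS:
            findings.append((name, f"extra protocols: {sorted(protocols - ALLOWED_PROTOCOLS)}"))
        for suite in ",".join(opts.get("transport.enabledCipherSuites", [])).split(","):
            if suite.startswith("TLS_RSA_"):
                findings.append((name, f"{suite}: static RSA key exchange, no forward secrecy"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_connectors(SAMPLE_XML):
        print(f"{name}: {finding}")
```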

  • Last modified: 2019/05/25 23:50