linux_wiki:activemq

linux_wiki:activemq [2019/05/25 23:50] (current)
====== Activemq ======

**General Information**

ActiveMQ messaging server with an amqp+ssl transport connector (AMQP over TLS) and an HTTPS-only web console. Every cleartext listener the stock configuration ships with is removed.

Official Site: http://activemq.apache.org/

**Checklist**
  * Distro(s): CentOS 7

----

====== Install ======

Installing ActiveMQ.

  * Install Java pre-req.<code bash>yum install java-1.8.0-openjdk</code>
  * Install ActiveMQ tarball into /opt/ (5.15.3 example). Check the download against the .asc signature Apache publishes next to it before unpacking, and make sure the tarball name you extract matches the version you fetched.<code bash>wget https://archive.apache.org/dist/activemq/5.15.3/apache-activemq-5.15.3-bin.tar.gz
tar -zxvf apache-activemq-5.15.3-bin.tar.gz -C /opt</code>
  * Symlink for a version agnostic path (5.15.3 example)<code bash>ln -s /opt/apache-activemq-5.15.3/ /opt/activemq</code>
  * Service file
    * CentOS 7: Create systemd service file. The start script backgrounds the broker and exits, so the unit needs Type=forking together with the PIDFile; with the default Type=simple systemd would treat the exiting wrapper as the service and tear the broker down again. The unit below runs the broker as root for brevity; for anything beyond a lab, create an unprivileged activemq user, chown /opt/apache-activemq-5.15.3 to it and set User= and Group= to that account.<code bash>vim /etc/systemd/system/activemq.service

[Unit]
Description=activemq message queue
After=network.target

[Service]
Type=forking
PIDFile=/opt/activemq/data/activemq.pid
ExecStart=/opt/activemq/bin/activemq start
ExecStop=/opt/activemq/bin/activemq stop
User=root
Group=root

[Install]
WantedBy=multi-user.target</code>
    * Reload systemd daemon<code bash>systemctl daemon-reload</code>

----

====== Configure ======

Configuring ActiveMQ.

  * Update admin and user passwords. The file ships with admin/admin and user/user (format: username: password, role); change both, and keep the file readable only by the account the broker runs as, since the passwords are stored in clear text.<code bash>vim /opt/activemq/conf/jetty-realm.properties</code>
  * Edit transport connectors to use ssl (amqp+ssl), comment out/delete all unused transports (the stock file also enables openwire, amqp, stomp, mqtt and ws listeners in clear text). The cipher list below is the original one from this page; note that the TLS_RSA_* suite has no forward secrecy and the CBC suites are older than the AES-GCM ones, so on a current JDK prefer ECDHE suites such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. The ampersands must stay escaped as &amp;amp; inside the XML attribute.<code bash>vim /opt/activemq/conf/activemq.xml

<transportConnectors>

  <transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

</transportConnectors></code>
  * Append SSL options to environment file. broker.ks is the broker's Java keystore holding its private key and certificate; the install does not create it, so generate it with keytool or import a CA-issued certificate first. Replace the placeholder password with the real keystore password, and since it lands in clear text in bin/env, keep that file mode 0600.<code bash>echo -e "\n# Tell broker to use keystore\nACTIVEMQ_SSL_OPTS=\"-Djavax.net.ssl.keyStore=\${ACTIVEMQ_CONF}/broker.ks -Djavax.net.ssl.keyStorePassword=password\"" >> /opt/activemq/bin/env</code>
  * HTTPS on the web console: uncomment the SecureConnector bean that ships commented out in jetty.xml and point it at the same keystore. keyStorePassword must match the keystore's actual password (the two placeholders on this page differ; use one real value). Without a host property the connector listens on all interfaces, so add one if the console should only be reachable from a management network. This connector uses Jetty's default protocol and cipher settings rather than the list set on the transport connector, so check it separately in the Verify section.<code bash>vim /opt/activemq/conf/jetty.xml

<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <constructor-arg>
        <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
            <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
            <property name="keyStorePassword" value="activepw!" />
        </bean>
    </constructor-arg>
    <property name="port" value="8162" />
</bean></code>
  * After verifying above https works, disable (comment out or delete) the http web console Connector, then restart the broker (systemctl restart activemq) so Jetty stops listening on 8161.<code bash>vim /opt/activemq/conf/jetty.xml

<!-- <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
    <constructor-arg ref="Server" />
    <property name="host" value="#{systemProperties['jetty.host']}" />
    <property name="port" value="#{systemProperties['jetty.port']}" />
</bean> -->
</code>

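The following script is an added example for this page, not something from the wiki author or from the ActiveMQ project. It audits the two files edited above offline: every transportConnector in activemq.xml is checked for a cleartext scheme, for TLS versions below 1.2 and for cipher suites without forward secrecy (TLS_RSA_*) or in CBC mode, and jetty-realm.properties is checked for accounts still on the shipped admin/admin and user/user defaults or on trivially weak passwords. The sample file contents are constructed inline (an openwire connector left enabled plus the amqp+ssl connector from this page) so it runs without a broker; the function names are my own.

```python
"""Offline audit of conf/activemq.xml and conf/jetty-realm.properties.

Added example, not part of ActiveMQ. Run with the conf directory as the only
argument, or with no argument to audit the constructed samples below.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# ActiveMQ transport schemes that wrap the wire protocol in TLS.
SECURE_SCHEMES = {"ssl", "nio+ssl", "amqp+ssl", "amqp+nio+ssl", "mqtt+ssl",
                  "mqtt+nio+ssl", "stomp+ssl", "stomp+nio+ssl", "wss",
                  "auto+ssl", "auto+nio+ssl"}
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Credentials shipped in conf/jetty-realm.properties.
DEFAULT_CREDS = {("admin", "admin"), ("user", "user")}
# Jetty password encodings that are not comparable as clear text.
HASHED_PREFIXES = ("OBF:", "MD5:", "CRYPT:")

# Constructed sample: stock openwire connector still enabled plus the page's amqp+ssl one.
SAMPLE_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="amqp+ssl" uri="amqp+ssl://0.0.0.0:5671?transport.enabledProtocols=TLSv1.2&amp;transport.enabledCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256&amp;maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
    </transportConnectors>
  </broker>
</beans>
"""
# Constructed sample: the realm file as shipped (username: password, role).
SAMPLE_REALM = "# username: password [,rolename ...]\nadmin: admin, admin\nuser: user, user\n"


def audit_transport_uri(uri):
    """Findings for one transportConnector URI; an empty list means it passes."""
    findings = []
    u = urlsplit(uri)
    where = "%s://%s:%s" % (u.scheme, u.hostname, u.port)
    if u.scheme not in SECURE_SCHEMES:
        findings.append("%s: cleartext transport, delete it or move it to an +ssl scheme" % where)
        return findings
    opts = {k: v[-1] for k, v in parse_qs(u.query).items()}
    protocols = set(p for p in opts.get("transport.enabledProtocols", "").split(",") if p)
    if not protocols:
        findings.append("%s: transport.enabledProtocols not set, JVM defaults apply" % where)
    for p in sorted(protocols - ACCEPTED_PROTOCOLS):
        findings.append("%s: legacy protocol %s enabled" % (where, p))
    for suite in (s for s in opts.get("transport.enabledCipherSuites", "").split(",") if s):
        if suite.startswith("TLS_RSA_"):
            findings.append("%s: %s uses RSA key exchange, no forward secrecy" % (where, suite))
        if "_CBC_" in suite:
            findings.append("%s: %s is a CBC suite, prefer an ECDHE AES-GCM suite" % (where, suite))
    return findings


def audit_activemq_xml(text):
    """Walk every transportConnector element regardless of XML namespace."""
    findings = []
    for el in ET.fromstring(text).iter():
        if el.tag.rsplit("}", 1)[-1] == "transportConnector" and el.get("uri"):
            findings.extend(audit_transport_uri(el.get("uri")))
    return findings


def audit_realm(text):
    """jetty-realm.properties: flag shipped defaults and trivially weak passwords."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, rest = line.partition(":")
        user, password = user.strip(), rest.split(",", 1)[0].strip()
        if (user, password) in DEFAULT_CREDS:
            findings.append("console account %s: shipped default password" % user)
        elif not password.startswith(HASHED_PREFIXES) and (password == user or len(password) < 12):
            findings.append("console account %s: weak cleartext password" % user)
    return findings


def audit(xml_text, realm_text):
    """All findings for one conf directory's worth of files."""
    return audit_activemq_xml(xml_text) + audit_realm(realm_text)


if __name__ == "__main__":
    # Usage: python audit_activemq_conf.py [/opt/activemq/conf]
    if len(sys.argv) > 1:
        conf = sys.argv[1]
        with open(conf + "/activemq.xml") as f, open(conf + "/jetty-realm.properties") as g:
            results = audit(f.read(), g.read())
    else:
        results = audit(SAMPLE_ACTIVEMQ_XML, SAMPLE_REALM)
    for r in results:
        print("FAIL", r)
    sys.exit(1 if results else 0)
```

Against the constructed samples it reports the leftover openwire listener, one suite without forward secrecy, three CBC suites and both default console accounts; a connector restricted to TLSv1.2 with an ECDHE AES-GCM suite passes clean.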
----

====== Verify ======

Verify the above configured settings. nc only proves whether a TCP listener exists; sslscan is what confirms the protocol versions and cipher suites actually offered, so run both against every port.

Web console
  * https://ip.address.goes.here:8162
    * Check protocols and ciphers. The console connector uses Jetty's defaults unless restricted separately, so expect its list to differ from the transport's<code bash>sslscan --no-failed ip.address.goes.here:8162</code>
    * Ensure **insecure web portal is not reachable** via: http://ip.address.goes.here:8161 (the connection must be refused, not redirected)

Transport
  * Check secure transport port; sslscan should list only TLSv1.2 and the suites configured in activemq.xml<code bash>nc -i 3 -vw 3 ip.address.goes.here 5671

sslscan --no-failed ip.address.goes.here:5671</code>
  * Ensure **insecure transport port is not** reachable. 5672 is the stock cleartext amqp listener; repeat for 61616, 61613, 1883 and 61614 if those stock connectors were removed rather than secured<code bash>nc -i 3 -vw 3 ip.address.goes.here 5672</code>

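As an added example (my script, not the wiki's or ActiveMQ's), the listener matrix above expressed as a single probe: every port that must be TLS gets a handshake from a client that refuses anything below TLSv1.2 and the negotiated protocol and cipher are reported, and every port that must be closed has to refuse the TCP connection outright. Certificate verification is off by default because broker.ks above is assumed to be self-signed; pass the CA bundle as cafile once a CA-issued certificate is installed. The ports and the names probe and check_host are assumptions for this example.

```python
"""Live check of the listener matrix from the Verify section.

Added example, not part of ActiveMQ. Usage:
    python verify_activemq_ports.py ip.address.goes.here [cafile]
"""
import socket
import ssl
import sys

# Console 8162 and AMQP 5671 must speak TLS; the cleartext console (8161)
# and cleartext AMQP (5672) listeners must be gone.
EXPECTED = {8162: "tls", 5671: "tls", 8161: "closed", 5672: "closed"}


def probe(host, port, expect, timeout=3.0, cafile=None):
    """Check one port. Returns (ok, detail); expect is 'tls' or 'closed'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        if expect == "closed":
            return True, "closed (%s)" % type(e).__name__
        return False, "not reachable: %s" % e
    with sock:
        if expect == "closed":
            return False, "accepting connections but should be closed"
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLSv1.0/1.1 outright
        if cafile:
            ctx.load_verify_locations(cafile)
        else:
            ctx.check_hostname = False   # self-signed broker.ks, see docstring
            ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                version, cipher = tls.version(), tls.cipher()[0]
        except OSError as e:   # ssl.SSLError is an OSError; plain listeners land here too
            return False, "TLS handshake failed: %s" % (getattr(e, "reason", None) or e)
    # OpenSSL names: ECDHE-/DHE- prefixed suites give forward secrecy, AES256-SHA256 does not.
    forward_secret = cipher.startswith(("ECDHE", "DHE"))
    return True, "%s %s%s" % (version, cipher, "" if forward_secret else " (no forward secrecy)")


def check_host(host, expected=EXPECTED, cafile=None):
    """Probe every port in the matrix; returns {port: (ok, detail)}."""
    return {port: probe(host, port, expect, cafile=cafile) for port, expect in expected.items()}


if __name__ == "__main__":
    results = check_host(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    for port, (ok, detail) in sorted(results.items()):
        print("%s %5d %s" % ("PASS" if ok else "FAIL", port, detail))
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

A plain listener on a port that is supposed to be TLS fails the handshake rather than passing, which is the case nc alone cannot distinguish.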
----