qpid-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Qpid > Management Console Security
Date Mon, 28 Nov 2011 13:39:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/21/_/styles/combined.css?spaceKey=qpid&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/qpid/Management+Console+Security">Management
Console Security</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~k-wall">keith
wall</a>
    </h4>
        <br/>
                         <h4>Changes (1)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >h2. User Accounts &amp; Access
Rights <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >In order to access the management
operations via JMX, users must have an account and have been assigned appropriate access rights.
<span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">See
[Configuring Management Users]</span> <br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="ManagementConsoleSecurity-ManagementConsoleSecurity"></a>Management
Console Security</h1>

<div>
<ul>
    <li><a href='#ManagementConsoleSecurity-SSLencryptedRMI%280.5andabove%29'>SSL
encrypted RMI (0.5 and above)</a></li>
    <li><a href='#ManagementConsoleSecurity-JMXMP%28M4andprevious%29'>JMXMP (M4
and previous)</a></li>
    <li><a href='#ManagementConsoleSecurity-UserAccounts%26AccessRights'>User
Accounts &amp; Access Rights</a></li>
</ul></div>

<h2><a name="ManagementConsoleSecurity-SSLencryptedRMI%280.5andabove%29"></a>SSL
encrypted RMI (0.5 and above)</h2>

<p>Current versions of the broker use SSL encryption to secure their RMI-based JMX
ConnectorServer. SSL ships enabled by default, but the test keystore used during development
is deliberately not provided: anyone could obtain it, so using it would offer no
security at all.</p>

<h3><a name="ManagementConsoleSecurity-BrokerConfiguration"></a>Broker Configuration</h3>

<p>The broker configuration must be updated before the broker will start. This can be
done by disabling the SSL support, by using a purchased SSL certificate to create a keystore
of your own, or by using the example 'create-example-ssl-stores' script in the broker's
bin/ directory to generate a self-signed keystore.</p>

<p>The broker must be configured with a keystore containing the private and public keys
associated with its SSL certificate. This is accomplished by setting the Java system
properties <em>javax.net.ssl.keyStore</em> and <em>javax.net.ssl.keyStorePassword</em>
to the location and password, respectively, of an appropriate SSL keystore. Entries for these
properties exist in the broker's main configuration file alongside the other management settings
(see below), although the command line options still work and take precedence over the
configuration file.</p>

<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>&lt;management&gt;
    &lt;ssl&gt;
        &lt;enabled&gt;true&lt;/enabled&gt;
        &lt;!-- Update below path to your keystore location, eg ${conf}/qpid.keystore
 --&gt;
        &lt;keyStorePath&gt;${prefix}/../test_resources/ssl/keystore.jks&lt;/keyStorePath&gt;
        &lt;keyStorePassword&gt;password&lt;/keyStorePassword&gt;
    &lt;/ssl&gt;
&lt;/management&gt;
</pre>
</div></div>

<h3><a name="ManagementConsoleSecurity-JMXManagementConsoleConfiguration"></a>JMX
Management Console Configuration</h3>

<p>If the broker uses an SSL certificate signed by a known signing CA (Certification
Authority), the management console needs no extra configuration and will use Java's
built-in CA truststore for certificate verification (you may, however, have to update the
system-wide default truststore if your CA is not already present in it).</p>

<p>If, however, you wish to use a self-signed SSL certificate, then the management console
must be provided with an SSL truststore containing an entry for that certificate so that
it can validate the certificate when the broker presents it. This is done by setting the <em>javax.net.ssl.trustStore</em>
and <em>javax.net.ssl.trustStorePassword</em> system properties when starting
the console. This can be done at the command line, or alternatively an example configuration
has been provided in the console's qpidmc.ini launcher configuration file that may be pre-configured
in advance for repeated use. See the <a href="/confluence/display/qpid/Qpid+JMX+Management+Console+User+Guide"
title="Qpid JMX Management Console User Guide">User Guide</a> for more information
on this configuration process.</p>
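<p>As an added example (not part of the original page or of the Qpid project's code), the following Java client connects to the broker's SSL-protected RMI JMX connector using exactly the two truststore properties described above, and recognises the handshake failure that a missing or wrong truststore produces. The service URL, account, truststore path and passwords are placeholders, not values from the page.</p>

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.net.ssl.SSLHandshakeException;

public class SslJmxClient {
    /**
     * Opens a JMX connection to a broker whose RMI connector is SSL-protected. Setting the
     * two javax.net.ssl.* properties here is equivalent to the -D flags in qpidmc.ini.
     */
    public static JMXConnector connect(String serviceUrl, String user, String password,
                                       String trustStorePath, String trustStorePassword)
            throws IOException {
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        // The management account is passed as a String[2] under the standard CREDENTIALS key.
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { user, password });

        // No client socket factory is set: the stub fetched from the RMI registry already
        // carries the server's SslRMIClientSocketFactory, so the only client-side need is a
        // truststore holding the broker's certificate (or the CA that signed it).
        return JMXConnectorFactory.connect(new JMXServiceURL(serviceUrl), env);
    }

    /** True if the failure is the handshake error a missing or wrong truststore produces. */
    static boolean isUntrustedCertificate(IOException e) {
        for (Throwable t = e; t != null; t = t.getCause()) {
            if (t instanceof SSLHandshakeException) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders (assumed, not from the page): your broker's JMX URL, account, truststore.
        String url = "service:jmx:rmi:///jndi/rmi://broker.example.com:8999/jmxrmi";
        try (JMXConnector c = connect(url, "admin", "secret", "/path/to/console.truststore", "changeit")) {
            MBeanServerConnection mbsc = c.getMBeanServerConnection();
            System.out.println("Connected; MBeans visible: " + mbsc.getMBeanCount());
        } catch (IOException e) {
            if (!isUntrustedCertificate(e)) throw e;
            System.err.println("Broker certificate not trusted; add it to the truststore: " + e);
        }
    }
}
```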


<h3><a name="ManagementConsoleSecurity-JConsoleConfiguration"></a>JConsole
Configuration</h3>

<p>As with the JMX Management Console above, if the broker uses a self-signed SSL
certificate then, in order to connect remotely using JConsole, an appropriate truststore must
be provided at startup. See <a href="/confluence/display/qpid/JConsole" title="JConsole">JConsole</a>
for further details on configuration.</p>


<h3><a name="ManagementConsoleSecurity-AdditionalInformation"></a>Additional
Information</h3>

<p>More information on Java's handling of SSL certificate verification and customizing
the keystores can be found in the <a href="http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores"
class="external-link" rel="nofollow">JSSE Reference Guide </a>.</p>


<h2><a name="ManagementConsoleSecurity-JMXMP%28M4andprevious%29"></a>JMXMP
(M4 and previous)</h2>

<p>In previous releases of Qpid (M4 and below) the broker can make use of Sun's Java
Management Extensions Messaging Protocol (JMXMP) to encrypt the JMX connection,
offering increased security over the default unencrypted RMI-based JMX connection.</p>

<h3><a name="ManagementConsoleSecurity-DownloadandInstall"></a>Download
and Install</h3>

<p>This is made possible by adding the jmxremote_optional.jar provided by Sun. This jar
is covered by the Sun Binary Code License, which is not compatible with the Apache License;
that is why this component is not bundled with Qpid.</p>

<p>Download the JMX Remote API 1.0.1_04 Reference Implementation from <a href="http://java.sun.com/javase/technologies/core/mntr-mgmt/javamanagement/download.jsp"
class="external-link" rel="nofollow">here</a>. The included 'jmxremote-1_0_1-bin\lib\jmxremote_optional.jar'
file must be added to the broker classpath:</p>

<p>First set your classpath to something like this:</p>

<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>CLASSPATH=jmxremote_optional.jar
</pre>
</div></div>

<p>Then, run qpid-server passing the following additional flag:</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>qpid-server -run:external-classpath=first
</pre>
</div></div>


<p>Following this, the configuration option can be updated to enable use of the JMXMP-based
JMXConnectorServer.</p>

<h3><a name="ManagementConsoleSecurity-BrokerConfiguration"></a>Broker Configuration</h3>
<p>To enable this security option, change the <em>security-enabled</em>
value in your broker configuration file.</p>

<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>    &lt;management&gt;
        &lt;security-enabled&gt;true&lt;/security-enabled&gt;
    &lt;/management&gt;
</pre>
</div></div>

<p>You may also (for M2 and earlier) need to set the following system properties using
the environment variable QPID_OPTS:</p>

<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre>QPID_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
</pre>
</div></div>

<h3><a name="ManagementConsoleSecurity-JMXManagementConsoleConfiguration"></a>JMX
Management Console Configuration</h3>

<p>If you wish to connect to a broker configured to use JMXMP, the console also
requires the optional parts of the JMX Remote API that are not included in
the Java SE platform.</p>

<p>To make it available to the console, place the 'jmxremote_optional.jar' file
(renaming it if the downloaded file name carries any additional information) within
the 'plugins/jmxremote.sasl_1.0.1/' folder of the console release (on Mac OS X you will need
to select 'Show package contents' from the context menu while the management console
bundle is selected in order to reveal the inner file tree).</p>

<p>Following this, the console will automatically load the JMX Remote Optional classes
and attempt a JMXMP connection when connecting to a JMXMP-enabled broker.</p>

<h2><a name="ManagementConsoleSecurity-UserAccounts%26AccessRights"></a>User
Accounts &amp; Access Rights</h2>

<p>In order to access the management operations via JMX, users must have an account
and have been assigned appropriate access rights.</p>
    </div>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href="https://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
        </div>
        <a href="https://cwiki.apache.org/confluence/display/qpid/Management+Console+Security">View
Online</a>
        |
        <a href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=90843&revisedVersion=18&originalVersion=17">View
Changes</a>
                |
        <a href="https://cwiki.apache.org/confluence/display/qpid/Management+Console+Security?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:commits-subscribe@qpid.apache.org

