The Apache ActiveMQ Web console is a web-based administration tool for Apache ActiveMQ. When you start a standalone broker instance using the script, bin/activemq[.bat], with the default configuration, conf/activemq.xml, the Web console is automatically enabled. After starting the broker, you can access the Web console by entering the following URL in your Web browser:
http://localhost:8161/admin
The Web console is hosted inside a Jetty server, which is configured by the Spring file, conf/jetty.xml. The conf/activemq.xml configuration file imports the jetty.xml file, using the following <import/> tag:
<beans ... >
    ...
    <import resource="jetty.xml"/>
</beans>
The Jetty server can be configured to enable HTTP basic authentication. Although the conf/jetty.xml file already includes most of the configuration required for basic authentication, the authentication feature is disabled by default. To enable it, search for the following line in the jetty.xml file:
<property name="authenticate" value="false" />
Edit the value attribute, changing its value to true.
<property name="authenticate" value="true" />
When you restart the broker, basic authentication will be enabled on the Web console. For example, you can log on using the credentials, username=admin, password=admin.
The Jetty user data are stored in the conf/jetty-realm.properties file, which you can edit to add user credentials and roles. Each user is defined on a separate line, which has the following format:
Username: Password[, Role01, Role02, ...]
For example, to define the user with username, jblogs, password, secret, and role, developer, you would add the following line to the jetty-realm.properties file:
jblogs: secret, developer
To enable SSL security on the Jetty server, edit the Connector bean in the conf/jetty.xml file. Instead of the SelectChannelConnector class, define the Connector bean to be an instance of the org.eclipse.jetty.server.ssl.SslSelectChannelConnector class. Specify the relevant properties of the SslSelectChannelConnector class in order to configure the Jetty server's HTTPS port.
Search for the existing definition of the Connector bean in the conf/jetty.xml file. In the default file, you should see some lines like the following:
<property name="connectors">
    <list>
        <bean id="Connector" class="org.eclipse.jetty.server.nio.SelectChannelConnector">
            <property name="port" value="8161" />
        </bean>
    </list>
</property>
Replace the preceding lines by the following lines:
<property name="connectors">
    <list>
        <bean id="Connector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
            <property name="port" value="8443" />
            <property name="maxIdleTime" value="30000"/>
            <property name="keystore" value="${activemq.home}/conf/broker.ks"/>
            <property name="password" value="testjetty"/>
            <property name="keyPassword" value="testjetty"/>
            <property name="truststore" value="${activemq.home}/conf/broker.ks"/>
        </bean>
    </list>
</property>
The SslSelectChannelConnector properties can be explained as follows:
port
Specifies the secure IP port number (accessible through HTTPS).
maxIdleTime
Specifies the connection idle time in units of milliseconds. If there is no activity on a connection for longer than this timeout, the connection will be closed.
keystore
Specifies the location of the Jetty server's own X.509 certificate, which is stored in a Java keystore file on the file system. The Jetty server uses this certificate to identify itself to a client, during the SSL handshake.
password
Specifies the store password, which is needed to unlock the keystore file (see Java Keystores).
keyPassword
Specifies the key password, which is used to decrypt the private key that is stored within the keystore file. Typically, the store password and the key password are identical (some SSL implementations even require this to be the case).
truststore
Specifies the location of a Java keystore file that contains a list of one or more trusted certificates, which can be used during the SSL handshake to check that incoming client certificates are correctly signed. In the current example, the truststore is actually irrelevant, because clients are not required to send a certificate to the Jetty server.
When SSL security is configured as shown, you can access the Web console through the HTTPS protocol using the following URL:
https://localhost:8443/admin
| Warning |
|---|
| The |
For more details about the properties you can set on the SslSelectChannelConnector class, see http://download.eclipse.org/jetty/stable-7/apidocs/org/eclipse/jetty/server/ssl/SslSocketConnector.html.
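The settings described on this page can be checked mechanically. The following Python script is an added example, not part of the original documentation or of ActiveMQ: it reports a jetty.xml that still has authenticate set to false, a Connector bean that is not an SslSelectChannelConnector, or a keystore password left at the testjetty value shown above, and it lists jetty-realm.properties users whose password equals their username (such as admin/admin). The sample inputs and the wrapper bean ids constraintExample and serverExample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on this page's snippets; wrapper bean ids are made up.
DEFAULT_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="constraintExample"><property name="authenticate" value="false" /></bean>
  <bean id="serverExample"><property name="connectors"><list>
    <bean id="Connector" class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      <property name="port" value="8161" /></bean>
  </list></property></bean>
</beans>"""
REALM = "# constructed sample\nadmin: admin, admin\njblogs: secret, developer\n"

def local(tag):
    """Strip an XML namespace so Spring files that declare xmlns still match."""
    return tag.rsplit("}", 1)[-1]

def props(bean):
    """Direct <property name=... value=.../> children of a bean, as a dict."""
    return {p.get("name"): p.get("value") for p in bean
            if local(p.tag) == "property" and p.get("value") is not None}

def audit_jetty_xml(xml_text):
    """Return findings for the authentication and connector settings."""
    findings = []
    beans = [e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "bean"]
    auth = [props(b)["authenticate"] for b in beans if "authenticate" in props(b)]
    if not auth or any(v.strip().lower() != "true" for v in auth):
        findings.append("basic authentication is disabled")
    for b in beans:
        if b.get("id") != "Connector":
            continue
        p = props(b)
        if not b.get("class", "").endswith(".SslSelectChannelConnector"):
            findings.append("console served over plain HTTP on port %s" % p.get("port"))
        elif "testjetty" in (p.get("password"), p.get("keyPassword")):
            findings.append("keystore still uses the documentation password")
    return findings

def audit_realm(text):
    """Parse 'Username: Password[, Role01, ...]' lines; list users whose password is their name."""
    weak = []
    for line in text.splitlines():
        user, sep, rest = line.strip().partition(":")
        if not sep or user.startswith("#"):
            continue
        if rest.split(",")[0].strip() == user.strip():
            weak.append(user.strip())
    return weak

if __name__ == "__main__":
    print(audit_jetty_xml(DEFAULT_XML), audit_realm(REALM))
```

To audit a real installation, pass the contents of conf/jetty.xml and conf/jetty-realm.properties to the two functions instead of the constructed samples.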