Fuse Message Broker - Security Guide

	Note
In the current example, the truststore is actually irrelevant, because clients are not required to send a certificate to the Jetty server.

Web Console Security

Overview

The Fuse Message Broker Web console is a web-based administration tool for Fuse Message Broker. When you start a standalone broker instance with the default configuration, conf/activemq.xml, the Web console is automatically enabled. After starting the broker, you can access the Web console by entering the following URL in your Web browser:

http://localhost:8161/admin

The Web console is hosted inside a Jetty server, which is configured by the file conf/jetty.xml. The conf/activemq.xml configuration file imports the jetty.xml file.

The Jetty server can be configured to enable HTTP basic authentication. Although the conf/jetty.xml file already includes most of the configuration required for basic authentication, the authentication feature is disabled by default. To enable it, search for the following line in the jetty.xml file:

<property name="authenticate" value="false" />

Edit the value attribute, changing its value to true. The result should be similar to:

<property name="authenticate" value="true" />

When you restart the broker, basic authentication will be enabled on the Web console. For example, you can log on using the credentials, username=admin, password=admin.

Editing user credentials

The Jetty user data are stored in the conf/jetty-realm.properties file, which you can edit to add user credentials and roles. Each user is defined on a separate line, which has the following format:

Username: Password [, Role01, Role02, ... ]

For example, to define the user with username, jblogs, password, secret, and role, developer, you would add the following line to the jetty-realm.properties file:

jblogs: secret, developer

Enabling SSL security

To enable SSL security on the Jetty server, edit the Connector bean in the conf/jetty.xml file. Replace the org.eclipse.jetty.server.nio.SelectChannelConnector class with the org.eclipse.jetty.server.ssl.SslSelectChannelConnector class. Specify the relevant properties of the SslSelectChannelConnector class in order to configure the Jetty server's HTTPS port as shown in Example 3.10.

Example 3.10. SSL Enabled Web Console Configuration

<property name="connectors">
  <list>
    <bean id="Connector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <property name="port"        value="8443" />
      <property name="maxIdleTime" value="30000"/>
      <property name="keystore"    value="${activemq.home}/conf/broker.ks"/>
      <property name="password"    value="testjetty"/>
      <property name="keyPassword" value="testjetty"/>
      <property name="truststore"  value="${activemq.home}/conf/broker.ks"/>
    </bean>
  </list>
</property>

The SslSelectChannelConnector properties can be explained as follows:

port—specifies the secure IP port number (accessible through HTTPS).

maxIdleTime—specifies the connection idle time in milliseconds. If there is no activity on a connection for longer than this timeout, the connection will be closed.

keystore—specifies the location of the Jetty server's X.509 certificate, which is stored in a Java keystore file on the file system. The Jetty server uses this certificate to identify itself to a client, during the SSL handshake.

password—specifies the store password, which is needed to unlock the keystore file. See Java Keystores.
keyPassword—specifies the key password, which is used to decrypt the private key that is stored within the keystore file. Typically, the store password and the key password are identical. Some SSL implementations even require this to be the case.
truststore—specifies the location of a Java keystore file that contains a list of one or more trusted certificates, which can be used during the SSL handshake to check that incoming client certificates are correctly signed.
Note
In the current example, the truststore is actually irrelevant, because clients are not required to send a certificate to the Jetty server.

When SSL security is configured as shown, you can access the Web console through the HTTPS protocol using the URL https://localhost:8443/admin.

	Warning
	The `broker.ks` certificate used in the example is insecure. Anyone can access its private key. To secure your system properly, you must create new certificates signed by a trusted CA, as described in Managing Certificates.