Given below is an overview of how some common security concepts are implemented in Apache ActiveMQ.
Security Concept | How it is Implemented |
---|---|
Authentication | Simple authentication and JAAS plugins. |
Authorization | Built-in authorization mechanism using XML configuration. |
Availability | Master/Slave configurations using fail-over transport in ActiveMQ (not to be confused with WSO2 ESB transports). |
Integrity | WS-Security |
Authentication
Simple Authentication: ActiveMQ comes with an authentication plugin, which provides basic authentication between the ActiveMQ JMS and the WSO2 ESB. The steps below describe how to configure.
1. Add the following configuration in <ACTIVEMQ_HOME>/conf/activemq-security.xml file.
<simpleAuthenticationPlugin anonymousAccessAllowed="true"> <users> <authenticationUser username="system" password="${activemq.password}" groups="users,admins"/> <authenticationUser username="user" password="${guest.password}" groups="users"/> <authenticationUser username="guest" password="${guest.password}" groups="guests"/> </users> </simpleAuthenticationPlugin>
2. Edit <ACTIVEMQ_HOME>/conf/credentials.properties file for plain-text version or <ACTIVEMQ_HOME>/conf/credentials-enc.properties file for encrypted version to define the username and password lists referenced in the configuration above.
Th e anonymousAccessAllowed attribute defines whether or not to allow anonymous access. The groups and users defined in step 1 are used to provide authorization schemes. Refer to section Authorization for more information.
3. Ensure that the <transportReceiver> element below is added in < ESB_HOME>/repository/conf/axis2/axis2.xml file.
<transportReceiver name="jms" class="org.apache.axis2.transport.jms.JMSListener"> <parameter name="myTopicConnectionFactory" locked="false"> <parameter name="java.naming.factory.initial" locked="false">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter> <parameter name="java.naming.provider.url" locked="false">tcp://localhost:61616</parameter> <parameter name="transport.jms.UserName">system</parameter> <parameter name="transport.jms.Password">manager</parameter> <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">TopicConnectionFactory</parameter> <parameter name="transport.jms.ConnectionFactoryType" locked="false">topic</parameter> </parameter> <parameter name="myQueueConnectionFactory" locked="false"> <parameter name="java.naming.factory.initial" locked="false">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter> <parameter name="java.naming.provider.url" locked="false">tcp://localhost:61616</parameter> <parameter name="transport.jms.UserName">system</parameter> <parameter name="transport.jms.Password">manager</parameter> <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">QueueConnectionFactory</parameter> <parameter name="transport.jms.ConnectionFactoryType" locked="false">queue</parameter> </parameter> <parameter name="default" locked="false"> <parameter name="java.naming.factory.initial" locked="false">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter> <parameter name="java.naming.provider.url" locked="false">tcp://localhost:61616</parameter> <parameter name="transport.jms.UserName">system</parameter> <parameter name="transport.jms.Password">manager</parameter> <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">QueueConnectionFactory</parameter> <parameter name="transport.jms.ConnectionFactoryType" locked="false">queue</parameter> </parameter> </transportReceiver>
Lines similar to the following contain the username and password configured in ActiveMQ.
<parameter name="transport.jms.UserName">system</parameter> <parameter name="transport.jms.Password">manager</parameter>
Infor
For more advanced authentication schemes that use JAAS which are supported in ActiveMQ, refer to the official ActiveMQ documentation here: http://activemq.apache.org/security.html
Authorization
ActiveMQ provides authorization schemes using simple XML configurations, which you can apply to the users defined in the authentication plugin. To setup authorization, ensure you have the following configuration in <ACTIVEMQ_HOME>/conf/activemq-sequrity.xml file.
<authorizationPlugin> <map> <authorizationMap> <authorizationEntries> <authorizationEntry queue=">" read="admins" write="admins" admin="admins" /> <authorizationEntry queue="USERS.>" read="users" write="users" admin="users" /> <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" /> <authorizationEntry queue="TEST.Q" read="guests" write="guests" /> <authorizationEntry topic=">" read="admins" write="admins" admin="admins" /> <authorizationEntry topic="USERS.>" read="users" write="users" admin="users" /> <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" /> <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/> </authorizationEntries> </authorizationMap> </map> </authorizationPlugin>
Infor
Availability
ActiveMQ supports the use of master/slave and fail-over transport to provide high-availability. ActiveMQ supports two types of master/slave configurations as follows:
- Master/slave using shared file systems
- Master/slave using JDBC
Infor
We explore the second option here.
Master/slave using JDBC
ActiveMQ uses a special URI similar to the following to facilitate fail-over functionality: failover://(tcp://127.0.0.1:61616,tcp://127.0.0.1:61617,tcp://127.0.0.1:61618)?initialReconnectDelay=100. Use this URI inside WSO2 ESB for a highly-available JMS solution.
To create proxy services, sequences, endpoints, message stores, processors etc. in ESB, you can either use the management console or copy the XML configuration to the source view. You can find the source view under menu Manage > Service Bus > Source View in the left navigation pane of the WSO2 ESB management console. Alternatively, you can add an XML file to <ESB_HOME>/repository/deployment/server/synapse-configs/default/proxy-services.
A sample WSO2 ESB Proxy service for this setup is given below.
<proxy xmlns="http://ws.apache.org/ns/synapse" name="FailOverJMS" transports="http" startOnLoad="true" trace="disable"> <target> <inSequence> <log level="full"/> <property name="OUT_ONLY" value="true" scope="default"/> <clone> <target> <endpoint> <address uri="jms:/OMS?transport.jms.ConnectionFactoryJNDIName=QueueConnectionFactory&java.naming.factory.initial=org.apache.activemq.jndi.ActiveMQInitialContextFactory&java.naming.provider.url=failover:(tcp://localhost:61616,tcp://localhost:61617)?randomize=false&transport.jms.DestinationType=queue"/> </endpoint> </target> </clone> </inSequence> </target> <publishWSDL key="gov:/services/FileService.wsdl"> <resource location="Message.xsd" key="gov:/services/Message.xsd"/> </publishWSDL> </proxy>
Note java.naming.provider.url=failover:(tcp://localhost:61616,tcp://localhost:61617)?randomize=false
inside the address endpoint uri attribute. The randomize=false
parameter makes this setup follow a prioritized fail-over configuration, which means when the first instance fails, it moves to the next. For more information on ActiveMQ fail-over transport and its parameters, refer to ActiveMQ documentation here: http://activemq.apache.org/failover-transport-reference.html.
Integrity
Integrity is part of message-level security, and can be implemented using a standard like WS-Security. Following sample shows the application of WS-Security for message-level encryption where messages are stored in a message store in WSO2 ESB.
<definitions xmlns="http://ws.apache.org/ns/synapse"> <localEntry key="sec_policy" src="file:repository/samples/resources/policy/policy_3.xml"/> <in> <send> <endpoint> <address uri="jms:/StockQuoteJmsProxy2?transport.jms.ConnectionFactoryJNDIName=QueueConnectionFactory&java.naming.factory.initial=org.apache.activemq.jndi.ActiveMQInitialContextFactory&java.naming.provider.url=tcp://localhost:61616"> <enableSec policy="sec_policy"/> <enableAddressing/> </address> </endpoint> </send> </in> <out> <header name="wsse:Security" action="remove" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/> <send/> </out> </definitions>