This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Security in Apache ActiveMQ

Owned by Rukshani Weerasinha (Unlicensed)
Jun 03, 2014
6 min read

Given below is an overview of how some common security concepts are implemented in Apache ActiveMQ.

Security ConceptHow it is Implemented
Authentication Simple authentication and JAAS plugins.
Authorization Built-in authorization mechanism using XML configuration.
Availability Master/Slave configurations using fail-over transport in ActiveMQ (not to be confused with WSO2 ESB transports). 
IntegrityWS-Security

Authentication

Simple Authentication: ActiveMQ comes with an authentication plugin, which provides basic authentication between the ActiveMQ JMS and the WSO2 ESB. The steps below describe how to configure.  

1. Add the following configuration in <ACTIVEMQ_HOME>/conf/activemq-security.xml file. 

<simpleAuthenticationPlugin anonymousAccessAllowed="true">
           <users>
               <authenticationUser username="system" password="${activemq.password}"
                   groups="users,admins"/>
               <authenticationUser username="user" password="${guest.password}"
                   groups="users"/>
               <authenticationUser username="guest" password="${guest.password}" groups="guests"/>
           </users> 

</simpleAuthenticationPlugin>

2. Edit <ACTIVEMQ_HOME>/conf/credentials.properties file for plain-text version or <ACTIVEMQ_HOME>/conf/credentials-enc.properties file for encrypted version to define the username and password lists referenced in the configuration above.
 
Th e anonymousAccessAllowed attribute defines whether or not to allow anonymous access. The groups and users defined in step 1 are used to provide authorization schemes. Refer to section Authorization for more information.

3. Ensure that the <transportReceiver> element below is added in < ESB_HOME>/repository/conf/axis2/axis2.xml file.

<transportReceiver name="jms" class="org.apache.axis2.transport.jms.JMSListener">
       <parameter name="myTopicConnectionFactory" locked="false">
           <parameter name="java.naming.factory.initial" locked="false">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
           <parameter name="java.naming.provider.url" locked="false">tcp://localhost:61616</parameter>
              <parameter name="transport.jms.UserName">system</parameter>
               <parameter name="transport.jms.Password">manager</parameter>
            <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">TopicConnectionFactory</parameter>
            <parameter name="transport.jms.ConnectionFactoryType" locked="false">topic</parameter>
       </parameter>

       <parameter name="myQueueConnectionFactory" locked="false">
           <parameter name="java.naming.factory.initial" locked="false">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
           <parameter name="java.naming.provider.url" locked="false">tcp://localhost:61616</parameter>
               <parameter name="transport.jms.UserName">system</parameter>
               <parameter name="transport.jms.Password">manager</parameter>
           <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">QueueConnectionFactory</parameter>
            <parameter name="transport.jms.ConnectionFactoryType" locked="false">queue</parameter>
       </parameter>

       <parameter name="default" locked="false">
           <parameter name="java.naming.factory.initial" locked="false">org.apache.activemq.jndi.ActiveMQInitialContextFactory</parameter>
           <parameter name="java.naming.provider.url" locked="false">tcp://localhost:61616</parameter>
              <parameter name="transport.jms.UserName">system</parameter>
               <parameter name="transport.jms.Password">manager</parameter>
           <parameter name="transport.jms.ConnectionFactoryJNDIName" locked="false">QueueConnectionFactory</parameter>
            <parameter name="transport.jms.ConnectionFactoryType" locked="false">queue</parameter>
       </parameter>
</transportReceiver>

Lines similar to the following contain the username and password configured in ActiveMQ. 

<parameter name="transport.jms.UserName">system</parameter> 
<parameter name="transport.jms.Password">manager</parameter>

Infor

For more advanced authentication schemes that use JAAS which are supported in ActiveMQ, refer to the official ActiveMQ documentation here: http://activemq.apache.org/security.html  

Authorization 

ActiveMQ provides authorization schemes using simple XML configurations, which you can apply to the users defined in the authentication plugin. To setup authorization, ensure you have the following configuration in <ACTIVEMQ_HOME>/conf/activemq-sequrity.xml file.

<authorizationPlugin>
 <map>
  <authorizationMap>
    <authorizationEntries>
      <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
      <authorizationEntry queue="USERS.>" read="users" write="users" admin="users" />
      <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
 
      <authorizationEntry queue="TEST.Q" read="guests" write="guests" />
 
      <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
      <authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
      <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
 
      <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
    </authorizationEntries>
  </authorizationMap>
 </map>
</authorizationPlugin>


Infor

This configuration defines role-based authorization on queues and topics, and uses ActiveMQ wildcards. For information on    wildcards, refer to ActiveMQ documentation here: http://activemq.apache.org/wildcards.html .

Availability

ActiveMQ supports the use of master/slave and fail-over transport to provide high-availability. ActiveMQ supports two types of master/slave configurations as follows:

  • Master/slave using shared file systems
  • Master/slave using JDBC

Infor

For more information on either model, refer to ActiveMQ documentation on master/slave here: http://activemq.apache.org/masterslave.html.

We explore the second option here.

Master/slave using JDBC

ActiveMQ uses a special URI similar to the following to facilitate fail-over functionality: failover://(tcp://127.0.0.1:61616,tcp://127.0.0.1:61617,tcp://127.0.0.1:61618)?initialReconnectDelay=100. Use this URI inside WSO2 ESB for a highly-available JMS solution.

To create proxy services, sequences, endpoints, message stores, processors etc. in ESB, you can either use the management console or copy the XML configuration to the source view. You can find the source view under menu Manage > Service Bus > Source View in the left navigation pane of the WSO2 ESB management console. Alternatively, you can add an XML file  to <ESB_HOME>/repository/deployment/server/synapse-configs/default/proxy-services.

A sample WSO2 ESB Proxy service for this setup is given below.     

<proxy xmlns="http://ws.apache.org/ns/synapse" name="FailOverJMS"
transports="http" startOnLoad="true" trace="disable">
   <target>
       <inSequence>
           <log level="full"/>
           <property name="OUT_ONLY" value="true" scope="default"/>
           <clone>
               <target>
                   <endpoint>
               <address                         uri="jms:/OMS?transport.jms.ConnectionFactoryJNDIName=QueueConnectionFactory&amp;java.naming.factory.initial=org.apache.activemq.jndi.ActiveMQInitialContextFactory&amp;java.naming.provider.url=failover:(tcp://localhost:61616,tcp://localhost:61617)?randomize=false&amp;transport.jms.DestinationType=queue"/>
           </endpoint>
               </target>
           </clone>
       </inSequence>
   </target>
   <publishWSDL key="gov:/services/FileService.wsdl">
       <resource location="Message.xsd" key="gov:/services/Message.xsd"/>
   </publishWSDL>
</proxy>

Note java.naming.provider.url=failover:(tcp://localhost:61616,tcp://localhost:61617)?randomize=false inside the address endpoint uri attribute. The randomize=false parameter makes this setup follow a prioritized fail-over configuration, which means when the first instance fails, it moves to the next. For more information on ActiveMQ fail-over transport and its parameters, refer to ActiveMQ documentation here: http://activemq.apache.org/failover-transport-reference.html.

Integrity

Integrity is part of message-level security, and can be implemented using a standard like WS-Security. Following sample shows the application of WS-Security for message-level encryption where messages are stored in a message store in WSO2 ESB.

<definitions xmlns="http://ws.apache.org/ns/synapse">
   <localEntry key="sec_policy" src="file:repository/samples/resources/policy/policy_3.xml"/>

   <in>
       <send>
           <endpoint>
        <address uri="jms:/StockQuoteJmsProxy2?transport.jms.ConnectionFactoryJNDIName=QueueConnectionFactory&java.naming.factory.initial=org.apache.activemq.jndi.ActiveMQInitialContextFactory&java.naming.provider.url=tcp://localhost:61616">
                 <enableSec policy="sec_policy"/>
                   <enableAddressing/>
               </address>
           </endpoint>
       </send>
   </in>
   <out>
       <header name="wsse:Security" action="remove"      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
       <send/>
   </out>
</definitions>