1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
|
<?xml version="1.0" encoding="utf-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section><title>
Management Console Security
</title><section role="h1" id="ManagementConsoleSecurity-ManagementConsoleSecurity"><title>
Management
Console Security
</title>
<itemizedlist>
<listitem><para>
<xref linkend="ManagementConsoleSecurity-SSLencryptedRMI-280.5andabove-29"/>
</para></listitem>
<listitem><para>
<xref linkend="ManagementConsoleSecurity-JMXMP-28M4andprevious-29"/>
</para></listitem>
<listitem><para>
<xref linkend="ManagementConsoleSecurity-UserAccounts-26AccessRights"/>
</para></listitem>
</itemizedlist>
<section role="h2" id="ManagementConsoleSecurity-SSLencryptedRMI-280.5andabove-29"><title>
SSL
encrypted RMI (0.5 and above)
</title>
<para>
Current versions of the broker make use of SSL encryption to
secure their RMI based JMX ConnectorServer for security purposes.
This ships enabled by default, although the test SSL keystore
used during development is not provided for security reasons
(using this would provide no security as anyone could have access
to it).
</para><section role="h3" id="ManagementConsoleSecurity-BrokerConfiguration"><title>
Broker
Configuration
</title>
<para>
The broker configuration must be updated before the broker will
start. This can be done either by disabling the SSL support,
utilizing a purchased SSL certificate to create a keystore of
your own, or using the example 'create-example-ssl-stores' script
in the brokers bin/ directory to generate a self-signed keystore.
</para><para>
The broker must be configured with a keystore containing the
private and public keys associated with its SSL certificate. This
is accomplished by setting the Java environment properties
<emphasis>javax.net.ssl.keyStore</emphasis> and
<emphasis>javax.net.ssl.keyStorePassword</emphasis> respectively with the
location and password of an appropriate SSL keystore. Entries for
these properties exist in the brokers main configuration file
alongside the other management settings (see below), although the
command line options will still work and take precedence over the
configuration file.
</para>
<programlisting>
<management>
<ssl>
<enabled>true</enabled>
<!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
<keyStorePath>${prefix}/../test_resources/ssl/keystore.jks</keyStorePath>
<keyStorePassword>password</keyStorePassword>
</ssl>
</management>
</programlisting>
<!--h3--></section>
<section role="h3" id="ManagementConsoleSecurity-JMXManagementConsoleConfiguration"><title>
JMX
Management Console Configuration
</title>
<para>
If the broker makes use of an SSL certificate signed by a known
signing CA (Certification Authority), the management console
needs no extra configuration, and will make use of Java's
built-in CA
truststore for certificate verification (you may however have to
update the system-wide default truststore if your CA is not
already present in it).
</para><para>
If however you wish to use a self-signed SSL certificate, then
the management console must be provided with an SSL truststore
containing a record for the SSL certificate so that it is able to
validate it when presented by the broker. This is performed by
setting the <emphasis>javax.net.ssl.trustStore</emphasis> and
<emphasis>javax.net.ssl.trustStorePassword</emphasis> environment variables
when starting the console. This can be done at the command line,
or alternatively an example configuration has been made within
the console's qpidmc.ini launcher configuration file that may
pre-configured in advance for repeated usage. See the <xref linkend="Qpid-JMX-Management-Console-User-Guide"/> for more
information on this configuration process.
</para>
<!--h3--></section>
<section role="h3" id="ManagementConsoleSecurity-JConsoleConfiguration"><title>
JConsole
Configuration
</title>
<para>
As with the JMX Management Console above, if the broker is using
a self-signed SSL certificate then in order to connect remotely
using JConsole, an appropriate trust store must be provided at
startup. See <xref linkend="qpid_JConsole"/> for further details on configuration.
</para>
<!--h3--></section>
<section role="h3" id="ManagementConsoleSecurity-AdditionalInformation"><title>
Additional
Information
</title>
<para>
More information on Java's handling of SSL certificate
verification and customizing the keystores can be found in the
<ulink url="http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores">http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores</ulink>.
</para>
<!--h3--></section>
<!--h2--></section>
<section role="h2" id="ManagementConsoleSecurity-JMXMP-28M4andprevious-29"><title>
JMXMP
(M4 and previous)
</title>
<para>
In previous releases of Qpid (M4 and below) the broker, can make
use of Sun's Java Management Extensions Messaging Protocol
(JMXMP) to provide encryption of the JMX connection, offering
increased security over the default unencrypted RMI based JMX
connection.
</para><section role="h3" id="ManagementConsoleSecurity-DownloadandInstall"><title>
Download and
Install
</title>
<para>
This is possible by adding the jmxremote_optional.jar as provided
by Sun. This jar is covered by the Sun Binary Code License and is
not compatible with the Apache License which is why this
component is not bundled with Qpid.
</para><para>
Download the JMX Remote API 1.0.1_04 Reference Implementation
from <xref linkend="qpid_download.jsp"/>. The included
'jmxremote-1_0_1-bin\lib\jmxremote_optional.jar' file must be
added to the broker classpath:
</para><para>
First set your classpath to something like this:
</para>
<programlisting>
CLASSPATH=jmxremote_optional.jar
</programlisting>
<para>
Then, run qpid-server passing the following additional flag:
</para>
<programlisting>
qpid-server -run:external-classpath=first
</programlisting>
<para>
Following this the configuration option can be updated to enabled
use of the JMXMP based JMXConnectorServer.
</para>
<!--h3--></section>
<section role="h3" id="ManagementConsoleSecurity-BrokerConfiguration2"><title>
Broker
Configuration
</title>
<para>
To enabled this security option change the
<emphasis>security-enabled</emphasis> value in your broker configuration
file.
</para>
<programlisting>
<management>
<security-enabled>true</security-enabled>
</management>
</programlisting>
<para>
You may also (for M2 and earlier) need to set the following
system properties using the environment variable QPID_OPTS:
</para><para>
QPID_OPTS="-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=8999
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false"
</para>
<!--h3--></section>
<section role="h3" id="ManagementConsoleSecurity-JMXManagementConsoleConfiguration-2"><title>
JMX
Management Console Configuration
</title>
<para>
If you wish to connect to a broker configured to use JMXMP then
the console also requires provision of the Optional sections of
the JMX Remote API that are not included within the JavaSE
platform.
</para><para>
In order to make it available to the console, place the
'jmxremote_optional.jar' (rename the file if any additional
information is present in the file name) jar file within the
'plugins/jmxremote.sasl_1.0.1/' folder of the console release (on
Mac OS X you will need to select 'Show package contents' from the
context menu whilst selecting the management console bundle in
order to reveal the inner file tree).
</para><para>
Following the the console will automatically load the JMX Remote
Optional classes and attempt the JMXMP connection when connecting
to a JMXMP enabled broker.
</para>
<!--h3--></section>
<!--h2--></section>
<section role="h2" id="ManagementConsoleSecurity-UserAccounts-26AccessRights"><title>
User
Accounts & Access Rights
</title>
<para>
In order to access the management operations via JMX, users must
have an account and have been assigned appropriate access rights.
See <xref linkend="qpid_Configuring-Management-Users"/>
</para>
<!--h2--></section>
<!--h1--></section>
</section>
|
