Hello list,
Since, according to the documentation, the PropertiesLogin JAAS module is not
recommended for production use, and .properties files are not synced in a
cluster environment, we are now searching for possible authentication
alternatives.
At first I thought of building a Keycloak cluster, but reading through the
documentation I found that there is such a thing as
ActiveMQBasicSecurityManager, which should be enough (our case: thousands of
external MQ clients, each using a different Artemis user, to separate their JMS
queue data).
Unfortunately the documentation is a bit scarce on examples of how exactly
ActiveMQBasicSecurityManager is configured, and an internet search returns almost
nothing, so I'm sorry in advance for the large number of questions.
1. Is it enough to configure <security-manager> in bootstrap.xml? Do I need
to remove the <jaas-security domain="activemq"/> line? Do I also somehow change
login.config? Currently it is configured to use the default PropertiesLogin JAAS
module.
2. How do I separate Hawtio authentication from broker authentication? Does
this mean I have to separate the default "activemq" realm, use that different realm
when starting Hawtio, and then change login.config so it includes both realms
using different authentication modules?
3. If the answer to the above is yes, is there an example somewhere of how
ActiveMQBasicSecurityManager is configured in login.config and what the
options are?
4. Can I use the same .properties file for both: to populate the
ActiveMQBasicSecurityManager bootstrap user credentials, and for Hawtio
authentication?
5. How do bootstrapUser and bootstrapPassword work in a cluster environment if
the bindings journal already contains the same user? Let's say I restart the primary
and the backup becomes live, but earlier I had changed the password via the
management API using other means. Should I set the bootstrapUser configuration in
all cluster nodes or just in the primary?
6. From our code perspective, can we still use
JMSManagementHelper.putOperationInvocation() with the "addUser" operation to
add/delete users dynamically, or do we need to use a different API?
7. Is there a tool to at least list all the users in the journal, or is this
only possible by calling some kind of API?
8. From the security perspective, are users' passwords in the bindings journal
properly hashed so that they cannot be retrieved if someone pokes at the data?
Thank you in advance for any pointers.
--
Best Regards,
Vilius Šumskas
Rivile
IT manager
+370 614 75713
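For reference, here is an added bootstrap.xml fragment illustrating the <security-manager> element that question 1 asks about. It is not from the post above or from the Artemis project; the bootstrapUser and bootstrapPassword keys are the ones the post names, while the class-name attribute and the bootstrapRole key are taken from my reading of the Artemis security documentation. The user, password and role values are constructed placeholders.

```xml
<!-- bootstrap.xml: replaces the <jaas-security domain="activemq"/> line.
     Values below are constructed placeholders, not real credentials. -->
<security-manager class-name="org.apache.activemq.artemis.spi.core.security.ActiveMQBasicSecurityManager">
   <!-- credentials of the initial administrative user stored in the broker's journal -->
   <property key="bootstrapUser" value="bootstrap-admin"/>
   <property key="bootstrapPassword" value="CHANGE-ME-placeholder"/>
   <!-- role granted to the bootstrap user; must match a role in broker.xml security-settings -->
   <property key="bootstrapRole" value="amq"/>
</security-manager>
```

Because the bootstrap password ends up in a file on every node it is configured on, treat bootstrap.xml like any other secret-bearing file (restrictive permissions, not committed to source control) and rotate that user's password through the management API once the cluster is up.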