I'm talking about single master/slave pair using NFS as shared storage.
--
Vilius
-----Original Message-----
From: Justin Bertram <[email protected]>
Sent: Thursday, March 24, 2022 6:25 PM
To: [email protected]
Subject: Re: ActiveMQBasicSecurityManager configuration examples
When you say "cluster environment" are you talking about multiple master
brokers or just a single master/slave pair? ActiveMQBasicSecurityManager only
provides synchronization between master/slave pairs. It doesn't provide any
synchronization for multiple master brokers. You'd need to use a centralized
repository for that (e.g. LDAP).
Justin
On Thu, Mar 24, 2022 at 11:01 AM Vilius Šumskas <[email protected]>
wrote:
> Hello list,
>
> since, according to documentation, PropertiesLogin JAAS module is not
> recommended for production use, and .properties files are not synched
> in a cluster environment, we are now searching for possible
> authentication alternatives.
>
> At first I thought to build a Keycloak cluster, but reading through
> documentation I found that there is such a thing as
> ActiveMQBasicSecurityManager which should be enough (our case:
> thousands of external MQ clients using different Artemis user each, to
> separate their JMS queue data).
>
> Unfortunately documentation is a bit scarce on examples of how
> exactly ActiveMQBasicSecurityManager is configured, and an internet
> search returns almost nothing, so I’m sorry in advance for a lot of questions.
>
> 1. Is it enough to configure <security-manager> in bootstrap.xml?
> Do I need to remove <jaas-security domain="activemq"/> line? Do I also
> somehow change login.config? Currently it is configured to use default
> PropertiesLogin JAAS module.
> 2. How do I separate Hawtio authentication from broker authentication?
> Does this mean I have to separate default “activemq” realm, use that
> different realm when starting Hawtio and then change login.config so
> it includes both realms using different authentication modules?
> 3. If the above answer is yes, is there an example somewhere how
> ActiveMQBasicSecurityManager is configured in login.config and what
> are the options?
> 4. Can I use the same .properties file for both populating the
> ActiveMQBasicSecurityManager bootstrap user credentials and Hawtio
> authentication?
> 5. How do bootstrapUser and bootstrapPassword work in a cluster
> environment if the binding journal already contains the same user? Let’s
> say I restart primary and backup becomes live, but earlier I have
> changed the password via management API using other means? Should I
> set bootstrapUser configuration in all cluster nodes or just in primary?
> 6. From our code perspective, can we still use
> JMSManagementHelper.putOperationInvocation() with "addUser" operation
> to add/delete users dynamically, or do we need to use different API?
> 7. Is there a tool to at least list all the users in the journal,
> or is this only possible by calling some kind of API?
> 8. From the security perspective, are users’ passwords in binding
> journal properly hashed and cannot be retrieved if someone pokes at
> the data?
>
> Thank you in advance for any pointers.
>
> --
> Best Regards,
>
> Vilius Šumskas
> Rivile
> IT manager
> +370 614 75713
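For question 1, the shape of the `<security-manager>` element in bootstrap.xml, as an added illustration that is not configuration posted in this thread or taken from an Artemis instance; the class name and the `bootstrapRole` key come from the Artemis security documentation, while the user, password and role values are placeholders:

```xml
<!-- bootstrap.xml (excerpt, added example with placeholder values).
     Inside <broker>, the line <jaas-security domain="activemq"/> is replaced
     by this <security-manager> element; users and roles are then kept in the
     broker's bindings journal instead of the .properties files, so login.config
     is no longer consulted for broker authentication. -->
<security-manager class-name="org.apache.activemq.artemis.spi.core.security.ActiveMQBasicSecurityManager">
   <!-- Placeholder credentials: the bootstrap user only exists to seed the
        journal with one account that can call the management API; change
        the password through that API afterwards and keep this file out of
        version control, since it holds the initial secret in clear text. -->
   <property key="bootstrapUser" value="CHANGE_ME_ADMIN"/>
   <property key="bootstrapPassword" value="CHANGE_ME_PASSWORD"/>
   <!-- The role named here must be granted permissions in the
        <security-settings> section of broker.xml, as for any other role. -->
   <property key="bootstrapRole" value="amq"/>
</security-manager>
```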