Starting from version 5.9.0, ActiveMQ is shipped with the hawt.io web console.
Out of the box, the access credentials are admin:admin; instructions are at: $ACTIVEMQ_HOME/docs/WebConsole-README.txt.
To enable LDAP-based authorization, you need to modify the JAAS configuration file (default: $ACTIVEMQ_HOME/conf/login.config) and a couple of Java Additional Parameters ($ACTIVEMQ_OPTS), which can be specified in various places, wrapper.conf for example.
You also need a Java LDAP library: ldaptive. Copy the newest ldaptive jar file from http://www.ldaptive.org/download into your $ACTIVEMQ_HOME/lib.
login.config
The login.config should look like:
The cn=hawtio,ou=agents,dc=example,dc=org is a principal allowed to browse the groups' memberships.
Users allowed to access hawt.io have to be members of the cn=the_admins_group,ou=groups,dc=example,dc=org group.
The LDAP server is ldap.example.org and it is contacted over TLS.
Java Additional Parameters
The relevant Java Additional Parameters are:
- hawtio.realm=activemq: should match the key in login.config (activemq in the previous example);
- hawtio.role=admins: group membership required. As the defaultRole membership is granted to the users found in the roleFilter, you need to match the defaultRole;
- hawtio.rolePrincipalClasses=org.ldaptive.jaas.LdapRole: the Java class of the role. The given value is correct for an ldaptive-granted role;
- java.security.auth.login.config=%ACTIVEMQ_CONF%/login.config: location of the jaas config file.
These parameters can be specified in ./bin/activemq, in wrapper.conf or in /etc/default/activemq (Linux GNU/Debian).
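A consistency check for the parameters listed above, as an added example (not code from the original page or from the ActiveMQ, hawt.io or ldaptive projects): it verifies that hawtio.realm names an entry in login.config, that hawtio.role equals that entry's defaultRole, and that the role class is org.ldaptive.jaas.LdapRole. The login.config and ACTIVEMQ_OPTS samples are constructed; the JAAS option names are assumed from ldaptive's JAAS modules and the function names are hypothetical.

```python
import re

# Constructed sample login.config: option names assumed from ldaptive's JAAS
# modules; host and bind DN reuse the example values on this page.
SAMPLE_LOGIN_CONFIG = '''
activemq {
    org.ldaptive.jaas.LdapLoginModule required
        ldapUrl="ldap://ldap.example.org"
        useStartTLS="true"
        storePass="true";
    org.ldaptive.jaas.LdapRoleAuthorizationModule required
        useFirstPass="true"
        ldapUrl="ldap://ldap.example.org"
        useStartTLS="true"
        bindDn="cn=hawtio,ou=agents,dc=example,dc=org"
        bindCredential="CHANGE_ME"
        roleFilter="(member={dn})"
        defaultRole="admins";
};
'''
# Constructed ACTIVEMQ_OPTS value carrying the four parameters from the list.
SAMPLE_OPTS = ("-Dhawtio.realm=activemq -Dhawtio.role=admins "
               "-Dhawtio.rolePrincipalClasses=org.ldaptive.jaas.LdapRole "
               "-Djava.security.auth.login.config=%ACTIVEMQ_CONF%/login.config")

def parse_realms(text):
    """Map each JAAS entry name to the set of defaultRole values in its body."""
    realms = {}
    for name, body in re.findall(r'^\s*([\w.-]+)\s*\{(.*?)\}\s*;', text, re.S | re.M):
        realms[name] = set(re.findall(r'\bdefaultRole\s*=\s*"([^"]*)"', body))
    return realms

def parse_opts(opts):
    """Collect -Dkey=value system properties from an ACTIVEMQ_OPTS string."""
    return dict(re.findall(r'-D([\w.]+)=(\S+)', opts))

def check(opts, login_config):
    """Return a list of mismatches between the JVM options and login.config."""
    props, realms = parse_opts(opts), parse_realms(login_config)
    realm, role = props.get("hawtio.realm"), props.get("hawtio.role")
    problems = []
    if realm not in realms:
        problems.append(f"hawtio.realm={realm} has no entry in login.config")
    elif role not in realms[realm]:
        problems.append(f"hawtio.role={role} is not a defaultRole of '{realm}'")
    if props.get("hawtio.rolePrincipalClasses") != "org.ldaptive.jaas.LdapRole":
        problems.append("hawtio.rolePrincipalClasses is not the ldaptive role class")
    return problems
```

An empty list from check() means the two files agree; each string in a non-empty list names one mismatch to fix before restarting the broker.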
Enable logging
This couple of lines in logback.xml can help you a lot: