Authenticate and Encrypt ActiveMQ Communication

By default, the communication between the data aggregator and data collector is unencrypted and unauthenticated.
Secure the ActiveMQ broker so that the data aggregator and the data collector communicate over an encrypted (TLS) channel. The data aggregator host server and the data collector host server each have a local ActiveMQ broker. In the default configuration, the ActiveMQ brokers communicate with each other on the same port over a network interface. By default, the communication between the broker and the data aggregator or data collector Java process is also unencrypted and unauthenticated. The data aggregator and data collector communicate indirectly through their local ActiveMQ brokers over the loopback interface. That traffic occurs only on the loopback interface and is not exposed to network sniffing.
Secure the Communication
The following diagram illustrates the communication between the data aggregator and data collector services, brokers, and hosts:
Diagram that shows the communication architecture between the data aggregator and data collector.
The following ports enable ActiveMQ communication between the data aggregator and the data collectors:
  • TCP 61616
    Enables only ActiveMQ traffic. Data aggregator and data collector indirect communication is through the local ActiveMQ brokers over the loopback interface on this port.
  • TCP 61618
    Enables poll response delivery traffic.
  • TCP 61620
    Enables distributed IREP traffic.
  • TCP 61622
    Enables large data transfers.
    This port also enables the simplified upgrade for data collectors.
    For more information, see Upgrade the Data Collectors.
For more information about the ports that are required for DX NetOps Performance Management to work properly, see Review Installation Requirements and Considerations.
This topic uses 61617, 61619, 61621, and 61623. Leave ports 61616, 61618, 61620, and 61622 unencrypted and restrict communication on these ports to the loopback interface.
Throughout the documentation 8182, 8382, 61617, 61619, 61621, and 61623 appear as suggested port numbers for secured communications. Wherever these ports appear, you can use any value you want as long as no other process is using it.
For more information about these ports, see Review Installation Requirements and Considerations.
If you installed DX NetOps Performance Management to be run as a sudo user, issue the following commands as that sudo user.
To secure communications between the data aggregator and data collectors, secure the communication between the ActiveMQ brokers on these servers. Use Transport Layer Security (TLS) and communicate on a different port.
Use the following process to secure communications:
A restart of the data aggregator and data collectors is not required during this process. The configuration changes take effect after the ActiveMQ brokers restart. Restart the brokers after the configuration changes are complete.
Verify the Prerequisites
Save a backup copy of the activemq.xml file from the data aggregator and each data collector. To revert the authentication configuration, replace the updated XML files with the backups.
Open Ports on Firewalls
On all relevant firewalls between the data aggregator host and data collector hosts, open port 61617 for TLS communications.
Generate Keys and Establish Trust
Establish a trusted connection by generating private/public key pairs for the data aggregator and each data collector, and then set up trust stores. Each data collector must trust itself and the data aggregator. The data aggregator must trust itself and the data collectors.
Each system requires two private keys: one for the ActiveMQ broker, and one for the client, which is the data aggregator or data collector process. On each system, you replace two .ks files and one .ts file. Each file has a nonsecure password that is stored in clear text in the activemq.xml file. Because of the passwords, and the general sensitivity of encryption keys, the following files require 400 permission:
  • activemq.xml
  • *.ts
  • *.ks
The user that runs the ActiveMQ broker must own these files.
The local security policy dictates how to generate the key pairs. After you generate the keys, copy the public keys to the other hosts. All the data collectors need the data aggregator key, and the data aggregator needs all the data collector keys.
Example:
This example procedure uses the JDK keytool. The following command generates a self-signed key using the JDK keytool:
    keytool -genkey -alias KEY_ALIAS -keyalg RSA -keystore broker.ks
  • KEY_ALIAS is a string that identifies the key.
The keytool is interactive and requires a series of inputs. The following example shows the interaction for the keytool:
For the first and last name prompt, you must enter the host name of the system where you are creating the certificate.
    [[email protected] conf]# keytool -genkey -alias dc1 -keyalg RSA -keystore broker.ks
    Enter keystore password: 123456
    Re-enter new password: 123456
    What is your first and last name?
      [Unknown]: Host_Name
    What is the name of your organizational unit?
      [Unknown]: Team1
    What is the name of your organization?
      [Unknown]: CGPM
    What is the name of your City or Locality?
      [Unknown]: Framingham
    What is the name of your State or Province?
      [Unknown]: MA
    What is the two-letter country code for this unit?
      [Unknown]: US
    Is CN=Host_Name, OU=Team1, O=CGPM, L=Framingham, ST=MA, C=US correct?
      [no]: yes
    Enter key password for <dc1>
      (RETURN if same as keystore password):
Generate Keys and Establish Trust on the Data Collectors
Complete this procedure on each data collector host. Each keytool command is interactive and requests a password for each .ks and .ts file.
In the following procedure, DC_ALIAS is a user-defined unique identifier for each data collector host and can be any string as long as it is unique for each data collector.
Follow these steps:
  1. Change directories by issuing the following command:
    cd /opt/IMDataCollector/broker/apache-activemq-<version>/conf
  2. Remove existing security files by issuing the following command:
    rm -f *.ks *.ts *.cert
  3. Generate the broker keystore and private key by issuing the following command:
    keytool -genkey -alias DC_ALIAS -keyalg RSA -keystore broker.ks
  4. Export the broker key for the data collector by issuing the following command:
    keytool -export -alias DC_ALIAS -keystore broker.ks -file DC_ALIAS.cert
  5. Import the client key for the data collector by issuing the following command:
    keytool -import -alias DC_ALIAS -keystore client.ts -file DC_ALIAS.cert
  6. Copy the data collector key to the data aggregator for import when you establish trust on the data aggregator by issuing the following command:
    scp DC_ALIAS.cert [email protected]$DA_HOST:/tmp/DC_ALIAS.cert
Generate Keys and Establish Trust on the Data Aggregator
Follow these steps:
  1. Change directories by issuing the following command:
    cd /opt/IMDataAggregator/broker/apache-activemq-<version>/conf
  2. Remove the existing security files by issuing the following command:
    rm -f *.ks *.ts *.cert
  3. Generate the broker keystore and private key by issuing the following command:
    keytool -genkey -alias DA_ALIAS -keyalg RSA -keystore broker.ks
  4. Export the broker key for the data aggregator by issuing the following command:
    keytool -export -alias DA_ALIAS -keystore broker.ks -file DA_ALIAS.cert
  5. Import the client key for the data aggregator by issuing the following command:
    keytool -import -alias DA_ALIAS -keystore client.ts -file DA_ALIAS.cert
  6. Import the client keys for each data collector by issuing the following command:
    keytool -import -alias DC_ALIAS -keystore client.ts -file /tmp/DC_ALIAS.cert
    Repeat the keytool import command for each data collector with each DC_ALIAS.
  7. Remove CERT files from the /tmp directory by issuing the following command:
    rm /tmp/*.cert
  8. Copy the broker key for the data aggregator to the /tmp directory by issuing the following command:
    cp DA_ALIAS.cert /tmp
  9. Grant the appropriate permissions to the security files by issuing the following command:
    chmod 400 *.ks *.ts *.cert
Establish Trust from the Data Collectors to the Data Aggregator
Complete this procedure on each data collector host.
Follow these steps:
  1. Change directories by issuing the following command:
    cd /opt/IMDataCollector/broker/apache-activemq-<version>/conf
  2. Copy the data aggregator key to the data collector host by issuing the following command:
    scp [email protected]$DA_HOST:/tmp/DA_ALIAS.cert .
  3. Import the data aggregator key to the data collector keystore by issuing the following command:
    keytool -import -alias DA_ALIAS -keystore client.ts -file DA_ALIAS.cert
  4. Grant the appropriate permissions to the security files by issuing the following command:
    chmod 400 *.ks *.ts *.cert
Configure ActiveMQ on the Data Aggregator
Follow these steps:
  1. On the data aggregator host, configure the data aggregator broker for TLS with client authentication by editing the following file:
    /opt/IMDataAggregator/broker/apache-activemq-<version>/conf/activemq.xml
  2. Add the following XML section before the <transportConnectors> element. Use the keystore and trust store passwords that you entered in keytool:
    <sslContext>
        <sslContext keyStore="broker.ks" keyStorePassword="123456"
                    trustStore="client.ts" trustStorePassword="123456"/>
    </sslContext>
  3. Restrict the existing OpenWire transport connector to the local host only:
    <transportConnector name="openwire" uri="tcp://127.0.0.1:61616"/>
  4. Change the permissions for the file by issuing the following command:
    chmod 400 activemq.xml
Configure ActiveMQ on the Data Collectors
Complete the procedure on each data collector host.
Follow these steps:
  1. On the data collector host, edit the following file:
    /opt/IMDataCollector/broker/apache-activemq-<version>/conf/activemq.xml
  2. Add the following XML section before the <transportConnectors> element. Use the keystore and trust store passwords that you entered in keytool:
    <sslContext>
        <sslContext keyStore="broker.ks" keyStorePassword="123456"
                    trustStore="client.ts" trustStorePassword="123456"/>
    </sslContext>
  3. Restrict the existing OpenWire transport connector to the local host only:
    <transportConnector name="openwire" uri="tcp://127.0.0.1:61616?maximumConnections=100&amp;wireFormat.maxFrameSize=104857600"/>
  4. For all <networkConnector> entries, change tcp://dahostname to ssl://dahostname and update the ports.
    Example:
    The following example is a <networkConnector> entry that you might see:
    <networkConnector name="da_manager" uri="static:(tcp://dahostname:61616)" duplex="true" suppressDuplicateTopicSubscriptions="false">
    Replace tcp with ssl and the port with the TLS port, as shown in the following example:
    <networkConnector name="da_manager" uri="static:(ssl://dahostname:61617)" duplex="true" suppressDuplicateTopicSubscriptions="false">
  5. Change the permissions for the file by issuing the following command:
    chmod 400 activemq.xml
    The user running the ActiveMQ service must own this file.
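The two configuration procedures above leave a lot of room for a typo that silently keeps a broker listening in clear text. The following added check (not part of the product documentation) parses a broker's activemq.xml and reports any way it falls short of the hardening described: no sslContext, a tcp:// transport connector that is not bound to 127.0.0.1:61616, or a networkConnector that does not use ssl:// on the TLS port. The two XML samples are constructed for the example, and the port numbers 61616 and 61617 are the ones this topic uses.

```python
# Added example (not from the product docs): checks that a broker's activemq.xml
# carries the hardening described above. The XML samples below are constructed.
import re
import xml.etree.ElementTree as ET

LOOPBACK_PORT = "61616"  # plain OpenWire, loopback interface only
TLS_PORT = "61617"       # broker-to-broker TLS port used in this topic
WEAK_XML = """<broker xmlns="http://activemq.apache.org/schema/core" brokerName="dc1">
  <networkConnectors>
    <networkConnector name="da_manager" uri="static:(tcp://dahostname:61616)" duplex="true"/>
  </networkConnectors>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  </transportConnectors>
</broker>"""

HARDENED_XML = """<broker xmlns="http://activemq.apache.org/schema/core" brokerName="dc1">
  <sslContext>
    <sslContext keyStore="broker.ks" keyStorePassword="123456" trustStore="client.ts" trustStorePassword="123456"/>
  </sslContext>
  <networkConnectors>
    <networkConnector name="da_manager" uri="static:(ssl://dahostname:61617)" duplex="true"/>
  </networkConnectors>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://127.0.0.1:61616?maximumConnections=100&amp;wireFormat.maxFrameSize=104857600"/>
  </transportConnectors>
</broker>"""


def _elements(root, name):
    # Match on the local tag name so the ActiveMQ/Spring XML namespaces do not matter.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def check_broker_xml(xml_text):
    """Return a list of findings; an empty list means the broker config passes."""
    root = ET.fromstring(xml_text)
    findings = []
    if not any(e.get("keyStore") and e.get("trustStore") for e in _elements(root, "sslContext")):
        findings.append("no <sslContext> naming a keyStore and trustStore")
    for tc in _elements(root, "transportConnector"):
        uri = tc.get("uri", "")
        # Plain tcp:// listeners are acceptable only on the loopback interface on 61616.
        if uri.startswith("tcp://") and not uri.startswith("tcp://127.0.0.1:%s" % LOOPBACK_PORT):
            findings.append("transportConnector %r listens on a non-loopback address" % tc.get("name"))
    for nc in _elements(root, "networkConnector"):
        m = re.search(r"static:\((\w+)://[^:/]+:(\d+)\)", nc.get("uri", ""))
        # Broker-to-broker links must use ssl:// on the dedicated TLS port.
        if not m or m.group(1) != "ssl" or m.group(2) != TLS_PORT:
            findings.append("networkConnector %r is not ssl:// on port %s" % (nc.get("name"), TLS_PORT))
    return findings
```

Run it against the real file with check_broker_xml(open(path).read()) on each host before restarting the brokers; a non-empty result means the broker would still accept or initiate unencrypted connections.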
Restart the ActiveMQ Brokers
The ActiveMQ brokers reread the configuration when the broker restarts. Restart the brokers simultaneously.
During the shutdown, the data collectors cache incoming traffic. To minimize data loss, perform the shutdowns and restarts in this order:
  1. Shut down the ActiveMQ broker on each data collector by issuing the following command:
    service activemq stop
  2. Shut down the ActiveMQ broker on the data aggregator by issuing the following command:
    service activemq stop
  3. Start the ActiveMQ broker on the data aggregator by issuing the following command:
    service activemq start
    If you do not start it manually, the data aggregator starts the broker automatically.
  4. The data collectors automatically restart the ActiveMQ brokers. Use the following command to restart the brokers manually:
    service activemq start
Block Port 61616
On all relevant firewalls, restrict the communication on port 61616 to the loopback interface.
Verify Communication and Polling
After you secure communications, confirm that the system is polling.
Follow these steps:
  1. Log in to NetOps Portal.
  2. Hover over Administration, Monitored Items Management, and then click Data Collectors.
    The Data Collectors list appears.
  3. Verify that the Polling Status for each data collector is Collecting Data.
  4. Wait 5 minutes, then click Refresh.
  5. Verify that the status for each data collector is still Collecting Data.
  6. (Optional) For further validation, look at a device on each data collector, and confirm that polled data is being loaded.
If any data collector does not have the Collecting Data status, use the following options to troubleshoot the data collector:
  • On the data collector host, verify the ActiveMQ status by issuing the following command:
    service activemq status
  • Check for errors in the data collector Karaf log, in the following file:
    /opt/IMDatacollector/apache-karaf-<vers>/karaf.log
  • Check for errors in the data collector ActiveMQ log, in the following file:
    /opt/IMDataCollector/broker/apache-activemq-<version>/data/activemq.log
  • Check the permissions on the activemq.conf file and on the .ks and .ts files. These files must be readable by the user that runs the ActiveMQ broker.
  • Verify the contents of the .ks and .ts files by issuing the following command:
    keytool -list -keystore client.ts