Authenticate and Encrypt ActiveMQ Communication

By default, the communication between the Data Aggregator and Data Collector is unencrypted and unauthenticated. To secure communications, secure the communication between the ActiveMQ brokers on these servers.
The following ports enable ActiveMQ communication between the Data Aggregator and the Data Collectors:
  • TCP 61616
    Enables only ActiveMQ traffic
  • TCP 61618
    Enables poll response delivery traffic
  • TCP 61620
    Enables distributed IREP traffic
  • TCP 61622
    Enables large data transfers
    This port also enables the simplified upgrade for Data Collectors. For more information, see Upgrade the Data Collectors.
The Data Aggregator does not communicate directly with the Data Collector. Each host server has an ActiveMQ broker. The Data Aggregator and Data Collector each communicate to the local broker over the loopback interface on port 61616. In the default configuration, the ActiveMQ brokers communicate on the same port over a network interface.
The following diagram shows the communication between the services, brokers, and hosts:
Diagram that shows the communication architecture between the Data Aggregator and Data Collectors.
To secure the communication between the brokers, use TLS and communicate on a different port. This procedure uses 61617, 61619, 61621, and 61623. Leave ports 61616, 61618, 61620, and 61622 unencrypted and restrict communication on these ports to the loopback interface.
Throughout the documentation 8182, 8382, 61617, 61619, 61621, and 61623 appear as suggested port numbers for secured communications. In the instances where these ports appear, you are free to use any value you want as long as no other processes are using it.
Communication between the ActiveMQ broker and the Data Aggregator or Data Collector Java process is not encrypted or authenticated. Because this traffic occurs only on the loopback interface, it cannot be sniffed from the network. Only a process on the same host with the privilege to capture loopback traffic can observe it, which is why the plain OpenWire connector is bound to 127.0.0.1 and port 61616 is blocked at the firewall.
If CA Performance Management was installed to be run as a sudo user, run these commands as that sudo user.
To secure communications between the Data Aggregator and Data Collectors, complete the following procedures:
Save a backup copy of the activemq.xml file from the Data Aggregator and each Data Collector. To revert the authentication configuration, replace the updated XML files with the backups.
The Data Aggregator and Data Collector processes do not need to be restarted during this process. The configuration changes take effect when the ActiveMQ brokers restart, so restart the brokers after all the configuration changes are complete.
When you configure the Data Aggregator broker for TLS, configure all the Data Collector brokers for TLS too; a Data Collector broker that still connects with plain TCP to port 61616 cannot reach a Data Aggregator broker that only accepts TLS on 61617. Set up the configuration on each host and shut down all brokers. Then restart the brokers, starting with the Data Aggregator.
Open Ports on Firewalls
On all relevant firewalls between the Data Aggregator host and Data Collector hosts, open port 61617 for TLS communications (and ports 61619, 61621, and 61623 if you move the other channels to TLS as described above).
Generate Keys and Establish Trust
To establish a trusted connection, generate private/public key pairs for the Data Aggregator and each Data Collector and set up trust stores. Each Data Collector must trust itself and the Data Aggregator. The Data Aggregator must trust itself and all the Data Collectors.
Each system needs two private keys: one for the ActiveMQ broker, and one for the client, which is the Data Aggregator or Data Collector process. On each system, you replace two .ks files and one .ts file. Each file has a password that is stored in clear text in activemq.xml. Because of the passwords, and the general sensitivity of private keys, the files activemq.xml, *.ts, and *.ks require 400 permission. The user that runs the ActiveMQ broker must own these files.
The local security policy dictates how to generate the key pairs. After you generate the keys, copy the public certificates to the other hosts. All the Data Collectors need the Data Aggregator certificate, and the Data Aggregator needs all the Data Collector certificates.
Example
This example procedure uses the JDK keytool. The following command generates a self-signed key pair using the JDK keytool:
    keytool -genkey -alias KEY_ALIAS -keyalg RSA -keystore broker.ks -ext SAN=dns:fully_qualified_hostname
  • KEY_ALIAS
    is a string that identifies the key.
  • fully_qualified_hostname
    is the fully qualified name of the host on which you create the key; it is placed in the Subject Alternative Name of the certificate.
keytool issues the certificate with its default validity of 90 days unless you add -validity <days>; choose a validity that matches how often you are willing to repeat this procedure. The keystore password in the example (123456) is a placeholder: use a strong value, because it is stored in clear text in activemq.xml.
The keytool is interactive and requires a series of inputs. The following example shows the interaction for the keytool:
For the first and last name prompt, you must enter the host name of the system where you are creating the certificate.
    # keytool -genkey -alias dc1 -keyalg RSA -keystore broker.ks -ext SAN=dns:fully_qualified_hostname
    Enter keystore password: 123456
    Re-enter new password: 123456
    What is your first and last name?
      [Unknown]:  Host_Name
    What is the name of your organizational unit?
      [Unknown]:  Team1
    What is the name of your organization?
      [Unknown]:  CGPM
    What is the name of your City or Locality?
      [Unknown]:  Framingham
    What is the name of your State or Province?
      [Unknown]:  MA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=Host_Name, OU=Team1, O=CGPM, L=Framingham, ST=MA, C=US correct?
      [no]:  yes
    Enter key password for <dc1>
      (RETURN if same as keystore password):
Generate Keys and Establish Trust on the Data Collectors
Complete this procedure on each Data Collector host. Each keytool command is interactive and requests a password for each .ks and .ts file. DC_ALIAS is a user-defined unique identifier for each Data Collector host and can be any string as long as it is unique for each Data Collector.
Follow these steps:
  1. Change directories:
    cd /opt/IMDataCollector/broker/apache-activemq-version/conf
  2. Remove existing security files:
    rm -f *.ks *.ts *.cert
  3. Generate the broker keystore and private key:
    keytool -genkey -alias DC_ALIAS -keyalg RSA -keystore broker.ks -ext SAN=dns:fully_qualified_hostname
  4. Export the broker certificate for the Data Collector:
    keytool -export -alias DC_ALIAS -keystore broker.ks -file DC_ALIAS.cert
  5. Import the exported certificate into the Data Collector trust store (client.ts), so that the Data Collector trusts itself:
    keytool -import -alias DC_ALIAS -keystore client.ts -file DC_ALIAS.cert
  6. Copy the Data Collector certificate to the Data Aggregator for import when you establish trust on the Data Aggregator:
    scp DC_ALIAS.cert <user>@$DA_HOST:/tmp/DC_ALIAS.cert
Generate Keys and Establish Trust on the Data Aggregator
Follow these steps:
  1. Change directories:
    cd /opt/IMDataAggregator/broker/apache-activemq-version/conf
  2. Remove existing security files:
    rm -f *.ks *.ts *.cert
  3. Generate the broker keystore and private key:
    keytool -genkey -alias DA_ALIAS -keyalg RSA -keystore broker.ks -ext SAN=dns:fully_qualified_hostname
  4. Export the broker certificate for the Data Aggregator:
    keytool -export -alias DA_ALIAS -keystore broker.ks -file DA_ALIAS.cert
  5. Import the exported certificate into the Data Aggregator trust store (client.ts), so that the Data Aggregator trusts itself:
    keytool -import -alias DA_ALIAS -keystore client.ts -file DA_ALIAS.cert
  6. Import the certificate of each Data Collector:
    keytool -import -alias DC_ALIAS -keystore client.ts -file /tmp/DC_ALIAS.cert
    Repeat the keytool import command for each Data Collector with each DC_ALIAS.
  7. Remove the CERT files from the /tmp directory:
    rm /tmp/*.cert
  8. Copy the broker certificate for the Data Aggregator to the /tmp directory:
    cp DA_ALIAS.cert /tmp
  9. Grant the appropriate permissions to the security files:
    chmod 400 *.ks *.ts *.cert
Establish Trust from the Data Collectors to the Data Aggregator
Complete this procedure on
each
Data Collector host.
Follow these steps:
  1. Change directories:
    cd /opt/IMDataCollector/broker/apache-activemq-version/conf
  2. Copy the Data Aggregator certificate to the Data Collector host:
    scp <user>@$DA_HOST:/tmp/DA_ALIAS.cert .
  3. Import the Data Aggregator certificate into the Data Collector trust store:
    keytool -import -alias DA_ALIAS -keystore client.ts -file DA_ALIAS.cert
  4. Grant the appropriate permissions to the security files:
    chmod 400 *.ks *.ts *.cert
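The three procedures above run the same keytool commands on every host, interactively, and split the work into "generate", "trust the peer" and "lock down" phases. The script below is an added example, not part of the CA documentation or product, that performs those same steps non-interactively: -dname supplies the subject that the interactive prompts ask for, -validity overrides keytool's 90-day default, and the store passwords are handed to keytool through environment variables (-storepass:env) rather than on the command line, where ps would show them. Assumptions: the JDK keytool is on PATH; the JKS store type; the OU/O values in DNAME_SUFFIX; the host names in the usage note. You still copy the .cert files between hosts yourself, and you run lock_down only after the last import, because keytool needs write access to client.ts to add a certificate.

```shell
#!/bin/sh
# Added example (not from the CA Performance Management documentation): the
# key-generation and trust steps of the three procedures above, non-interactive.
# Assumptions: JDK keytool on PATH; JKS store type; the OU/O values below;
# passwords are handed to keytool through the environment (-storepass:env).
set -eu

VALIDITY_DAYS=3650                 # keytool's default validity is only 90 days
DNAME_SUFFIX="OU=Ops, O=Example"   # assumed subject attributes; the CN is the FQDN

# gen_broker_key DIR ALIAS FQDN PASSWORD
# Steps 2-5 of the per-host procedure: replace the security files, create
# DIR/broker.ks with a new RSA key pair, export its certificate to DIR/ALIAS.cert
# and start DIR/client.ts with that certificate (each host trusts itself).
gen_broker_key() {
    dir=$1; alias=$2; fqdn=$3
    KS_PASS=$4; export KS_PASS
    ( cd "$dir"
      rm -f ./*.ks ./*.ts ./*.cert
      keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 \
          -validity "$VALIDITY_DAYS" -storetype JKS -keystore broker.ks \
          -storepass:env KS_PASS -keypass:env KS_PASS \
          -dname "CN=$fqdn, $DNAME_SUFFIX" -ext "SAN=dns:$fqdn"
      keytool -exportcert -alias "$alias" -keystore broker.ks \
          -storepass:env KS_PASS -file "$alias.cert"
      keytool -importcert -noprompt -alias "$alias" -storetype JKS -keystore client.ts \
          -storepass:env KS_PASS -file "$alias.cert" )
}

# trust_peer DIR ALIAS CERT_FILE PASSWORD
# Data Aggregator step 6 / Data Collector step 3: add a peer's exported
# certificate to DIR/client.ts. Run once per Data Collector on the Data
# Aggregator, and once with the Data Aggregator certificate on each Data Collector.
trust_peer() {
    KS_PASS=$4; export KS_PASS
    keytool -importcert -noprompt -alias "$2" -storetype JKS -keystore "$1/client.ts" \
        -storepass:env KS_PASS -file "$3"
}

# trusted_count DIR PASSWORD
# Prints how many certificates DIR/client.ts trusts (the keytool -list check from
# the troubleshooting section). A Data Collector should show 2; the Data
# Aggregator should show 1 plus the number of Data Collectors.
trusted_count() {
    KS_PASS=$2; export KS_PASS
    keytool -list -storetype JKS -keystore "$1/client.ts" -storepass:env KS_PASS \
        | grep -c 'trustedCertEntry'
}

# lock_down DIR
# Final permission step: the stores hold private keys and their passwords sit in
# clear text in activemq.xml, so nothing but the broker's user may read them.
lock_down() {
    chmod 400 "$1"/*.ks "$1"/*.ts "$1"/*.cert
}
```

Usage on the Data Aggregator, with da.example.com and dc1.example.com as assumed host names: gen_broker_key /opt/IMDataAggregator/broker/apache-activemq-version/conf da da.example.com "$DA_PASS", then trust_peer with each /tmp/DC_ALIAS.cert copied over from the Data Collectors, then trusted_count to confirm the expected number, then lock_down. On each Data Collector the sequence is gen_broker_key, trust_peer with the Data Aggregator certificate, trusted_count (expect 2), lock_down.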
Configure ActiveMQ on the Data Aggregator
On the Data Aggregator, enable TLS with client authentication, and restrict OpenWire to localhost only.
Follow these steps:
  1. On the Data Aggregator host, edit the following file:
    /opt/IMDataAggregator/broker/apache-activemq-version/conf/activemq.xml
  2. Add the following XML section before the <transportConnectors> element:
    <sslContext>
      <sslContext keyStore="broker.ks" keyStorePassword="123456"
                  trustStore="client.ts" trustStorePassword="123456"/>
    </sslContext>
    Replace 123456 with the passwords you chose when you created broker.ks and client.ts.
  3. Restrict the existing OpenWire transport connector to the local host only:
    <transportConnector name="openwire" uri="tcp://127.0.0.1:61616"/>
  4. Change the permissions for the file:
    chmod 400 activemq.xml
Configure ActiveMQ on the Data Collectors
On the Data Collectors, enable TLS, update the URL for the Data Aggregator, and restrict OpenWire to localhost only.
Complete the procedure on
each
Data Collector host.
Follow these steps:
  1. On the Data Collector host, edit the following file:
    /opt/IMDataCollector/broker/apache-activemq-version/conf/activemq.xml
  2. Add the following XML section before the <transportConnectors> element:
    <sslContext>
      <sslContext keyStore="broker.ks" keyStorePassword="123456"
                  trustStore="client.ts" trustStorePassword="123456"/>
    </sslContext>
  3. Restrict the existing OpenWire transport connector to the local host only:
    <transportConnector name="openwire" uri="tcp://127.0.0.1:61616?maximumConnections=100&amp;wireFormat.maxFrameSize=104857600"/>
  4. For all <networkConnector> entries, change tcp://dahostname to ssl://dahostname and update the ports.
    Example:
    The following example is a <networkConnector> entry that you might see:
    <networkConnector name="da_manager" uri="static:(tcp://dahostname:61616)" duplex="true" suppressDuplicateTopicSubscriptions="false">
    Replace tcp with ssl and 61616 with the TLS port, as shown in the following example:
    <networkConnector name="da_manager" uri="static:(ssl://dahostname:61617)" duplex="true" suppressDuplicateTopicSubscriptions="false">
  5. Change the permissions for the file:
    chmod 400 activemq.xml
    The user running the ActiveMQ service must own this file.
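The two configuration procedures above add an <sslContext> and pin the plain OpenWire listener to the loopback address, and the Data Collector network connectors are pointed at ssl://dahostname:61617. For those connections to succeed, the Data Aggregator broker must also have an ssl:// transport connector listening on that port. The fragments below are an added example, not the shipped activemq.xml of CA Performance Management: they show how the elements from both procedures fit together inside <broker>, with an assumed TLS listener on 61617 that sets needClientAuth=true so the Data Aggregator accepts only brokers whose certificate is in client.ts (mutual authentication; without it any client that trusts the Data Aggregator certificate could connect). Whether your activemq.xml already contains such a listener is something to check in the file rather than assume.

```xml
<!-- Data Aggregator: conf/activemq.xml, inside <broker> (added example) -->
<sslContext>
  <sslContext keyStore="broker.ks" keyStorePassword="DA_KS_PASSWORD"
              trustStore="client.ts" trustStorePassword="DA_TS_PASSWORD"/>
</sslContext>
<transportConnectors>
  <!-- Plain OpenWire for the local Data Aggregator process only -->
  <transportConnector name="openwire" uri="tcp://127.0.0.1:61616"/>
  <!-- TLS listener for the Data Collector brokers (assumed, not shown on the page).
       needClientAuth=true requires the peer to present a certificate that is in
       client.ts, so the trust store acts as an allow-list of brokers. -->
  <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true"/>
</transportConnectors>

<!-- Data Collector: conf/activemq.xml, inside <broker> (added example) -->
<sslContext>
  <sslContext keyStore="broker.ks" keyStorePassword="DC_KS_PASSWORD"
              trustStore="client.ts" trustStorePassword="DC_TS_PASSWORD"/>
</sslContext>
<networkConnectors>
  <!-- The Data Collector broker dials out over TLS; the key in its broker.ks is
       the client certificate that the Data Aggregator verifies against client.ts -->
  <networkConnector name="da_manager"
      uri="static:(ssl://dahostname:61617)"
      duplex="true" suppressDuplicateTopicSubscriptions="false"/>
</networkConnectors>
<transportConnectors>
  <!-- Plain OpenWire for the local Data Collector process only -->
  <transportConnector name="openwire"
      uri="tcp://127.0.0.1:61616?maximumConnections=100&amp;wireFormat.maxFrameSize=104857600"/>
</transportConnectors>
```

The password placeholders are the values you chose when creating the stores; because they sit in clear text here, the file stays at mode 400 and owned by the broker user, as the step above requires.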
Restart ActiveMQ Brokers
The ActiveMQ brokers reread the configuration when they restart. Restart all the brokers in the same maintenance window, in the order that follows. Do not restart the Data Aggregator or Data Collector processes.
During the shutdown, the Data Collectors cache incoming traffic. To minimize data loss, perform the shutdowns and restarts in this order:
  1. Shut down the ActiveMQ broker on each Data Collector:
    service activemq stop
  2. Shut down the ActiveMQ broker on the Data Aggregator:
    service activemq stop
  3. Start the ActiveMQ broker on the Data Aggregator:
    service activemq start
    If you do not start it manually, the Data Aggregator process starts the broker automatically.
  4. The Data Collectors automatically restart the ActiveMQ brokers. Use the following command to restart the brokers manually:
    service activemq start
Block Port 61616
On all relevant firewalls, block connections to port 61616 from other hosts so that only loopback communication on this port remains possible. The transport connector is already bound to 127.0.0.1; the firewall rule is a second layer of protection in case that binding is changed later.
Verify Communication and Polling
After you secure communications, confirm that the system is polling.
Follow these steps:
  1. Log in to CA Performance Center.
  2. Select Administration, Data Collector List.
  3. Verify that the status for each Data Collector is Collecting Data.
  4. Wait 5 minutes, then click the Refresh button.
  5. Verify that the status for each Data Collector is still Collecting Data.
  6. (Optional) For further validation, look at a device on each Data Collector, and confirm that polled data is being loaded.
If any Data Collector does not have the Collecting Data status, use the following options to troubleshoot the Data Collector:
  • On the Data Collector host, verify the ActiveMQ status:
    service activemq status
  • Check for errors in the Data Collector Karaf log:
    /opt/IMDataCollector/apache-karaf-<vers>/karaf.log
  • Check for errors in the Data Collector ActiveMQ log:
    /opt/IMDataCollector/broker/apache-activemq-version/data/activemq.log
  • Check the permissions on activemq.xml and the .ks and .ts files. These files must be readable by the user that runs the ActiveMQ broker.
  • Verify the contents of the .ks and .ts files:
    keytool -list -keystore client.ts
    Each Data Collector trust store must contain its own certificate and the Data Aggregator certificate; the Data Aggregator trust store must contain its own certificate and one for every Data Collector.