Tuesday, September 16, 2014

How to secure a password file on Windows 7 (JMX interface of ActiveMQ, to be specific)

This took me a while to figure out, so here's a description of how to make use of a password-protected JMX interface with ActiveMQ (5.8 in my case).

1. Make sure your activemq.xml specifies that you actually want to allow JMX monitoring:
   <managementContext>
        <managementContext createConnector="true" connectorPort="1098"/>
   </managementContext>

2. Change the activemq.bat startup script to specify explicit password and access files (in a batch file the value must be one line; `^` continues it onto the next line):

set SUNJMX=-Dcom.sun.management.jmxremote.port=1098 ^
-Dcom.sun.management.jmxremote.ssl=false ^
-Dcom.sun.management.jmxremote.password.file=%ACTIVEMQ_BASE%/conf/jmx.password ^
-Dcom.sun.management.jmxremote.access.file=%ACTIVEMQ_BASE%/conf/jmx.access

When you now start ActiveMQ, you will probably get this error:

> activemq.bat
Error: Password file read access must be restricted: .../conf/jmx.password

ActiveMQ requires the password file to have specific user-only permissions (see here for more information). Unfortunately that link is for Windows XP, so here's what to do on Windows 7.

I've actually found two solutions, one graphical, the other one from the command line:

Solution (using Windows Explorer):

1) Change the owner to be 'you' (required step!!):
Select jmx.password, Right-Mouse-Click -> Properties -> Security -> Advanced -> Owner -> Edit
and select your username as the single owner of the file.

Note: you need to click OK and exit out of Properties for this to take effect.

2) Select jmx.password, Right-Mouse-Click -> Properties -> Security -> Advanced -> Change Permissions

- uncheck "Include inheritable permissions" and click Remove to remove all inherited permissions
- then click Add... to add read/write permissions for only your user: enter your username as the object name and select, for example, 'Full Control'. Click OK and exit out of Properties.


Solution (using Windows command line):

1) Open a Windows command prompt in your ActiveMQ 'conf' folder.


2) Use icacls (run 'icacls' without options for help) to change the owner to be 'you'; in my case:

icacls jmx.password /setowner apodehl


3) Remove all inherited permissions:

icacls jmx.password /inheritance:r


4) Grant minimal permissions to your user (read/write in this case):

icacls jmx.password /grant:r apodehl:(r,w)
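The same three steps can be done and, more importantly, verified from PowerShell. This is an added example, not from the original post: it sets the owner, strips the inherited entries, leaves a single read/write entry for the current account, and then re-reads the ACL to confirm the condition the steps above establish (no inherited ACEs, every remaining ACE belongs to the owner). It assumes you run it from the ActiveMQ 'conf' folder in an elevated prompt; the file name is the post's, the account is whoever runs the script.

```powershell
# Added example (not the post's own commands): restrict jmx.password to the
# current user with the .NET ACL classes, then verify the result.
# Assumptions: current directory is ActiveMQ's 'conf' folder; the prompt is
# elevated enough to take ownership of the file.
$File = 'jmx.password'
$User = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name  # e.g. MACHINE\apodehl

$acl = Get-Acl -Path $File

# 1) owner must be the account that will run ActiveMQ ("required step!!")
$acl.SetOwner([System.Security.Principal.NTAccount]$User)

# 2) stop inheriting from 'conf' and drop (not copy) the inherited ACEs
$acl.SetAccessRuleProtection($true, $false)

# 3) remove any remaining explicit ACEs, then add one read/write rule for $User
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}
$rwRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $User, 'Read, Write', 'Allow'
$acl.AddAccessRule($rwRule)
Set-Acl -Path $File -AclObject $acl

# Verify against the persisted ACL: no inherited entries and only owner entries.
$check = Get-Acl -Path $File
$owner = $check.Owner
$bad = $check.Access | Where-Object {
    $_.IsInherited -or $_.IdentityReference.Value -ne $owner
}
if ($bad) {
    Write-Error ("Still has ACEs for other principals: " +
        (($bad | ForEach-Object { $_.IdentityReference.Value }) -join ', '))
} else {
    Write-Host "$File is restricted to $owner only; ActiveMQ can be restarted."
}
```

If the verification fails, icacls jmx.password will show the offending entry; the usual cause is a Change Permissions step done without first changing the owner.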


