Secure authentication with Red Hat AMQ 7.7 and ApacheDS LDAP server

August 11, 2020
Chandra Shekhar Pandey
Related topics: Java, Linux, Security
Related products: AMQ Clients

    In this article, we will integrate Red Hat AMQ 7.7 with the ApacheDS LDAP server. However, any version of the AMQ 7.x series can be integrated with the steps mentioned in this article.

    For this example integration, we'll use Apache Directory Studio, which is an LDAP browser and directory client for ApacheDS. You will learn how to set up the ApacheDS LDAP server from scratch, and how to apply the LDAP configuration changes that AMQ 7.7 requires. Finally, we'll test the integration with an AMQ 7.7 shell-based client, using Hawtio as a graphical user interface (GUI). This will be helpful to system administrators and developers because they can quickly create a proof of concept for LDAP and AMQ integration, and it enables role-based access control (RBAC) for access to AMQ 7.7.

    Note: Our example is based on security-ldap, which shows how to configure and use a secure Java Message Service (JMS) application layer with ActiveMQ Artemis and the ApacheDS LDAP server. This example ships with all AMQ 7.x distributions. I have tested the integration in Fedora 32 and the OpenJDK version of Java 8 (1.8.0_252).

    Part 1: Create the ApacheDS LDAP server with Apache Directory Studio

    The first thing we'll do is to create an ApacheDS server instance using Apache Directory Studio:

    1. Download Apache Directory Studio and unzip it.
    2. Once it has been extracted, from the Linux terminal execute ApacheDirectoryStudio/ApacheDirectoryStudio.
    3. Create the LDAP server by selecting New Server -> Finish, as shown in Figure 1.

    Figure 1: Create the new LDAP server in Apache Directory Studio.

    Set up the new LDAP server

    Before we start the server, we have the option to change its port. Right-click on the server and select Open Configuration. I've kept the default port. You can use Ctrl+S to save any changes that you make.

    Figure 2: Change the LDAP server port.

    Click the Run button at the bottom left of this screen to start the LDAP server.

    Create a new connection

    Next, we'll create a new connection, as shown in Figure 3.

    Figure 3: Create a new LDAP connection.

    After creating the connection, you will observe a directory tree in the LDAP browser. The tree is shown in the left-side panel in Figure 4.

    Figure 4: The directory tree in the LDAP browser.

    Create a server partition

    Next, we want to import the example.ldif file from the security-ldap example. Before doing that, we have to create a partition.

    Right-click on the LDAP server and select Open Configuration to open the Partitions tab, which is shown in Figure 5.

    Figure 5: The Partitions tab.

    Figure 6 shows the dialog to add a new partition. Enter activemq as the partition ID with the suffix dc=activemq,dc=org. Press Ctrl+S to save your changes.

    Figure 6: The dialog to add a new partition.

    Press F5 to refresh the view if the changes are not yet visible.

    Import example.ldif

    Now, we are ready to import the example.ldif file, as shown in Figure 7.

    Figure 7: Import the example.ldif file.

    Figure 8 shows the import configurations for the file.

    Figure 8: Import configurations for the example.ldif file.

    To complete the import, stop the LDAP server and start it again so that the changes are reflected. After restarting, you will see that the example.ldif file has uploaded, as shown in Figure 9.

    Figure 9: Check that the new example.ldif file has uploaded.

    Test the LDAP server connection

    We're almost done setting up the LDAP server. Our last step is to test the LDAP server connection. The following command requests a search for the user andrew:

    $ ldapsearch -H ldap://localhost:10390 -x -b "uid=andrew,dc=activemq,dc=org"|less
    

    The output returns the following user details, which also confirms that LDAP connectivity is working:

    # extended LDIF
    #
    # LDAPv3
    # base <uid=andrew,dc=activemq,dc=org> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # andrew, activemq.org
    dn: uid=andrew,dc=activemq,dc=org
    objectClass: top
    objectClass: simpleSecurityObject
    objectClass: account
    userPassword:: e1NTSEF9RnQzOGppd3pKVWUwWElsN0VBbm5aQWUxTXJCOWlBUWg0YTRkM2c9PQ=
    =
    uid: andrew
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
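Two details of that output are worth reading carefully: the userPassword attribute is written with a double colon (`::`), which in LDIF means the value is base64-encoded, and the long value is folded onto a second line that begins with a single space. Decoded, the value starts with `{SSHA}`, so the directory is storing a salted SHA-1 hash rather than the plaintext password. The following Python is an added example (not part of the article or the AMQ distribution) that parses such ldapsearch output, unfolds continuation lines, decodes base64 attributes, and checks a candidate password against an `{SSHA}` value. The LDIF text embedded in the block is a constructed copy of the andrew entry shown above; nothing connects to a live server.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the ldapsearch output for uid=andrew reproduced from the
# article, including the folded userPassword value (the continuation line
# starts with a single space, as LDIF requires).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <uid=andrew,dc=activemq,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# andrew, activemq.org
dn: uid=andrew,dc=activemq,dc=org
objectClass: top
objectClass: simpleSecurityObject
objectClass: account
userPassword:: e1NTSEF9RnQzOGppd3pKVWUwWElsN0VBbm5aQWUxTXJCOWlBUWg0YTRkM2c9PQ=
 =
uid: andrew

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest; the salt is whatever follows it


def unfold(lines):
    """Join LDIF continuation lines: a line beginning with one space
    continues the previous line (RFC 2849)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Parse LDIF into a list of records, each a dict of attribute -> [values].
    'attr: value' is literal, 'attr:: value' is base64-encoded, '#' lines are
    comments, and a blank line ends a record."""
    records, current = [], {}
    for line in unfold(text.splitlines()):
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records


def entry_by_dn(records, dn):
    """Return the record whose dn equals the given DN, or None."""
    for rec in records:
        if rec.get("dn") == [dn]:
            return rec
    return None


def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt).
    A random 8-byte salt is generated unless one is supplied."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, candidate):
    """Check a candidate password against a stored {SSHA} value using a
    constant-time comparison. Raises ValueError for any other scheme, which
    is the signal that the directory is not storing salted hashes."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    andrew = entry_by_dn(parse_ldif(SAMPLE_LDIF), "uid=andrew,dc=activemq,dc=org")
    stored = andrew["userPassword"][0]
    print("decoded userPassword:", stored)
    print("salted SHA-1 scheme:", stored.startswith(SSHA_PREFIX))
```

Running `verify_ssha` against the userPassword value returned by your own server, with the password you later hand to the AMQ client, is a quick way to confirm both that the hash and the credential line up and that plaintext is not being stored; a `ValueError` from it means the scheme prefix is missing and deserves a look at the directory's password-hashing settings.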

    Part 2: Integrate AMQ 7.7 with ApacheDS

    In this section, we'll integrate AMQ 7.7 with the ApacheDS LDAP server. I'll also guide you through the required configuration changes for AMQ 7.7.

    Download and install AMQ 7.7

    To start, we'll download and install AMQ 7.7.

    1. Download AMQ 7.7 from the Red Hat download portal. Alternatively, you could download the latest version of Apache Artemis, which is the AMQ community distribution.
    2. Unzip the distribution that you have selected. Create a new folder AMQ_INSTANCE_770 alongside the extracted distribution.
    3. Change the directory to AMQ_INSTANCE_770 and create an AMQ Broker instance called brokerInstanceldap:
      $ ../amq-broker-7.7.0/bin/artemis create brokerInstanceldap
      Creating ActiveMQ Artemis instance at: /home/chandrashekhar/Development/AMQ_RH/AMQ_INSTANCE_770/brokerInstanceldap
      
      --user: is a mandatory property!
      Please provide the default username:
      admin
      
      --password: is mandatory with this configuration:
      Please provide the default password:
      
      --allow-anonymous | --require-login: is a mandatory property!
      Allow anonymous access?, valid values are Y,N,True,False
      Y
      
      Auto tuning journal ...
      done! Your system can make 5.68 writes per millisecond, your journal-buffer-timeout will be 176000
      

    Configure the new AMQ 7.7 instance

    You will find the complete configuration in the Git repository for this article. Enter the following to clone this repository and get the files that you need:

    $ git clone https://github.com/1984shekhar/Artemis_POC
    

    Copy these files from the Git repository into your AMQ_INSTANCE_770/brokerInstanceldap/etc folder:

    • artemis.profile
    • broker.xml
    • logging.properties
    • login.config
    • management.xml

    Note: The broker configuration files are in the Artemis_POC/ldapIntegration/etc folder of the cloned repository.

    Configuration details

    See the following files for the configuration details:

    • The login.config file has the LDAP server integration details.
    • The broker.xml file has the security settings. These settings allow the roles user, europe-user, news-user, and us-user to produce to and consume from the various queues listed in the file.
    • The example.ldif file holds the definition of the LDAP server roles and their associated users and passwords.

    Additional configurations

    In addition to the LDAP server roles, we have to define a special role for access to Hawtio, which we do in the artemis.profile configuration. In this case, we replace the default -Dhawtio.role=amq with -Dhawtio.role=user.

    We also want to configure the LDAP server operations for verbose logging, so we set the following in the logging.properties file:

    loggers=[default entries],org.apache.activemq.artemis.spi.core.security
    logger.org.apache.activemq.artemis.spi.core.security.level=DEBUG
    

    Also, note that the Hawtio GUI uses the Java Management Extensions (JMX) framework for various operations. So, we also have to provide role-based access control (RBAC) configurations for JMX. You will find the following RBAC config in the management.xml file:

    <match domain="org.apache.activemq.artemis">
        <access method="list*" roles="amq,user"/>
        <access method="get*" roles="amq,user"/>
        <access method="is*" roles="amq,user"/>
        <access method="set*" roles="amq,user"/>
        <access method="*" roles="amq,user"/>
    </match>
    

    Part 3: Test the LDAP integration with AMQ 7.7

    Our final step is to test the integration.

    Assuming that the configuration files from the Artemis_POC/ldapIntegration/etc folder have been copied into place, enter the following command to start the broker:

    $ ./artemis run
    

    In a different Linux terminal, send and receive messages with the following commands:

    $ ./artemis producer --user andrew --password activemq1 --destination queue://news.europe.europeTopic --message-count 1
    Connection brokerURL = tcp://localhost:61616
    Producer ActiveMQQueue[news.europe.europeTopic], thread=0 Started to calculate elapsed time ...
    
    Producer ActiveMQQueue[news.europe.europeTopic], thread=0 Produced: 1 messages
    Producer ActiveMQQueue[news.europe.europeTopic], thread=0 Elapsed time in second : 0 s
    Producer ActiveMQQueue[news.europe.europeTopic], thread=0 Elapsed time in milli second : 87 milli seconds
    $
    $ ./artemis consumer --user frank --password activemq2 --destination queue://news.europe.europeTopic --message-count 1
    Connection brokerURL = tcp://localhost:61616
    Consumer:: filter = null
    Consumer ActiveMQQueue[news.europe.europeTopic], thread=0 wait until 1 messages are consumed
    Consumer ActiveMQQueue[news.europe.europeTopic], thread=0 Consumed: 1 messages
    Consumer ActiveMQQueue[news.europe.europeTopic], thread=0 Elapsed time in second : 0 s
    Consumer ActiveMQQueue[news.europe.europeTopic], thread=0 Elapsed time in milli second : 27 milli seconds
    Consumer ActiveMQQueue[news.europe.europeTopic], thread=0 Consumed: 1 messages
    Consumer ActiveMQQueue[news.europe.europeTopic], thread=0 Consumer thread finished
    $
    $ ./artemis producer --user frank --password activemq2 --destination queue://news.europe.europeTopic --message-count 1
    Connection brokerURL = tcp://localhost:61616
    Producer ActiveMQQueue[news.europe.europeTopic], thread=0 Started to calculate elapsed time ...
    
    javax.jms.JMSSecurityException: AMQ229032: User: frank does not have permission='SEND' on address news.europe.europeTopic
    at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:467)
    at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:361)
    at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.sendFullMessage(ActiveMQSessionContext.java:552)
    at org.apache.activemq.artemis.core.client.impl.ClientProducerImpl.sendRegularMessage(ClientProducerImpl.java:296)
    at org.apache.activemq.artemis.core.client.impl.ClientProducerImpl.doSend(ClientProducerImpl.java:268)
    at org.apache.activemq.artemis.core.client.impl.ClientProducerImpl.send(ClientProducerImpl.java:143)
    at org.apache.activemq.artemis.core.client.impl.ClientProducerImpl.send(ClientProducerImpl.java:125)
    at org.apache.activemq.artemis.jms.client.ActiveMQMessageProducer.doSendx(ActiveMQMessageProducer.java:483)
    at org.apache.activemq.artemis.jms.client.ActiveMQMessageProducer.send(ActiveMQMessageProducer.java:193)
    at org.apache.activemq.artemis.cli.commands.messages.ProducerThread.sendMessage(ProducerThread.java:125)
    at org.apache.activemq.artemis.cli.commands.messages.ProducerThread.run(ProducerThread.java:91)
    Caused by: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ229032: User: frank does not have permission='SEND' on address news.europe.europeTopic]
    ... 11 more
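
The AMQ229032 failure above is the broker's security-settings check at work: the address news.europe.europeTopic is matched against the match patterns in broker.xml, the most specific matching setting is selected, and the SEND permission is granted only if one of the user's LDAP roles appears in that setting's send list. The following Python is an added model of that check, not the broker's code and not the article's broker.xml. The match patterns, the role grants per permission, and the user-to-role assignments (andrew as europe-user, frank as news-user) are constructed assumptions chosen so that the outcome matches the transcript; the wildcard rules ('.' separates words, '*' matches exactly one word, '#' matches zero or more words) follow the Artemis address syntax, and the precedence rule (most literal words wins) is the model's assumption.

```python
# Constructed security settings in the shape of the <security-setting match="...">
# elements in broker.xml. Patterns and role grants are assumptions for
# illustration; they are not copied from the article's broker.xml.
SECURITY_SETTINGS = {
    "#": {
        "send": {"amq"}, "consume": {"amq"},
        "createDurableQueue": {"amq"}, "createNonDurableQueue": {"amq"},
    },
    "news.europe.#": {
        "send": {"europe-user"},
        "consume": {"europe-user", "news-user"},
        "createDurableQueue": {"europe-user", "news-user"},
        "createNonDurableQueue": {"europe-user", "news-user"},
    },
    "news.us.#": {
        "send": {"us-user"},
        "consume": {"us-user", "news-user"},
        "createDurableQueue": {"us-user", "news-user"},
        "createNonDurableQueue": {"us-user", "news-user"},
    },
}

# Assumed role membership standing in for what the LDAP role lookup returns.
USER_ROLES = {
    "andrew": {"user", "europe-user"},
    "frank": {"user", "news-user"},
}


def address_matches(pattern, address):
    """Artemis-style wildcard match: '.' separates words, '*' matches exactly
    one word, '#' matches zero or more words."""
    return _match(pattern.split("."), address.split("."))


def _match(pat, words):
    if not pat:
        return not words
    if pat[0] == "#":
        # '#' may absorb any number of words, including none
        return any(_match(pat[1:], words[i:]) for i in range(len(words) + 1))
    if not words:
        return False
    if pat[0] == "*" or pat[0] == words[0]:
        return _match(pat[1:], words[1:])
    return False


def most_specific_match(settings, address):
    """Return the matching pattern with the most literal words (ties broken
    by fewer '#' wildcards), or None. Assumed precedence rule for the model."""
    matches = [m for m in settings if address_matches(m, address)]
    if not matches:
        return None

    def specificity(pattern):
        parts = pattern.split(".")
        literal = sum(p not in ("*", "#") for p in parts)
        return (literal, -parts.count("#"))

    return max(matches, key=specificity)


def authorize(user, permission, address, settings=SECURITY_SETTINGS, user_roles=USER_ROLES):
    """Return (allowed, explanation): pick the applicable security-setting for the
    address, then require that one of the user's roles is granted the permission."""
    match = most_specific_match(settings, address)
    if match is None:
        return False, "no security-setting matches address %s" % address
    granted = settings[match].get(permission, set())
    roles = user_roles.get(user, set())
    if granted & roles:
        return True, "%s has permission='%s' on %s via match '%s'" % (
            user, permission.upper(), address, match)
    return False, ("User: %s does not have permission='%s' on address %s "
                   "(match '%s' grants %s; user roles %s)" % (
                       user, permission.upper(), address, match,
                       sorted(granted), sorted(roles)))


if __name__ == "__main__":
    for user, perm in (("andrew", "send"), ("frank", "consume"), ("frank", "send")):
        allowed, why = authorize(user, perm, "news.europe.europeTopic")
        print("ALLOW" if allowed else "DENY ", why)
```

The explanation string returned on denial is what you want in a log when triaging an AMQ229032 report: which pattern was selected and which roles it grants, so that a mismatch between an LDAP group name and a broker.xml role is visible without guessing.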
    

    Now, browse to the console login (http://localhost:8161/console/login) and enter the user name andrew and the password activemq1.

    You should now be able to send a message through the Hawtio GUI, as shown in Figure 10.

    Figure 10: Send a message via the Hawtio GUI.

    Sending the message verifies that the integration is complete.

    Conclusion

    I hope that you liked this article and that it has helped you to better understand LDAP authentication with Red Hat AMQ 7.x and Apache ActiveMQ Artemis.

    Last updated: November 17, 2023
