ActiveMQ: Enable JMX with authentication

PART 1: ActiveMQ Broker Authentication (Mandatory)

Objective

  • Enforce username/password authentication
  • Disable anonymous access
  • Encrypt credentials at rest

Step 1: Encrypt the ActiveMQ Password

Open Command Prompt as Administrator and navigate to the ActiveMQ bin directory:

cd <ACTIVEMQ_HOME>\bin

Run the encryption command:

activemq encrypt --password activemq --input <your_password>

Example:

activemq encrypt --password activemq --input snehal

Sample Output:

Encrypted text: sUBa0wl6rQQeW8HU6TFIUw==

Note: Save the encrypted value. It will be used in configuration files.


Step 2: Configure Encrypted Credentials

File:

<ACTIVEMQ_HOME>\conf\credentials-enc.properties

Add or update the following entries:

aeuser.password=ENC(sUBa0wl6rQQeW8HU6TFIUw==)
activemq.username=admin
activemq.password=ENC(sUBa0wl6rQQeW8HU6TFIUw==)

Step 3: Remove Default Plain-Text Placeholder (CRITICAL STEP)

File:

<ACTIVEMQ_HOME>\conf\activemq.xml

REMOVE the following block completely (if present):

<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="locations">
        <value>file:${activemq.conf}/credentials.properties</value>
    </property>
</bean>

Why this step is mandatory

  • Loads plain-text credentials
  • Conflicts with encrypted properties
  • Prevents password decryption
  • Causes authentication failures

Step 4: Enable Encrypted Property Support (Jasypt)

File:

<ACTIVEMQ_HOME>\conf\activemq.xml

Add the following Spring beans under <beans>:

<bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
    <property name="algorithm" value="PBEWithMD5AndDES"/>
    <property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD"/>
</bean>
<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    <property name="config" ref="environmentVariablesConfiguration"/>
</bean>
<bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
    <constructor-arg ref="configurationEncryptor"/>
    <property name="location" value="file:${activemq.conf}/credentials-enc.properties"/>
</bean>

Step 5: Enable Broker Authentication

Inside the <broker> section of activemq.xml, add:

<plugins>
    <simpleAuthenticationPlugin anonymousAccessAllowed="false">
        <users>
            <authenticationUser username="admin" password="${aeuser.password}" groups="admins,users"/>
        </users>
    </simpleAuthenticationPlugin>
</plugins>

✔ Anonymous access disabled
✔ Authentication enforced
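
A quick way to confirm that the edits from Steps 3 to 5 are in place before restarting the broker. This is an added example, not part of the original procedure or of ActiveMQ itself; the function names and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PLAIN_CONFIGURER = "org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"
JASYPT_CONFIGURER = "EncryptablePropertyPlaceholderConfigurer"

def local_name(tag):
    """Strip the XML namespace so Spring and ActiveMQ elements match by name."""
    return tag.rsplit("}", 1)[-1]

def audit_activemq_xml(xml_text):
    """Return findings for Steps 3-5; an empty list means every check passed."""
    elems = list(ET.fromstring(xml_text).iter())
    classes = [e.get("class", "") for e in elems if local_name(e.tag) == "bean"]
    findings = []
    if PLAIN_CONFIGURER in classes:
        findings.append("step3: plain-text PropertyPlaceholderConfigurer still loaded")
    if not any(c.endswith(JASYPT_CONFIGURER) for c in classes):
        findings.append("step4: Jasypt EncryptablePropertyPlaceholderConfigurer missing")
    plugins = [e for e in elems if local_name(e.tag) == "simpleAuthenticationPlugin"]
    if not plugins:
        findings.append("step5: simpleAuthenticationPlugin missing")
    for plugin in plugins:
        if plugin.get("anonymousAccessAllowed") != "false":
            findings.append("step5: anonymousAccessAllowed is not explicitly false")
    for user in (e for e in elems if local_name(e.tag) == "authenticationUser"):
        # The password must be a ${...} placeholder resolved from credentials-enc.properties.
        if not re.fullmatch(r"\$\{[^}]+\}", user.get("password", "")):
            findings.append(f"step5: user {user.get('username')!r} has a literal password")
    return findings

# Constructed sample: a configuration still in its pre-hardening state.
SAMPLE_WEAK = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
  <broker xmlns="http://activemq.apache.org/schema/core">
    <plugins>
      <simpleAuthenticationPlugin anonymousAccessAllowed="true">
        <users><authenticationUser username="admin" password="example-only" groups="admins"/></users>
      </simpleAuthenticationPlugin>
    </plugins>
  </broker>
</beans>"""

if __name__ == "__main__":
    for finding in audit_activemq_xml(SAMPLE_WEAK):
        print(finding)
```

To check a real installation, pass the contents of `<ACTIVEMQ_HOME>\conf\activemq.xml` to `audit_activemq_xml`.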


Step 6: Set Encryption Secret (OS Level)

Set the encryption password as a SYSTEM environment variable:

setx ACTIVEMQ_ENCRYPTION_PASSWORD "activemq" /M

Important: Restart the server or ActiveMQ service after setting this variable.


Step 7: Configure AutomationEdge

File:

<AE_HOME>\ae.properties

Add or verify:

activemq.broker.url=tcp://localhost:61616
mq.username=admin
mq.password=snehal

Note: AE is configured with the plain-text password; ActiveMQ decrypts the ENC(...) value at startup and validates the supplied password against it.


Step 8: Restart Services (Correct Order)

net stop AutomationEdge
net stop ActiveMQ

net start ActiveMQ
net start AutomationEdge

⚠ Ensure only one ActiveMQ instance is running on port 61616.


Verification – Broker Authentication

  • Open ActiveMQ Console:
  • Login using:
  • Verify AE logs show successful broker connection.

PART 2: Enable JMX with Authentication

Objective

  • Secure JMX monitoring access
  • Prevent unauthenticated access
  • Meet audit / VAPT requirements

Step 9: Enable JMX in ActiveMQ

File:

<ACTIVEMQ_HOME>\conf\activemq.xml

Ensure broker has:

<broker useJmx="true" ...>

Step 10: Configure JMX Access Roles

File:

<ACTIVEMQ_HOME>\conf\jmx.access

admin readwrite
monitor readonly

Step 11: Configure JMX Passwords

File:

<ACTIVEMQ_HOME>\conf\jmx.password

admin Jmx@123
monitor Monitor@123

⚠ Passwords are stored in clear text by JVM design.


Step 12: Secure JMX Password File (MANDATORY)

Run CMD as Administrator:

cd <ACTIVEMQ_HOME>\conf
icacls jmx.password /inheritance:r
icacls jmx.password /grant "%USERNAME%:R"
icacls jmx.password /grant "Administrators:R"

✔ Only owner and administrators have read access
✔ ActiveMQ will fail to start if permissions are weak (expected behavior)


Step 13: Configure JMX JVM Options

File:

<ACTIVEMQ_HOME>\bin\activemq.bat

Add:

set ACTIVEMQ_OPTS=%ACTIVEMQ_OPTS% ^
-Dcom.sun.management.jmxremote ^
-Dcom.sun.management.jmxremote.port=1234 ^
-Dcom.sun.management.jmxremote.rmi.port=1234 ^
-Djava.rmi.server.hostname=localhost ^
-Dcom.sun.management.jmxremote.authenticate=true ^
-Dcom.sun.management.jmxremote.ssl=false ^
-Dcom.sun.management.jmxremote.password.file="%ACTIVEMQ_CONF%\jmx.password" ^
-Dcom.sun.management.jmxremote.access.file="%ACTIVEMQ_CONF%\jmx.access"
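
The files edited in Steps 10, 11 and 13 have to agree with each other, and a mismatch usually only shows up at connection time. The following added example (not part of the original procedure; function names and sample data are constructed) parses the `ACTIVEMQ_OPTS` block together with `jmx.access` and `jmx.password` and lists inconsistencies. It also reports `ssl=false`, since with that setting the JMX login is not protected in transit.

```python
import re

PREFIX = "com.sun.management.jmxremote."

def parse_jmx_opts(bat_text):
    """Collect -Dname=value pairs from a cmd 'set ACTIVEMQ_OPTS=... ^' block."""
    joined = re.sub(r"\^[ \t]*\r?\n", " ", bat_text)  # undo caret continuations
    return {m.group(1): (m.group(2) or "").strip('"')
            for m in re.finditer(r'-D([\w.]+)(?:=("[^"]*"|\S+))?', joined)}

def parse_entries(text):
    """Parse 'name value' lines, the layout of jmx.access and jmx.password."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            entries[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return entries

def audit_jmx(bat_text, access_text, password_text):
    """Return a list of findings for the files edited in Steps 10, 11 and 13."""
    opts = parse_jmx_opts(bat_text)
    access, passwords = parse_entries(access_text), parse_entries(password_text)
    findings = []
    if opts.get(PREFIX + "authenticate", "true").lower() != "true":
        findings.append("authenticate is disabled")
    for key in ("password.file", "access.file"):
        if not opts.get(PREFIX + key):
            findings.append(f"{key} is not set")
    if opts.get(PREFIX + "rmi.port") != opts.get(PREFIX + "port"):
        findings.append("rmi.port is not pinned to the same value as port")
    if opts.get(PREFIX + "ssl", "").lower() == "false":
        findings.append("ssl=false: credentials cross the connection unencrypted")
    for role in sorted(access):
        if not passwords.get(role):
            findings.append(f"role {role!r} has no password entry")
    for user in sorted(passwords.keys() - access.keys()):
        findings.append(f"user {user!r} has a password but no access level")
    return findings

# Constructed sample: authentication switched off and the two files out of sync.
SAMPLE_BAT = r"""set ACTIVEMQ_OPTS=%ACTIVEMQ_OPTS% ^
-Dcom.sun.management.jmxremote ^
-Dcom.sun.management.jmxremote.port=1234 ^
-Dcom.sun.management.jmxremote.authenticate=false ^
-Dcom.sun.management.jmxremote.ssl=false"""
SAMPLE_ACCESS = "admin readwrite\nmonitor readonly\n"
SAMPLE_PASSWORD = "admin constructed-value\nops constructed-value\n"

if __name__ == "__main__":
    print("\n".join(audit_jmx(SAMPLE_BAT, SAMPLE_ACCESS, SAMPLE_PASSWORD)))
```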

Step 14: Restart ActiveMQ

net stop ActiveMQ
net start ActiveMQ

Verification – JMX Authentication

Using JConsole:

Connection URL:

service:jmx:rmi:///jndi/rmi://localhost:1234/jmxrmi

Credentials:

Username: admin
Password: Jmx@123

✔ Successful connection
✔ Invalid credentials are rejected
