ActiveMQ Configuration for Puppet

The architecture of MCollective is based around three main components: servers, clients, and the middleware.
Apache ActiveMQ is the primary middleware that is recommended with MCollective. 

MCollective connects to ActiveMQ over the Stomp protocol, and presents certain credentials:
  • It provides a username and password, with which ActiveMQ can do what it pleases.
  • If TLS is in use, it will also present a certificate (and verify the ActiveMQ server certificate).                                                                                                                                                                    
Once allowed to connect, MCollective will use the Stomp protocol to create subscriptions. It will then produce and consume a lot of traffic on queues and topics whose names begin with mcollective. 


ActiveMQ’s config is usually called activemq.xml, and is kept in ActiveMQ’s configuration directory


Recommended Settings:

Stomp

ActiveMQ must listen over the network for Stomp connections; otherwise, MCollective can’t reach it. Enable this with a element inside the element. It is recommended to use TLS.

  
   
 

TLS Credentials:

If you are using TLS in either your Stomp or OpenWire transport connectors, ActiveMQ needs a keystore file, a truststore file, and a password for each:


 xt
   keyStore="keystore.jks" keyStorePassword="keystorepswd"     
   trustStore="truststore.jks" trustStorePassword="truststore
 /> 


Authentication (Users and Groups)

When they connect, MCollective clients and servers provide a username, password, and optionally an SSL certificate. ActiveMQ can use any of these to authenticate them.
By default, ActiveMQ ignores all of these and has no particular concept of “users.” Enabling authentication means ActiveMQ will only allow users with proper credentials to connect.

Authentication can be setup by adding the appropriate element to the element.

simpleAuthenticationPlugin defines users directly in activemq.xml. It also requires you to edit activemq.xml and restart the broker everytime we added a new user.

The example below uses simpleAuthenticationPlugin

<plugins>;
      <simpleAuthenticationPlugin>;
        <users>;
           <authenticationUser username="mcollective" password="marionette" groups="mcollective,everyone"/>;
          <authenticationUser username="admin" password="secret" groups="mcollective,admins,everyone"/>;
        </users>;
      </simpleAuthenticationPlugin>; 
 
 
Unless We set up authorization (see below), these users have the exact same capabilities. 

 

We will now go into installation and configuration of Apache ActiveMQ. We are using Apache Activemq-5.10.2 
 
 
Step 1: 
 
         sudo tar zxvf apache-activemq-5.10.2-bin.tar.gz -C /opt
 
Step 2: 
         sudo ln -sf /opt/apache-activemq-5.10.2/  /opt/activemq
 
 
Step 3: 
       sudo adduser --system activemq  

Step 4:     

       $id activemq
       uid=497(activemq) gid=497(activemq) groups=497(activemq)

Step 5:

 Download activemq.xml from  https://raw.githubusercontent.com/puppetlabs/marionette-collective/master/ext/activemq/examples/single-broker/activemq.xml and copy to /opt/activemq/conf/activemq.xml

Step 6:

Add the following in activemq.xml


       

Step 7: 

Change the password for mcollective/admin user in activemq.conf with a strong password as shown below


    
           strongpswd
" groups="mcollective,everyone"/>
           strongpswd
" groups="mcollective,admins,everyone"/>
    




Step 8:

   # puppet cert generate  "activemq.example.com"
   Notice: Signed certificate request for ca
   Notice: activemq.example.com has a waiting certificate request
   Notice: Signed certificate request for activemq.example.com
   Notice: Removing file Puppet::SSL::CertificateRequest activemq.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/activemq.example.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest activemq.jacaranda.com at '/etc/puppetlabs/puppet/ssl/certificate_requests/activemq.example.com.pem'
 

Step 9: Generate keystore and Truststore

 #keytool -import -alias "My CA" -file /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem  -keystore truststore.jks
     Enter keystore password:
      Re-enter new password:
      Owner: CN=Puppet CA: server1
      Issuer: CN=Puppet CA: server1
      Serial number: 1
      Valid from: Sun Jun 26 15:56:17AEST 2016 until:Sat Jun 15:56:17 AEST 2021
      Certificate fingerprints:

      .............

      .............
      Trust this certificate? [no]:  yes
      Certificate was added to keystore 

Step 10

 # cat /etc/puppetlabs/puppet/ssl/private_keys/activemq.example.com.pem /etc/puppetlabs/puppet/ssl/certs/activemq.example.com.pem > temp.pem


# openssl pkcs12 -export -in temp.pem -out activemq.p12 -name activemq.example.com
Enter Export Password:
Verifying - Enter Export Password:
 

# keytool -importkeystore  -destkeystore keystore.jks -srckeystore activemq.p12 -srcstoretype PKCS12 -alias activemq.example.com
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:

# cp keystore.jks /opt/activemq/conf/
# cp truststore.jks /opt/activemq/conf/

# sudo chown puppet:puppet /opt/activemq/conf/keystore.jks       # sudo chown puppet:puppet /opt/activemq/conf/truststore.jks


Step 11:

Add the entries for keystore and truststore in activemq.xml as shown below


       keyStore="keystore.jks" keyStorePassword="keystorepswd"
     trustStore="truststore.jks" trustStorePassword="truststorep"
  />

Step 12:

Generate /etc/default/activemq as shown below 

#/opt/activemq/bin/activemq setup /etc/default/activemq
INFO: Creating configuration file: /etc/default/activemq
INFO: It's recommend to limit access to '/etc/default/activemq' to the priviledged user
INFO: (recommended: chown 'root':nogroup '/etc/default/activemq'; chmod 600 '/etc/default/activemq')

Step 13: 

Create startup scripts for activemq start/stop as shown below

$ cat /etc/init.d/activemqstart.sh
#!/bin/bash
export JAVA_HOME=/usr
/opt/activemq/bin/activemq start

$ cat /etc/init.d/activemqstop.sh
#!/bin/bash
export JAVA_HOME=/usr
/opt/activemq/bin/activemq stop

 

With this step, we are done configuring activemq. We are start/stop using the startup steps created above to veirfy activemq functionality. For issues , we can checl log file for activemq to identify issues.

Log Location:$ tail -f /opt/activemq/data/activemq.log 

 

 

Comments

Popular Posts