ActiveMQ Configuration for Puppet

The architecture of MCollective is based around three main components: servers, clients, and the middleware.
Apache ActiveMQ is the primary middleware that is recommended with MCollective. 

MCollective connects to ActiveMQ over the Stomp protocol, and presents certain credentials:
  • It provides a username and password, with which ActiveMQ can do what it pleases.
  • If TLS is in use, it will also present a certificate (and verify the ActiveMQ server certificate).                                                                                                                                                                    
Once allowed to connect, MCollective will use the Stomp protocol to create subscriptions. It will then produce and consume a lot of traffic on queues and topics whose names begin with mcollective. 

ActiveMQ’s config is usually called activemq.xml, and is kept in ActiveMQ’s configuration directory

Recommended Settings:


ActiveMQ must listen over the network for Stomp connections; otherwise, MCollective can’t reach it. Enable this with a element inside the element. It is recommended to use TLS.


TLS Credentials:

If you are using TLS in either your Stomp or OpenWire transport connectors, ActiveMQ needs a keystore file, a truststore file, and a password for each:

   keyStore="keystore.jks" keyStorePassword="keystorepswd"     
   trustStore="truststore.jks" trustStorePassword="truststore

Authentication (Users and Groups)

When they connect, MCollective clients and servers provide a username, password, and optionally an SSL certificate. ActiveMQ can use any of these to authenticate them.
By default, ActiveMQ ignores all of these and has no particular concept of “users.” Enabling authentication means ActiveMQ will only allow users with proper credentials to connect.

Authentication can be setup by adding the appropriate element to the element.

simpleAuthenticationPlugin defines users directly in activemq.xml. It also requires you to edit activemq.xml and restart the broker everytime we added a new user.

The example below uses simpleAuthenticationPlugin

           <authenticationUser username="mcollective" password="marionette" groups="mcollective,everyone"/>;
          <authenticationUser username="admin" password="secret" groups="mcollective,admins,everyone"/>;
Unless We set up authorization (see below), these users have the exact same capabilities. 


We will now go into installation and configuration of Apache ActiveMQ. We are using Apache Activemq-5.10.2 
Step 1: 
         sudo tar zxvf apache-activemq-5.10.2-bin.tar.gz -C /opt
Step 2: 
         sudo ln -sf /opt/apache-activemq-5.10.2/  /opt/activemq
Step 3: 
       sudo adduser --system activemq  

Step 4:     

       $id activemq
       uid=497(activemq) gid=497(activemq) groups=497(activemq)

Step 5:

 Download activemq.xml from and copy to /opt/activemq/conf/activemq.xml

Step 6:

Add the following in activemq.xml


Step 7: 

Change the password for mcollective/admin user in activemq.conf with a strong password as shown below

" groups="mcollective,everyone"/>
" groups="mcollective,admins,everyone"/>

Step 8:

   # puppet cert generate  ""
   Notice: Signed certificate request for ca
   Notice: has a waiting certificate request
   Notice: Signed certificate request for
   Notice: Removing file Puppet::SSL::CertificateRequest at '/etc/puppetlabs/puppet/ssl/ca/requests/'
Notice: Removing file Puppet::SSL::CertificateRequest at '/etc/puppetlabs/puppet/ssl/certificate_requests/'

Step 9: Generate keystore and Truststore

 #keytool -import -alias "My CA" -file /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem  -keystore truststore.jks
     Enter keystore password:
      Re-enter new password:
      Owner: CN=Puppet CA: server1
      Issuer: CN=Puppet CA: server1
      Serial number: 1
      Valid from: Sun Jun 26 15:56:17AEST 2016 until:Sat Jun 15:56:17 AEST 2021
      Certificate fingerprints:


      Trust this certificate? [no]:  yes
      Certificate was added to keystore 

Step 10

 # cat /etc/puppetlabs/puppet/ssl/private_keys/ /etc/puppetlabs/puppet/ssl/certs/ > temp.pem

# openssl pkcs12 -export -in temp.pem -out activemq.p12 -name
Enter Export Password:
Verifying - Enter Export Password:

# keytool -importkeystore  -destkeystore keystore.jks -srckeystore activemq.p12 -srcstoretype PKCS12 -alias
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:

# cp keystore.jks /opt/activemq/conf/
# cp truststore.jks /opt/activemq/conf/

# sudo chown puppet:puppet /opt/activemq/conf/keystore.jks       # sudo chown puppet:puppet /opt/activemq/conf/truststore.jks

Step 11:

Add the entries for keystore and truststore in activemq.xml as shown below

       keyStore="keystore.jks" keyStorePassword="keystorepswd"
     trustStore="truststore.jks" trustStorePassword="truststorep"

Step 12:

Generate /etc/default/activemq as shown below 

#/opt/activemq/bin/activemq setup /etc/default/activemq
INFO: Creating configuration file: /etc/default/activemq
INFO: It's recommend to limit access to '/etc/default/activemq' to the priviledged user
INFO: (recommended: chown 'root':nogroup '/etc/default/activemq'; chmod 600 '/etc/default/activemq')

Step 13: 

Create startup scripts for activemq start/stop as shown below

$ cat /etc/init.d/
export JAVA_HOME=/usr
/opt/activemq/bin/activemq start

$ cat /etc/init.d/
export JAVA_HOME=/usr
/opt/activemq/bin/activemq stop


With this step, we are done configuring activemq. We are start/stop using the startup steps created above to veirfy activemq functionality. For issues , we can checl log file for activemq to identify issues.

Log Location:$ tail -f /opt/activemq/data/activemq.log 




Popular posts from this blog

PSSH : Parallel SSH to execute commands on a number of hosts

How to add check_http as a service in Nagios Monitoring using NRPE

Configuring Nagios to monitor services using NRPE