ActiveMQ Configuration for Puppet
The architecture of MCollective is based around three main components: servers, clients, and the middleware.
Apache ActiveMQ is the primary middleware that is recommended with MCollective.
MCollective connects to ActiveMQ over the Stomp protocol, and presents certain credentials:
- It provides a username and password, with which ActiveMQ can do what it pleases.
- If TLS is in use, it will also present a certificate (and verify the ActiveMQ server certificate).
Once allowed to connect, MCollective will use the Stomp protocol to create subscriptions. It will then produce and consume a lot of traffic on queues and topics whose names begin with mcollective.
ActiveMQ’s config is usually called activemq.xml, and is kept in ActiveMQ’s configuration directory.
Recommended Settings:
Stomp
ActiveMQ must listen over the network for Stomp connections; otherwise, MCollective can’t reach it. Enable this with a
element inside the
element. It is recommended to use TLS.
TLS Credentials:
If you are using TLS in either your Stomp or OpenWire transport connectors, ActiveMQ needs a keystore file, a truststore file, and a password for each:
keyStore="keystore.jks" keyStorePassword="keystorepswd"
trustStore="truststore.jks" trustStorePassword="truststore
/>
Authentication (Users and Groups)
When they connect, MCollective clients and servers provide a username, password, and optionally an SSL certificate. ActiveMQ can use any of these to authenticate them.
By default, ActiveMQ ignores all of these and has no particular concept of “users.” Enabling authentication means ActiveMQ will only allow users with proper credentials to connect.
Authentication can be set up by adding the appropriate element to the
simpleAuthenticationPlugin defines users directly in activemq.xml. It also requires you to edit activemq.xml and restart the broker every time you add a new user.
The example below uses simpleAuthenticationPlugin.
<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="mcollective" password="marionette" groups="mcollective,everyone"/>
      <authenticationUser username="admin" password="secret" groups="mcollective,admins,everyone"/>
    </users>
  </simpleAuthenticationPlugin>
</plugins>
Unless we set up authorization (see below), these users have exactly the same capabilities.
We will now go through the installation and configuration of Apache ActiveMQ. We are using Apache ActiveMQ 5.10.2.
Step 1:
sudo tar zxvf apache-activemq-5.10.2-bin.tar.gz -C /opt
Step 2:
sudo ln -sf /opt/apache-activemq-5.10.2/ /opt/activemq
Step 3:
sudo adduser --system activemq
Step 4:
$ id activemq
uid=497(activemq) gid=497(activemq) groups=497(activemq)
Step 5:
Download activemq.xml from https://raw.githubusercontent.com/puppetlabs/marionette-collective/master/ext/activemq/examples/single-broker/activemq.xml and copy to /opt/activemq/conf/activemq.xml
Step 6:
Add the following in activemq.xml
Step 7:
Change the passwords for the mcollective and admin users in activemq.xml to strong passwords, as shown below:
<authenticationUser username="mcollective" password="strongpswd" groups="mcollective,everyone"/>
<authenticationUser username="admin" password="strongpswd" groups="mcollective,admins,everyone"/>
Step 8:
# puppet cert generate "activemq.example.com"
Notice: Signed certificate request for ca
Notice: activemq.example.com has a waiting certificate request
Notice: Signed certificate request for activemq.example.com
Notice: Removing file Puppet::SSL::CertificateRequest activemq.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/activemq.example.com.pem'
Notice: Removing file Puppet::SSL::CertificateRequest activemq.jacaranda.com at '/etc/puppetlabs/puppet/ssl/certificate_requests/activemq.example.com.pem'
Step 9: Generate keystore and Truststore
# keytool -import -alias "My CA" -file /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -keystore truststore.jks
Enter keystore password:
Re-enter new password:
Owner: CN=Puppet CA: server1
Issuer: CN=Puppet CA: server1
Serial number: 1
Valid from: Sun Jun 26 15:56:17AEST 2016 until:Sat Jun 15:56:17 AEST 2021
Certificate fingerprints:
.............
.............
Trust this certificate? [no]: yes
Certificate was added to keystore
Step 10:
# cat /etc/puppetlabs/puppet/ssl/private_keys/activemq.example.com.pem /etc/puppetlabs/puppet/ssl/certs/activemq.example.com.pem > temp.pem
# openssl pkcs12 -export -in temp.pem -out activemq.p12 -name activemq.example.com
Enter Export Password:
Verifying - Enter Export Password:
# keytool -importkeystore -destkeystore keystore.jks -srckeystore activemq.p12 -srcstoretype PKCS12 -alias activemq.example.com
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
# cp keystore.jks /opt/activemq/conf/
# cp truststore.jks /opt/activemq/conf/
# sudo chown puppet:puppet /opt/activemq/conf/keystore.jks
# sudo chown puppet:puppet /opt/activemq/conf/truststore.jks
Step 11:
Add the entries for keystore and truststore in activemq.xml as shown below
keyStore="keystore.jks" keyStorePassword="keystorepswd"
trustStore="truststore.jks" trustStorePassword="truststorep"
/>
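An added config audit (my own example, not code from this page or from the MCollective project) that parses an activemq.xml and reports the two weaknesses the authentication section and step 11 address: users still on the example passwords, and Stomp connectors that are plaintext or claim TLS without a complete sslContext. The activemq.xml fragment is a constructed sample in the pre-hardening state.

```python
import xml.etree.ElementTree as ET

# activemq.xml's <broker> and its children live in ActiveMQ's Spring schema namespace.
NS = {"amq": "http://activemq.apache.org/schema/core"}
# Passwords shipped in the published example config; still using them is a finding.
EXAMPLE_PASSWORDS = {"marionette", "secret"}
TLS_ATTRS = ("keyStore", "keyStorePassword", "trustStore", "trustStorePassword")

# Constructed sample: the example users and a plaintext Stomp connector, i.e. the
# state of the file before steps 7 and 11 above have been applied.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <plugins>
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="mcollective" password="marionette" groups="mcollective,everyone"/>
          <authenticationUser username="admin" password="secret" groups="mcollective,admins,everyone"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
      <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
    </transportConnectors>
  </broker>
</beans>"""


def audit_activemq_xml(xml_text):
    """Return a list of findings for one activemq.xml document (empty list = clean)."""
    findings = []
    broker = ET.fromstring(xml_text).find("amq:broker", NS)
    if broker is None:
        return ["no <broker> element in the ActiveMQ namespace"]
    # Authentication: the plugin must exist and no user may keep an example password.
    if broker.find("amq:plugins/amq:simpleAuthenticationPlugin", NS) is None:
        findings.append("no simpleAuthenticationPlugin: any client can connect")
    for user in broker.iterfind(".//amq:authenticationUser", NS):
        if user.get("password") in EXAMPLE_PASSWORDS:
            findings.append("user %r uses the example password" % user.get("username"))
    # TLS: keystore, truststore and both passwords must be set before ssl:// or stomp+ssl:// works.
    ssl_cfg = broker.find("amq:sslContext/amq:sslContext", NS)
    tls_ok = ssl_cfg is not None and all(ssl_cfg.get(a) for a in TLS_ATTRS)
    for tc in broker.iterfind("amq:transportConnectors/amq:transportConnector", NS):
        name, uri = tc.get("name"), tc.get("uri", "")
        if uri.startswith("stomp://"):
            findings.append("connector %r accepts plaintext Stomp: %s" % (name, uri))
        elif uri.startswith(("stomp+ssl://", "ssl://")) and not tls_ok:
            findings.append("connector %r is TLS but sslContext is incomplete" % name)
    return findings
```

Run it against /opt/activemq/conf/activemq.xml after steps 7 and 11; an empty list means both the example passwords and the plaintext Stomp listener are gone.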