Friday, September 25, 2009

JMSTester online

The last couple of weeks I have spent some time on site working with ActiveMQ users helping them to get a decent benchmark in place for their JMS layer. I already had some code for a JMS benchmarking framework from earlier assignments and used the chance to get that a bit polished and documented.

Essentially it is designed to run a set of distributed JMS clients with a defined load profile. The framework will then measure the throughput and also allows to measure key performance indicators via JMX or on the OS level during the benchmark. This gives nice hints, whether the JMS server machines are CPU bound, lack IO capacity or have to less memory etc.

For all metrics graphs are created and if you want to run even more sophisticated analysises, all metrics are pushed into a CSV file that can be used in your favorite spreadsheet calculator.

The JMSTest framework is now a public project at FUSE Source.

Have fun trying it out if you want, any feedback is more than welcome.

Wednesday, September 2, 2009

Enabling Security for ActiveMQ web apps

Recently I was working with for a company to harden their set up of Active MQ. Though not the ultimate monitoring solution for Avtive MQ, they wanted to use the web console for providing some kind of ad hoc visibility on key properties. The ActiveMQ web page describes the set up that is pretty straight forward when an external servlet engine is used, but configuring the embedded jetty is a bit different.

From the ActiveMQ web console documentation we could see that we need 3 things:

  1. An User Realm that can be plugged into the Jetty engine.

  2. Credentials definitions.

  3. A security aware web application.

Let's have a look at each of these things:

We start with rewriting the jetty bean definition in the default activemq.xml with the following activemq.xml:

Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

<!-- Allows us to use system properties as variables in this configuration file -->
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">

<broker xmlns="" brokerName="TRT_INT" dataDirectory="${activemq.base}/data">

<!-- Destination specific policies using destination names or wildcards -->
<policyEntry queue=">" producerFlowControl="true"/>
<policyEntry topic=">" producerFlowControl="true"/>

<!-- Define Virtual Destinations for Topics -->
<!-- All topics will have a corresponding queue corresponding to the name pattern below
where consumers can connect to in order to act as subscription groups. -->
<virtualTopic name=">" prefix="VTopic.*." />

<!-- predefine Queues corresponding to Virtual topics so that no messages get lost due
to unregistered consumers. -->
<!-- The Subscriber group App1 is the name of a queue that ALL instances of App1
would use to consume messages from the topic "X". All
consumers using the same queue name act as ONE subscriber and the messages
will be load balanced across the group. -->
<!-- queue physicalName="VTopic.App1.X" / -->

<!-- Use the following to configure how ActiveMQ is exposed in JMX -->
<managementContext createConnector="true"/>

<!-- The store and forward broker networks ActiveMQ will listen to -->
<!-- by default just auto discover the other brokers -->
<!--<networkConnector name="default-nc" uri="multicast://default"/>-->
<!-- Example of a static configuration:
<networkConnector name="host1 and host2" uri="static://(tcp://host1:61616,tcp://host2:61616)"/>

<!-- Using the Kaha DB store for persistence now -->
<kahaDB directory="${activemq.base}/data/kahadb" />

<!-- Don't have ssl
<sslContext keyStore="file:${activemq.base}/conf/broker.ks" keyStorePassword="password" trustStore="file:${activemq.base}/conf/broker.ts" trustStorePassword="password"/>
</sslContext -->

<!-- The maximum about of space the broker will use before slowing down producers -->
<memoryUsage limit="350 mb"/>
<storeUsage limit="20 gb" name="foo"/> <!-- used for persistent messages -->
<tempUsage limit="100 mb"/> <!-- used for non persistent messages -->

<!-- The transport connectors ActiveMQ will listen to -->
<transportConnector name="openwire" uri="tcp://"/>

<jetty:nioConnector port="8161"/>
<jetty:webAppContext contextPath="/admin" resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true"/>
<bean class="">
<property name="name" value="ActiveMQ Realm" />
<property name="config" value="${activemq.base}/conf/" />

Next you need to create the file in the conf directory of ActiveMQ.The file contains one line per user with the format

useName: password, [roleName]*

For example:

myAdmin: THESECRET, amqAdmin

Finally you need to amend the web.xml files of the ActiveMQ web applications (${activemq.base}/webapps/*/WEB-INF/web.xml) with the following xml fragment:

<web-resource-name>A Protected Page</web-resource-name>

<realm-name>ActiveMQ Realm</realm-name>

Make sure, the Realm name matches the one you have set in the Realm definition and the role name match roles you have named in the properties file.