Hi,
Binding JMX to a specified address is unfortunately not trivial. For
details see this blog post:
http://vafer.org/blog/20061010091658

You will probably be better off using a firewall to whitelist only your
transport socket.

On Tue, 24 Aug 2010 14:47:07 -0700 (PDT)
Eraos <r...@broemeling.org> wrote:

> 
> Hi, I'm a new ActiveMQ user (ActiveMQ 5.4.0 on Ubuntu Lucid Lynx) and
> have been trying to lock-down/secure an ActiveMQ instance for this
> entire afternoon without really getting anywhere appreciable.  I was
> hoping someone here could help me.
> 
> Specifically, what I want is for ActiveMQ to:
> 
> 1) Bind all administrative and miscellaneous sockets to localhost.
> 2) Bind only the STOMP transport to a private network.
> 
> I've achieved #2, but #1 really eludes me badly.  The bindings of my
> ActiveMQ server currently look like this, according to netstat:
> 
> -----SNIP-----
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp6       0      0 10.179.68.234:61617     :::*                    LISTEN      5119/java
> tcp6       0      0 :::33689                :::*                    LISTEN      5119/java
> tcp6       0      0 :::11099                :::*                    LISTEN      5119/java
> tcp6       0      0 :::11100                :::*                    LISTEN      5119/java
> -----SNIP-----
> 
> As you can see, the transport binding (port 61617) is correctly on the
> private network; but the other three are wildcard bindings that I
> really want turned into localhost bindings, but I cannot for the life
> of me figure out how to do it.
> 
> The command-line that ActiveMQ is currently executed as is:
> 
> -----SNIP-----
> /usr/bin/java
>   -Xms256M
>   -Xmx256M
>   -Dorg.apache.activemq.UseDedicatedTaskRunner=true
>   -Djava.util.logging.config.file=logging.properties
>   -Dcom.sun.management.jmxremote
>   -Djava.rmi.server.hostname=127.0.0.1
>   -Dactivemq.classpath=/opt/apache-activemq-5.4.0/conf;
>   -Dactivemq.home=/opt/apache-activemq-5.4.0
>   -Dactivemq.base=/opt/apache-activemq-5.4.0
>   -jar /opt/apache-activemq-5.4.0/bin/run.jar
>   xbean:file:/etc/activemq.xml
> -----SNIP-----
> 
> ... and my /etc/activemq.xml file looks like this (comments trimmed
> out):
> 
> -----SNIP-----
> <beans
>   xmlns="http://www.springframework.org/schema/beans"
>   xmlns:amq="http://activemq.apache.org/schema/core"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="
>         http://www.springframework.org/schema/beans
>         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>         http://activemq.apache.org/schema/core
>         http://activemq.apache.org/schema/core/activemq-core.xsd">
> 
>     <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
>         <property name="locations">
>             <value>file:${activemq.base}/conf/credentials.properties</value>
>         </property>
>     </bean>
>     <broker xmlns="http://activemq.apache.org/schema/core"
>             brokerName="localhost" dataDirectory="${activemq.base}/data"
>             persistent="false" useJmx="true">
>         <destinationPolicy>
>             <policyMap>
>               <policyEntries>
>                 <policyEntry topic=">" producerFlowControl="false">
>                   <pendingSubscriberPolicy>
>                     <vmCursor />
>                   </pendingSubscriberPolicy>
>                 </policyEntry>
>                 <policyEntry queue=">" producerFlowControl="false">
>                 </policyEntry>
>               </policyEntries>
>             </policyMap>
>         </destinationPolicy>
>         <managementContext>
>             <managementContext connectorPort="11099"
>                                jmxDomainName="org.apache.activemq" rmiServerPort="11100"/>
>         </managementContext>
>         <persistenceAdapter>
>             <kahaDB directory="${activemq.base}/data/kahadb"/>
>         </persistenceAdapter>
>         <transportConnectors>
>             <transportConnector name="stomp"
>                                 uri="stomp://10.179.68.234:61617?transport.closeAsync=false"/>
>         </transportConnectors>
>     </broker>
> </beans>
> -----SNIP-----
> 
> I am reasonably certain that the "extra" ports (i.e. ports 33689,
> 11099, and 11100 in the above netstat output) are due to jmx/rmi but
> I cannot for the life of me figure out how to secure them by forcing
> them to bind localhost instead of binding to the wildcard address.
> Can anyone point me in the right direction as to how to achieve this,
> please?
> 
> Thanks.
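
For readers who want to see what "not trivial" means in practice, here is an added, stand-alone illustration of the technique the linked blog post describes: supplying a custom RMIServerSocketFactory so that both the RMI registry (the connectorPort, 11099 on the page) and the exported RMI connector server (the rmiServerPort, 11100) listen on one chosen address instead of the wildcard. This is example code written for this thread, not code from the original post, the reply, or ActiveMQ itself; the class name LoopbackJmx, the factory class BoundSocketFactory and the ports are assumptions. It uses only standard JDK APIs (LocateRegistry.createRegistry with a server socket factory, and the RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE environment key of RMIConnectorServer). The page's `-Djava.rmi.server.hostname=127.0.0.1` is still needed so the stubs handed to clients advertise the loopback address; this example does not explain the third, ephemeral port (33689) in the poster's netstat output.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.registry.LocateRegistry;
import java.rmi.server.RMIServerSocketFactory;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;

/** Added example (hypothetical class name): JMX over RMI bound to one address only. */
public final class LoopbackJmx {

    /** Server socket factory that binds every RMI listening socket to a fixed address. */
    static final class BoundSocketFactory implements RMIServerSocketFactory {
        private final InetAddress bindAddress;

        BoundSocketFactory(InetAddress bindAddress) {
            this.bindAddress = bindAddress;
        }

        @Override
        public ServerSocket createServerSocket(int port) throws IOException {
            // backlog 0 = JDK default; the third argument is what keeps us off the wildcard
            return new ServerSocket(port, 0, bindAddress);
        }

        // RMI de-duplicates socket factories by equals/hashCode, so make them value-based.
        @Override
        public boolean equals(Object o) {
            return o instanceof BoundSocketFactory
                    && bindAddress.equals(((BoundSocketFactory) o).bindAddress);
        }

        @Override
        public int hashCode() {
            return bindAddress.hashCode();
        }
    }

    /**
     * Starts a JMX connector server whose registry and RMI server sockets are both
     * bound to {@code host}. Returns the running server so the caller can stop it.
     */
    public static JMXConnectorServer start(String host, int registryPort, int serverPort)
            throws IOException {
        InetAddress addr = InetAddress.getByName(host);
        RMIServerSocketFactory ssf = new BoundSocketFactory(addr);

        // 1. The RMI registry (the "connectorPort" in the page's managementContext).
        //    Without the factory argument this would listen on 0.0.0.0 / :: .
        LocateRegistry.createRegistry(registryPort, null, ssf);

        // 2. The exported RMIServer object (the "rmiServerPort"). The same factory is
        //    handed to the connector server through its environment map.
        Map<String, Object> env = new HashMap<>();
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);

        // Fixing both ports in the URL avoids a second, ephemeral wildcard listener.
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi://" + host + ":" + serverPort
                + "/jndi/rmi://" + host + ":" + registryPort + "/jmxrmi");

        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Ports taken from the thread's configuration; the bind address is the loopback.
        JMXConnectorServer server = start("127.0.0.1", 11099, 11100);
        System.out.println("JMX listening on " + server.getAddress());
        System.out.println("Check with: netstat -tlnp | grep -E '11099|11100'");
        Thread.sleep(30_000); // keep it up long enough to inspect, then shut down cleanly
        server.stop();
    }
}
```

Run it with `-Djava.rmi.server.hostname=127.0.0.1` (as the page's command line already does) and netstat should show both ports on 127.0.0.1 rather than `:::`. Because ActiveMQ 5.4.0's managementContext element offers no hook for a socket factory, wiring this into the broker would mean replacing its JMX setup, which is why the reply's firewall suggestion is the lower-effort mitigation.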
