Hi Yevhenii,

the log line "configfile: Reading Policy from ~/.java.login.config" confirms that sun.security.provider.ConfigFile is reading the login configuration only from ~/.java.login.config. This may be due to the value of the security property "policy.allowSystemProperty". If this property is false, sun.security.provider.ConfigFile ignores the system property "java.security.auth.login.config", see
https://github.com/openjdk/jdk21u/blob/jdk-21%2B35/src/java.base/share/classes/sun/security/provider/ConfigFile.java#L239

You can add "properties" to the "java.security.debug" system property to print the values of all security properties as they are loaded and processed, i.e.
-Djava.security.debug=configfile,configparser,properties

Regards,
Domenico

On Wed, 26 Nov 2025 at 21:00, Ievgenii Lopushen <[email protected]> wrote:

> Hi Domenico
>
> It's Artemis 2.44.0
> Changed login config to
> activemq {
>    org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule required
>        debug=true
>        org.apache.activemq.jaas.guest.user="artemis"
>        org.apache.activemq.jaas.guest.role="amq";
> };
>
> and added -Djava.security.debug=configfile,configparser to my JAVA_ARGS so
> that they look like
> JAVA_ARGS="-XX:AutoBoxCacheMax=20000 -XX:+PrintClassHistogram -XX:+UseG1GC
> -XX:+UseStringDeduplication -Xms512M -Xmx2G -Dhawtio.disableProxy=true
> -Dhawtio.realm=activemq -Dhawtio.offline=true
> -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> -Dhawtio.http.strictTransportSecurity=max-age=31536000;includeSubDomains;preload
> -Djolokia.policyLocation=classpath:jolokia-access.xml
> -Dlog4j2.disableJmx=true --add-opens java.base/jdk.internal.misc=ALL-UNNAMED
> -Djava.security.debug=configfile,configparser "
>
> The behaviour is pretty much the same.
> The logs are:
> + ARTEMIS_HOME=/opt/activemq-artemis
> + ARTEMIS_INSTANCE=/var/lib/artemis-instance
> + INSTANCE_SCRIPT=/var/lib/artemis-instance/bin/artemis
> + '[' '!' -d /var/lib/artemis-instance/etc ']'
> + '[' -f /var/lib/artemis-instance/bin/artemis ']'
> + echo 'Starting ActiveMQ Artemis from Instance: /var/lib/artemis-instance/bin/artemis'
> Starting ActiveMQ Artemis from Instance: /var/lib/artemis-instance/bin/artemis
> + exec /var/lib/artemis-instance/bin/artemis run
> NOTE: Picked up JDK_JAVA_OPTIONS: --add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED --add-exports=java.base/sun.security.provider=ALL-UNNAMED -Djavax.net.ssl.trustStoreType=FIPS
> Picked up JAVA_TOOL_OPTIONS: --module-path=/usr/share/java/bouncycastle-fips
> _ _ _
> / \ ____| |_ ___ __ __(_) _____
> / _ \| _ \ __|/ _ \ \/ | |/ __/
> / ___ \ | \/ |_/ __/ |\/| | |\___ \
> /_/ \_\| \__\____|_| |_|_|/___ /
> Apache ActiveMQ Artemis 2.44.0
>
> 2025-11-26 19:58:09,844 INFO [org.apache.activemq.artemis.integration.bootstrap] AMQ101000: Starting ActiveMQ Artemis Server version 2.44.0
> 2025-11-26 19:58:09,905 INFO [org.apache.activemq.artemis.core.server] AMQ221000: Primary message broker is starting with configuration Broker Configuration (clustered=false,journalDirectory=data/journal,bindingsDirectory=data/bindings,largeMessagesDirectory=data/large-messages,pagingDirectory=data/paging)
> 2025-11-26 19:58:09,965 INFO [org.apache.activemq.artemis.core.server] AMQ221012: Using AIO Journal
> 2025-11-26 19:58:10,076 INFO [org.apache.activemq.artemis.core.server] AMQ221057: Global Max Size is being adjusted to 1/2 of the JVM max size (-Xmx). being defined as 1073741824
> 2025-11-26 19:58:10,125 INFO [org.apache.activemq.artemis.core.server] AMQ221043: Protocol module found: [artemis-server]. Adding protocol support for: CORE
> 2025-11-26 19:58:10,126 INFO [org.apache.activemq.artemis.core.server] AMQ221043: Protocol module found: [artemis-amqp-protocol]. Adding protocol support for: AMQP
> 2025-11-26 19:58:10,127 INFO [org.apache.activemq.artemis.core.server] AMQ221043: Protocol module found: [artemis-hornetq-protocol]. Adding protocol support for: HORNETQ
> 2025-11-26 19:58:10,128 INFO [org.apache.activemq.artemis.core.server] AMQ221043: Protocol module found: [artemis-mqtt-protocol]. Adding protocol support for: MQTT
> 2025-11-26 19:58:10,128 INFO [org.apache.activemq.artemis.core.server] AMQ221043: Protocol module found: [artemis-openwire-protocol]. Adding protocol support for: OPENWIRE
> 2025-11-26 19:58:10,129 INFO [org.apache.activemq.artemis.core.server] AMQ221043: Protocol module found: [artemis-stomp-protocol]. Adding protocol support for: STOMP
> 2025-11-26 19:58:10,218 INFO [org.apache.activemq.artemis.core.server] AMQ221034: Waiting indefinitely to obtain primary lock
> 2025-11-26 19:58:10,219 INFO [org.apache.activemq.artemis.core.server] AMQ221035: Primary Server Obtained primary lock
> 2025-11-26 19:58:11,566 INFO [org.apache.activemq.artemis.core.server] AMQ221080: Deploying address DLQ supporting [ANYCAST]
> 2025-11-26 19:58:11,569 INFO [org.apache.activemq.artemis.core.server] AMQ221003: Deploying ANYCAST queue DLQ on address DLQ
> 2025-11-26 19:58:11,570 INFO [org.apache.activemq.artemis.core.server] AMQ221080: Deploying address ExpiryQueue supporting [ANYCAST]
> 2025-11-26 19:58:11,571 INFO [org.apache.activemq.artemis.core.server] AMQ221003: Deploying ANYCAST queue ExpiryQueue on address ExpiryQueue
> 2025-11-26 19:58:12,814 INFO [org.apache.activemq.artemis.core.server] AMQ221020: Started EPOLL Acceptor at 0.0.0.0:61616 for protocols [CORE,MQTT,AMQP,STOMP,HORNETQ,OPENWIRE]
> 2025-11-26 19:58:12,822 INFO [org.apache.activemq.artemis.core.server] AMQ221020: Started EPOLL Acceptor at 0.0.0.0:5445 for protocols [HORNETQ,STOMP]
> 2025-11-26 19:58:12,826 INFO [org.apache.activemq.artemis.core.server] AMQ221020: Started EPOLL Acceptor at 0.0.0.0:5672 for protocols [AMQP]
> 2025-11-26 19:58:12,830 INFO [org.apache.activemq.artemis.core.server] AMQ221020: Started EPOLL Acceptor at 0.0.0.0:1883 for protocols [MQTT]
> 2025-11-26 19:58:12,833 INFO [org.apache.activemq.artemis.core.server] AMQ221020: Started EPOLL Acceptor at 0.0.0.0:61613 for protocols [STOMP]
> 2025-11-26 19:58:12,836 INFO [org.apache.activemq.artemis.core.server] AMQ221007: Server is now active
> 2025-11-26 19:58:12,837 INFO [org.apache.activemq.artemis.core.server] AMQ221001: Apache ActiveMQ Artemis Message Broker version 2.44.0 [0.0.0.0, nodeID=87ea5d58-caff-11f0-91be-f607a002d58e]
> 2025-11-26 19:58:12,859 INFO [org.apache.activemq.artemis] AMQ241003: Starting embedded web server
> 2025-11-26 19:58:13,708 INFO [io.hawt.HawtioContextListener] Initialising Hawtio services
> 2025-11-26 19:58:13,741 INFO [io.hawt.jmx.JmxTreeWatcher] Welcome to Hawtio 4.4.1
> 2025-11-26 19:58:13,751 INFO [io.hawt.web.auth.AuthenticationConfiguration] Authentication throttling is enabled
> 2025-11-26 19:58:13,756 INFO [io.hawt.web.auth.AuthenticationConfiguration] Starting Hawtio authentication filter, JAAS realm: "activemq" authorized role(s): "amq" role principal classes: "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
> 2025-11-26 19:58:13,756 INFO [io.hawt.web.auth.AuthenticationConfiguration] Looking for OIDC configuration file in: /var/lib/artemis-instance/etc/hawtio-oidc.properties
> 2025-11-26 19:58:13,812 INFO [io.hawt.web.auth.ClientRouteRedirectFilter] Hawtio ClientRouteRedirectFilter is using 1800 sec. HttpSession timeout
> 2025-11-26 19:58:13,860 INFO [org.apache.activemq.artemis] AMQ241001: HTTP Server started at http://0.0.0.0:8161
> 2025-11-26 19:58:13,861 INFO [org.apache.activemq.artemis] AMQ241002: Artemis Jolokia REST API available at http://0.0.0.0:8161/console/jolokia
> 2025-11-26 19:58:13,862 INFO [org.apache.activemq.artemis] AMQ241004: Artemis Console available at http://0.0.0.0:8161/console
> 2025-11-26 19:58:39,138 INFO [io.hawt.web.auth.LoginServlet] Hawtio login is using 1800 sec. HttpSession timeout
> configfile: Reading Policy from ~/.java.login.config
> 2025-11-26 19:58:39,189 WARN [io.hawt.system.Authenticator] Login failed due to: No LoginModules configured for activemq
> 2025-11-26 19:58:39,810 WARN [io.hawt.system.Authenticator] Login failed due to: No LoginModules configured for activemq
> 2025-11-26 19:58:40,763 WARN [io.hawt.system.Authenticator] Login failed due to: No LoginModules configured for activemq
>
> Tried to login 3 times with the credentials I've created the instance with
>
> Thanks
>
> On Wed, Nov 26, 2025 at 5:53 PM Domenico Francesco Bruscino <[email protected]> wrote:
>
> > Hi Yevhenii,
> >
> > what artemis version are you using? Can you try to include only the
> > GuestLoginModule in your /var/lib/artemis-instance/etc/login.config file?
> > Can you share the broker log with
> > -Djava.security.debug=configfile,configparser to debug JAAS ConfigFile
> > loading and parsing?
> >
> > Regards,
> > Domenico
> >
> > On Wed, 26 Nov 2025 at 14:57, Ievgenii Lopushen <[email protected]> wrote:
> >
> > > Hi Domenico
> > > Thank you for your reply
> > >
> > > ran a check from inside the container:
> > >
> > > artemis check node
> > > NOTE: Picked up JDK_JAVA_OPTIONS: --add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED --add-exports=java.base/sun.security.provider=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED -Djavax.net.ssl.trustStoreType=FIPS
> > > Picked up JAVA_TOOL_OPTIONS: --module-path=/usr/share/java/bouncycastle-fips
> > > Connection brokerURL = tcp://localhost:61616
> > > Connection failed::AMQ229031: Unable to validate user from 127.0.0.1:58194. Username: null; SSL certificate subject DN: unavailable
> > >
> > > --user:
> > > Type the username for a retry
> > > artemis
> > >
> > > --password: is mandatory with this configuration:
> > > Type the password for a retry
> > >
> > > NodeCheck failed. Reason:
> > > org.apache.activemq.artemis.api.core.ActiveMQSecurityException: [errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user from 127.0.0.1:40246. Username: artemis; SSL certificate subject DN: unavailable]
> > >
> > > The check does not go through even though I used the credentials that I've
> > > specified when creating the instance.
> > >
> > > I have no jcmd in my container, but from ps I see:
> > >
> > > ps aux | grep java
> > > artemis 1 0.8 6.2 8467620 511192 ? Ssl 02:50 5:40 [rosetta] /usr/lib/jvm/java-21-openjdk-amd64/bin/java /usr/lib/jvm/java-21-openjdk-amd64/bin/java
> > > -Djava.security.auth.login.config=/var/lib/artemis-instance/etc/login.config
> > > -Dhawtio.realm=activemq -Dhawtio.role=amq
> > > -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
> > > -Djolokia.policyLocation=/var/lib/artemis-instance/etc/jolokia-access.xml
> > > -Dhawtio.roles=amq
> > > -Djava.security.auth.login.config=/var/lib/artemis-instance/etc/login.config
> > > -classpath /opt/activemq-artemis/lib/artemis-boot.jar
> > > -Dartemis.home=/opt/activemq-artemis
> > > -Dartemis.instance=/var/lib/artemis-instance
> > > -Djava.library.path=/opt/activemq-artemis/bin/lib/linux-x86_64
> > > -Djava.io.tmpdir=/var/lib/artemis-instance/tmp
> > > -Ddata.dir=/var/lib/artemis-instance/data
> > > -Dartemis.instance.etc=/var/lib/artemis-instance/etc
> > > -Dhawtio.authenticationEnabled=false
> > > -Djava.security.debug=loginconfig,config,parser,access,failure
> > > org.apache.activemq.artemis.boot.Artemis run
> > > root 1545 0.0 0.0 3640 2244 ? S+ 13:32 0:00 grep --color=auto java
> > >
> > > So
> > > -Djava.security.auth.login.config=/var/lib/artemis-instance/etc/login.config
> > > and the contents of /var/lib/artemis-instance/etc/login.config is:
> > >
> > > activemq {
> > >    org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
> > >        debug=false
> > >        reload=true
> > >        org.apache.activemq.jaas.properties.user="artemis-users.properties"
> > >        org.apache.activemq.jaas.properties.role="artemis-roles.properties";
> > >
> > >    org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
> > >        debug=false
> > >        org.apache.activemq.jaas.guest.user="artemis"
> > >        org.apache.activemq.jaas.guest.role="amq";
> > > };
> > >
> > > Thank you!
> > >
> > > On Wed, Nov 26, 2025 at 8:33 AM Domenico Francesco Bruscino <[email protected]> wrote:
> > >
> > > > Hi Yevhenii,
> > > >
> > > > the error "No LoginModules configured for" is usually due to a wrong login
> > > > configuration. Can you double-check you are able to connect to an acceptor
> > > > by using the artemis CLI?
> > > > If the artemis CLI works, can you share the content of the file defined by
> > > > the java.security.auth.login.config system property in the container?
> > > > By default, the java.security.auth.login.config system property is defined
> > > > in the bin/artemis script. You could use jcmd to double-check the property
> > > > value in the container, i.e. jcmd <PID> VM.system_properties.
> > > >
> > > > Regards,
> > > > Domenico
> > > >
> > > > On Tue, 25 Nov 2025 at 19:02, Ievgenii Lopushen <[email protected]> wrote:
> > > >
> > > > > Hi
> > > > > I'm trying to build a Docker image with Artemis in it. The image is based
> > > > > on Ubuntu 22.04 with FIPS turned on and JRE 21 installed. For Java I am
> > > > > using Bouncycastle as my security provider, hence overriding the
> > > > > java.security file with such providers:
> > > > >
> > > > > security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> > > > > security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
> > > > > security.provider.3=SUN
> > > > >
> > > > > When starting the container, Artemis does launch and I'm able to create an
> > > > > Artemis instance. However, I cannot login to the web console. No matter the
> > > > > credentials I specify I get:
> > > > >
> > > > > [io.hawt.system.Authenticator] Login failed due to: No LoginModules configured for activemq
> > > > >
> > > > > Even though on identical default installation on host machine with Ubuntu
> > > > > or MacOS works fine.
> > > > > Is there any additional configuration that should be applied to login or
> > > > > can it be related to FIPS?
> > > > > --
> > > > >
> > > > > All the best,
> > > > >
> > > > > Yevhenii
> > >
> > > --
> > >
> > > All the best,
> > >
> > > Yevhenii Lopushen
>
> --
> All the best,
> Yevhenii Lopushen
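
The check suggested at the top of this thread can also be done without jcmd or debug flags. The following is an added example, not part of the thread or of Artemis or the JDK: a shell sketch that predicts where sun.security.provider.ConfigFile takes the JAAS login configuration from, given a java.security file. The function names are hypothetical, the lookup order (system property if allowed, then login.config.url.N, then ~/.java.login.config) is a simplified model of the JDK 21 code linked above, and the sample file is constructed on the assumption that the override contains only provider lines.

```shell
#!/bin/sh
# Added example (not from the thread): predict which source the JDK's
# sun.security.provider.ConfigFile reads the JAAS login configuration from.
# Function names are hypothetical; the lookup order is a simplified model.

# Print the value of a security property from a java.security-style file.
# $1 = file, $2 = property name. Comment lines are skipped; last definition wins.
sec_prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# $1 = effective java.security file
# $2 = value of -Djava.security.auth.login.config ("" if not set)
# Prints the first source that applies:
#   system-property    the -D file is honoured
#   security-property  login.config.url.N entries from java.security
#   home-fallback      only ~/.java.login.config is tried
jaas_config_source() {
    allow=$(sec_prop "$1" policy.allowSystemProperty | tr 'A-Z' 'a-z')
    if [ "$allow" = "true" ] && [ -n "$2" ]; then
        echo system-property
    elif [ -n "$(sec_prop "$1" login.config.url.1)" ]; then
        echo security-property
    else
        echo home-fallback
    fi
}

# Constructed sample: a java.security that lists only providers, so
# policy.allowSystemProperty is absent and the -D option is ignored.
sample=$(mktemp)
printf '%s\n' \
    'security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider' \
    'security.provider.3=SUN' > "$sample"
jaas_config_source "$sample" /var/lib/artemis-instance/etc/login.config
rm -f "$sample"
```

Inside the container, pass the java.security file the JVM actually loads as the first argument (by default $JAVA_HOME/conf/security/java.security on JDK 9 and later).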
