How to configure SenderCompId for quickfix auto failover configuration? - quickfix

In QuickFix/J there is configuration for auto failover for initiator like below:
SocketConnectHost=localhost1
SocketConnectPort=9876
SocketConnectHost1=localhost2
SocketConnectPort1=9877
In the above, an alternate IP or port can be provided as SocketConnectHostn and SocketConnectPortn. But the above is a session failover mechanism, since SenderCompID and TargetCompID are the same.
Is there a way by which I can configure the SenderCompID along with socketConnect host and port?

Well yes, you simply set it up under a new session, kind of like so:
[default]
ReconnectInterval=5
StartTime=00:00:00
EndTime=00:00:00
HeartBtInt=60
ReconnectInterval=60
ResetOnLogon=Y
DataDictionary=FIX.4.4.xml
UseDataDictionary=Y
ValidateFieldsOutOfOrder=N
[session]
BeginString=FIX.4.4
SenderCompID=Sender1
TargetCompID=Target1
SocketConnectPort=1201
SocketConnectHost=1.2.3.4
FileStorePath=store1
FileLogPath=log1
ConnectionType=initiator
[session]
BeginString=FIX.4.4
SenderCompID=Sender2
TargetCompID=Target2
SocketConnectPort=1202
SocketConnectHost=1.2.3.5
FileStorePath=store2
FileLogPath=log2
ConnectionType=initiator
[session]
BeginString=FIX.4.4
SenderCompID=Sender3
TargetCompID=Target3
SocketConnectPort=1203
SocketConnectHost=1.2.3.6
FileStorePath=store3
FileLogPath=log3
ConnectionType=initiator

java.lang.Exception: Insufficient roles/credentials for operation

I'm using ActiveMQ Artemis 2.16.0 and the management console is based on Hawtio. I've successfully integrated it with Keycloak (OpenID Connect) using these instructions.
Now I've upgraded to ActiveMQ Artemis 2.17.0 and it stopped working. The Hawtio version seems the same:
[io.hawt.jmx.JmxTreeWatcher] Welcome to Hawtio 2.11.0
Since ActiveMQ Artemis is quite easy to upgrade, I can easily switch from one version to another. I did it and the logs seem to output the same:
[org.apache.activemq.artemis.core.server] AMQ221001: Apache ActiveMQ Artemis Message Broker version 2.17.0 [node1.some.domain, nodeID=bcf5b788-c0fd-11ea-9c54-0050568bf82b]
[org.apache.activemq.artemis.core.server] AMQ221053: Disallowing use of vulnerable protocol 'SSLv2Hello' on acceptor 'artemis'. See http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html for more details.
[io.hawt.web.plugin.HawtioPlugin] Registering plugin hawtio:type=plugin,name=activemq-branding
[org.apache.activemq.hawtio.branding.PluginContextListener] Initialized activemq-branding plugin
[io.hawt.web.plugin.HawtioPlugin] Registering plugin hawtio:type=plugin,name=artemis-plugin
[org.apache.activemq.hawtio.plugin.PluginContextListener] Initialized artemis-plugin plugin
[io.hawt.HawtioContextListener] Initialising hawtio services
[io.hawt.system.ConfigManager] Failed to look up environment context: null
[io.hawt.system.ConfigManager] Configuration will be discovered via system properties
[io.hawt.jmx.JmxTreeWatcher] Welcome to Hawtio 2.11.0
[io.hawt.system.ConfigManager] Property realm is set to value hawtio
[io.hawt.system.ConfigManager] Property role is set to value null
[io.hawt.system.ConfigManager] Property roles is set to value amq,artemis_admin,artemis_manager,artemis_viewer
[io.hawt.system.ConfigManager] Property rolePrincipalClasses is set to value org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.ConfigManager] Property authenticationEnabled is set to value true
[io.hawt.system.ConfigManager] Property noCredentials401 is set to value false
[io.hawt.system.ConfigManager] Property keycloakEnabled is set to value true
[io.hawt.system.ConfigManager] Property authenticationContainerDiscoveryClasses is set to value io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery
[io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery] Realm explicit configured hawtio. Apache Tomcat userdata authentication integration not in use.
[io.hawt.web.auth.AuthenticationConfiguration] Starting hawtio authentication filter, JAAS realm: "hawtio" authorized role(s): "amq,artemis_admin,artemis_manager,artemis_viewer" role principal classes: "org.keycloak.adapters.jaas.RolePrincipal"
[io.hawt.system.ConfigManager] Property keycloakClientConfig is set to value file:/opt/artemis-broker/etc/keycloak-client-hawtio.json
[io.hawt.web.filters.ContentSecurityPolicyFilter] Found Keycloak URL: https://auth.some.domain/auth
[io.hawt.system.ConfigManager] Property http.strictTransportSecurity is set to value null
[io.hawt.web.filters.PublicKeyPinningFilter] HTTP Strict Transport Security is disabled
[io.hawt.system.ConfigManager] Property http.publicKeyPins is set to value null
[io.hawt.web.filters.PublicKeyPinningFilter] Public Key Pinning is disabled
[io.hawt.system.ConfigManager] Property sessionTimeout is set to value 1800
[io.hawt.system.ConfigManager] Property disableProxy is set to value false
[io.hawt.system.ConfigManager] Property proxyAllowlist is set to value localhost,
[io.hawt.system.ConfigManager] Property localAddressProbing is set to value true
[io.hawt.system.ProxyAllowlist] Probing local addresses ...
[io.hawt.system.ProxyAllowlist] Initial proxy allowlist: [localhost, 127.0.0.1, 10.3.84.148, node01.some.domain]
[io.hawt.web.servlets.JolokiaConfiguredAgentServlet] Jolokia overridden property: [key=policyLocation, value=file:/opt/artemis-broker/etc/jolokia-access.xml]
[org.apache.activemq.artemis] AMQ241001: HTTP Server started at https://0.0.0.0:8443
[org.apache.activemq.artemis] AMQ241002: Artemis Jolokia REST API available at https://0.0.0.0:8443/console/jolokia
[org.apache.activemq.artemis] AMQ241004: Artemis Console available at https://0.0.0.0:8443/console
[io.hawt.web.auth.SessionExpiryFilter] Accessing [/console/jolokia/], hawtio path is [jolokia]
[io.hawt.web.auth.AuthenticationFilter] Handling request for path /jolokia
[io.hawt.web.auth.AuthenticationFilter] Doing authentication and authorization for path /jolokia
[io.hawt.system.Authenticator] doAuthenticate[realm=hawtio, role=amq,artemis_admin,artemis_manager,artemis_viewer, rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal, configuration=null, username=myuser, password=******]
[org.keycloak.adapters.jaas.BearerTokenLoginModule] Declared options: keycloak-config-file=/export/opt/artemis-broker/etc/keycloak-server-bearer.json, role-principal-class=org.keycloak.adapters.jaas.RolePrincipal
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Using provider 'secret' for authentication of client 'artemis'
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider jwt
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret-jwt
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider jwt
[org.keycloak.adapters.authentication.ClientCredentialsProviderUtils] Loaded clientCredentialsProvider secret-jwt
[org.keycloak.adapters.KeycloakDeployment] Resolving URLs from https://auth.some.domain/auth/realms/myrealm/.well-known/openid-configuration
[org.keycloak.adapters.KeycloakDeployment] Loaded URLs from https://auth.some.domain/auth/realms/myrealm/.well-known/openid-configuration
[org.keycloak.adapters.rotation.JWKPublicKeyLocator] Realm public keys successfully retrieved for client artemis. New kids: [kkFaKnnudVd5UxaVISthQL6VgTRIKYCUGanBKIiGGZg, kyipLFJfqsg9TxC94XAXy4VahWRbDRD0F_spMHJzhzk]
[io.hawt.system.Authenticator] Looking for rolePrincipalClass: org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.KeycloakPrincipal toString: 771b46db-5e22-4318-8ef3-0ffd4b10d223
[io.hawt.system.Authenticator] principal class org.keycloak.KeycloakPrincipal doesn't match org.keycloak.adapters.jaas.RolePrincipal, continuing
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.adapters.jaas.RolePrincipal toString: amq
[io.hawt.system.Authenticator] Matched role and role principal class
[io.hawt.web.auth.SessionExpiryFilter] Accessing [/console/jolokia/], hawtio path is [jolokia]
[io.hawt.web.auth.AuthenticationFilter] Handling request for path /jolokia
[io.hawt.web.auth.AuthenticationFilter] Doing authentication and authorization for path /jolokia
[io.hawt.system.Authenticator] doAuthenticate[realm=hawtio, role=amq,artemis_admin,artemis_manager,artemis_viewer, rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal, configuration=null, username=myuser, password=******]
[org.keycloak.adapters.jaas.BearerTokenLoginModule] Declared options: keycloak-config-file=/export/opt/artemis-broker/etc/keycloak-server-bearer.json, role-principal-class=org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Looking for rolePrincipalClass: org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.KeycloakPrincipal toString: 771b46db-5e22-4318-8ef3-0ffd4b10d223
[io.hawt.system.Authenticator] principal class org.keycloak.KeycloakPrincipal doesn't match org.keycloak.adapters.jaas.RolePrincipal, continuing
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.adapters.jaas.RolePrincipal toString: amq
[io.hawt.system.Authenticator] Matched role and role principal class
[io.hawt.web.auth.SessionExpiryFilter] Accessing [/console/jolokia/], hawtio path is [jolokia]
[io.hawt.web.auth.AuthenticationFilter] Handling request for path /jolokia
[io.hawt.web.auth.AuthenticationFilter] Doing authentication and authorization for path /jolokia
[io.hawt.system.Authenticator] doAuthenticate[realm=hawtio, role=amq,artemis_admin,artemis_manager,artemis_viewer, rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal, configuration=null, username=myuser, password=******]
[org.keycloak.adapters.jaas.BearerTokenLoginModule] Declared options: keycloak-config-file=/export/opt/artemis-broker/etc/keycloak-server-bearer.json, role-principal-class=org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Looking for rolePrincipalClass: org.keycloak.adapters.jaas.RolePrincipal
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.KeycloakPrincipal toString: 771b46db-5e22-4318-8ef3-0ffd4b10d223
[io.hawt.system.Authenticator] principal class org.keycloak.KeycloakPrincipal doesn't match org.keycloak.adapters.jaas.RolePrincipal, continuing
[io.hawt.system.Authenticator] Checking principal, classname: org.keycloak.adapters.jaas.RolePrincipal toString: amq
[io.hawt.system.Authenticator] Matched role and role principal class
and I'm using these parameters:
-Dhawtio.authenticationEnabled=true
-Dhawtio.offline=true -Dhawtio.realm=hawtio
-Dhawtio.keycloakEnabled=true -Dhawtio.roles=amq,artemis_admin,artemis_manager,artemis_viewer
-Dhawtio.rolePrincipalClasses=org.keycloak.adapters.jaas.RolePrincipal
-Dhawtio.keycloakClientConfig=${ARTEMIS_INSTANCE_ETC_URI}keycloak-client-hawtio.json
-Dhawtio.keycloakServerConfig=${ARTEMIS_INSTANCE_ETC}/keycloak-server-bearer.json
-Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml
and the management.xml is:
...
<role-access>
<match domain="org.apache.activemq.artemis">
<access method="list*" roles="amq,artemis_admin"/>
<access method="get*" roles="amq,artemis_admin"/>
<access method="is*" roles="amq,artemis_admin"/>
<access method="set*" roles="amq,artemis_admin"/>
<access method="*" roles="amq,artemis_admin"/>
</match>
...
But it seems the role that comes from OpenID Connect doesn't match it.
Any ideas? If you need more config details I can add here.
Since ActiveMQ Artemis 2.18 the integration with third-party login modules has improved, see ARTEMIS-3168.
A good example is available at https://github.com/apache/activemq-artemis/tree/2.20.0/examples/features/standard/security-keycloak
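A consistency check between the two settings quoted in the question, as an added example that is not part of the original posts or of Artemis or Hawtio: it compares the roles accepted by `-Dhawtio.roles` with the roles named in the `<role-access>` fragment of management.xml. It considers only the fragment shown (the sections elided with `...` are not included), and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Copied from the question: the -Dhawtio.roles value and the <role-access>
# fragment of management.xml. Sections elided with "..." are not considered.
HAWTIO_ROLES = "amq,artemis_admin,artemis_manager,artemis_viewer"
ROLE_ACCESS_XML = """<role-access>
 <match domain="org.apache.activemq.artemis">
  <access method="list*" roles="amq,artemis_admin"/>
  <access method="get*" roles="amq,artemis_admin"/>
  <access method="is*" roles="amq,artemis_admin"/>
  <access method="set*" roles="amq,artemis_admin"/>
  <access method="*" roles="amq,artemis_admin"/>
 </match>
</role-access>"""


def split_roles(value):
    """Turn a comma-separated role list into a set, ignoring blanks."""
    return {r.strip() for r in value.split(",") if r.strip()}


def local(elem):
    """Tag name without the '{namespace}' prefix ElementTree adds."""
    return elem.tag.rsplit("}", 1)[-1]


def grants_by_role(role_access_xml):
    """Map each role to the 'domain:method-pattern' entries that name it."""
    grants = {}
    for match in ET.fromstring(role_access_xml).iter():
        if local(match) != "match":
            continue
        for access in match:
            if local(access) != "access":
                continue
            entry = f'{match.get("domain")}:{access.get("method")}'
            for role in split_roles(access.get("roles", "")):
                grants.setdefault(role, []).append(entry)
    return grants


def compare_roles(console_roles, role_access_xml):
    """Report where the console role list and the JMX role-access list diverge."""
    console = split_roles(console_roles)
    grants = grants_by_role(role_access_xml)
    return {
        # accepted by the Hawtio filter, but named in no <access> entry
        "console_only": sorted(console - set(grants)),
        # named in <access> entries, but not accepted by the Hawtio filter
        "jmx_only": sorted(set(grants) - console),
        # roles holding the catch-all method="*" pattern on some domain
        "wildcard_method": sorted(
            r for r, g in grants.items() if any(e.endswith(":*") for e in g)
        ),
    }
```

For the values in the question, `artemis_manager` and `artemis_viewer` are accepted at console login but appear in no `<access>` entry of the fragment shown.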

Keycloak retry database connection during startup

I have Keycloak on one server configured to connect to a remote PostgreSQL database, both the database and the Keycloak server start at the same time in the morning but the database takes a little more time before it's available which prevents the Keycloak service from starting:
WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 63) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
I tried adding the following lines to standalone.xml but it only seems to prevent Keycloak from crashing if it's already started and the database reboots:
<validation>
<check-valid-connection-sql>select 1</check-valid-connection-sql>
<validate-on-match>false</validate-on-match>
<background-validation>true</background-validation>
<background-validation-millis>15000</background-validation-millis>
</validation>
If anyone is looking for a solution and is using systemd, I ended up adding these two lines to my keycloak.service file in the [Service] block:
Restart=always
RestartSec=5min

Can not use jconsole to connect to JBoss eap7.1

I installed eap7.1 on RHEL73 and everything works fine, but I failed to connect to the server instance with jconsole. I didn't find anything about how to set up the JMX component on eap7.1, but found something for eap6. Here are the main points I found:
Should disable the management binding and enable a remote binding:
Add option as eap server startup option:
-Djavax.management.builder.initial=org.jboss.system.server.jmx.MBeanServerBuilderImpl
-Djboss.platform.mbeanserver
Use $JBOSS_HOME/bin/jconsole.sh to startup jconsole
But I always failed, with the jconsole response "the connection to service:jmx:remote://192.168.56.11:4447 did not succeed"
Here is key point of domain.xml
...
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<endpoint/>
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector use-management-endpoint="false"/>
</subsystem>
...
<socket-binding-group name="ha-sockets" default-interface="public">
...
<socket-binding name="remoting" port="4447"/>
...
</socket-binding-group>
The server started up successfully with the following log:
"INFO [org.jboss.as.remoting] (MSC service thread 1-1) WFLYRMT0001: Listening on 192.168.56.11:4447"
netstat -an shows 4447 is ready.
The following are some guides for eap6 that I followed:
https://access.redhat.com/solutions/149973
https://access.redhat.com/solutions/443033
https://access.redhat.com/solutions/413283
https://kb.novaordis.com/index.php/JMX_Access_to_Domain_Mode_EAP_7_Server_Node (this is for eap7)
Is there anything special on JMX for eap7.1?
Best regards
Lan
I have the same problems as you. My quick fix is:
change this:
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
to this:
<connector name="remoting-connector" socket-binding="remoting" security-realm="ManagementRealm"/>
or remove realm:
<connector name="remoting-connector" socket-binding="remoting"/>
Probably I have a wrong user in ApplicationRealm or don't have the permission. I use this in zabbix jmx monitoring in domain mode with wildfly 10, 10.1 and 11.
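An audit of the settings this answer changes, as an added example that is not part of the original posts or of any JBoss tooling: it reads the domain.xml fragments from the question and reports, for each remoting connector, its port, what it authenticates against, and whether it serves JMX with no realm named (the state the "remove realm" edit leaves). The `<domain>` wrapper is constructed so the fragments parse as one document, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed input: the domain.xml fragments quoted in the question,
# wrapped in one root element so they parse as a single document.
DOMAIN_XML = """<domain>
 <subsystem xmlns="urn:jboss:domain:remoting:4.0">
  <endpoint/>
  <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
  <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
 </subsystem>
 <subsystem xmlns="urn:jboss:domain:jmx:1.3">
  <expose-resolved-model/>
  <expose-expression-model/>
  <remoting-connector use-management-endpoint="false"/>
 </subsystem>
 <socket-binding-group name="ha-sockets" default-interface="public">
  <socket-binding name="remoting" port="4447"/>
 </socket-binding-group>
</domain>"""

POSTED = 'socket-binding="remoting" security-realm="ApplicationRealm"'


def split_tag(elem):
    """Return (namespace, local name) for an ElementTree element."""
    if elem.tag.startswith("{"):
        return tuple(elem.tag[1:].split("}", 1))
    return "", elem.tag


def audit_jmx_connectors(xml_text):
    """List remoting connectors and how remote JMX clients authenticate to them."""
    ports, connectors, jmx_on_remoting = {}, [], False
    for elem in ET.fromstring(xml_text).iter():
        ns, name = split_tag(elem)
        if name == "socket-binding":
            ports[elem.get("name")] = elem.get("port")
        elif name == "connector" and ns.startswith("urn:jboss:domain:remoting:"):
            connectors.append(elem)
        elif name == "remoting-connector" and ns.startswith("urn:jboss:domain:jmx:"):
            # use-management-endpoint defaults to true (JMX via the management interface)
            jmx_on_remoting |= elem.get("use-management-endpoint", "true") == "false"
    findings = []
    for c in connectors:
        # security-realm (legacy) or sasl-authentication-factory (Elytron) names the user store
        auth = c.get("security-realm") or c.get("sasl-authentication-factory")
        findings.append({
            "connector": c.get("name"),
            "port": ports.get(c.get("socket-binding")),
            "auth": auth,
            "serves_jmx": jmx_on_remoting,
            "review": jmx_on_remoting and auth is None,
        })
    return findings


def answer_variants():
    """The configuration as posted, plus the two edits proposed in the answer."""
    return {
        "as posted": DOMAIN_XML,
        "ManagementRealm": DOMAIN_XML.replace(POSTED, POSTED.replace("Application", "Management")),
        "no realm": DOMAIN_XML.replace(POSTED, 'socket-binding="remoting"'),
    }
```

Running `audit_jmx_connectors` over each entry of `answer_variants()` shows the connector on port 4447 moving from ApplicationRealm to ManagementRealm, and being flagged for review only in the variant with no realm.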
You can connect the jconsole to EAP 7.1 with default configuration using the management realm. You just have to:
add a management user, via $JBOSS_HOME/bin/add-user.sh
start EAP
connect to jmx service address
service:jmx:remote+http://127.0.0.1:9990 via
$JBOSS_HOME/bin/jconsole.sh using credentials defined in above step
n.b.: The protocol may differ from previous versions of eap

QuickFix/N: How to have typed messages when using FIXT1.1 with FIX5.0?

Context
I have a test Acceptor and Initiator. I am using QuickFix/N 1.7 release. Everything works fine, if I configure both Acceptor and Initiator to FIX 4.4.
Doing nothing, just connecting, then logging the incoming/outgoing heartbeat messages to the debug console. All OK, see below.
I change nothing just the two configuration files accordingly from FIX 4.4 to FIX 5.0. All works (I mean the heartbeat messages still coming and going), but the message parameter of the callback is not a typed (heartbeat) runtime instance message anymore, instead the base class.
Diagnostics:
All referenced specification files are in place. If I intentionally ruin a character either in TransportDataDictionary path or AppDataDictionary I got the expected exception
Using the out of the box specification files, no customization at all.
Question:
Why is the message instance not a typed runtime instance message in the FIX 5.0 case, but typed in the FIX 4.4 case?
Is this the expected behavior or am I missing something?
Code Exhibits:
Code in Initiator IApplication implementation which produces the output lines:
public void ToAdmin(Message message, SessionID sessionID)
{
    // Log the runtime type of each outgoing admin message
    Debug.WriteLine($@"(A)OUT: {message.GetType()}{message}");
}
public void FromAdmin(Message message, SessionID sessionID)
{
    // Log the runtime type of each incoming admin message
    Debug.WriteLine($@"(A)IN: {message.GetType()}{message}");
}
When using the 4.4 configuration then I see this: (message type is QuickFix.FIX44.Heartbeat)
Logon - FIX.4.4:TEST01->MYACCEPTOR
(A)IN: QuickFix.FIX44.Heartbeat8=FIX.4.4 9=5335=034=249=MYACCEPTOR52=20170715-15:00:31.59656=TEST0110=179
(A) OUT: QuickFix.FIX44.Heartbeat8=FIX.4.4 9=5335=034=249=TEST0152=20170715-15:00:31.60456=MYACCEPTOR10=169
(A) OUT: QuickFix.FIX44.Heartbeat8=FIX.4.4 9=5335=034=349=TEST0152=20170715-15:00:36.61056=MYACCEPTOR10=172
(A) IN: QuickFix.FIX44.Heartbeat8=FIX.4.4 9=5335=034=349=MYACCEPTOR52=20170715-15:00:36.61556=TEST0110=177
When using the 5.0 configuration then I see this: (message type is just QuickFix.FIX50.Message)
Logon - FIXT.1.1:TEST01->MYACCEPTOR
(A)IN: QuickFix.Message8=FIXT.1.19=5335=034=249=MYACCEPTOR52=20170715-15:06:16.92256=TEST0110=003
(A) OUT: QuickFix.Message8=FIXT.1.19=5335=034=249=TEST0152=20170715-15:06:16.93056=MYACCEPTOR10=002
(A) OUT: QuickFix.Message8=FIXT.1.19=5335=034=349=TEST0152=20170715-15:06:21.93656=MYACCEPTOR10=005
(A) IN: QuickFix.Message8=FIXT.1.19=5335=034=349=MYACCEPTOR52=20170715-15:06:21.94156=TEST0110=001
FIX5.0 configuration for Initiator:
[DEFAULT]
ConnectionType=initiator
ReconnectInterval=2
FileStorePath=store
FileLogPath=log
StartTime=00:00:00
EndTime=00:00:00
UseDataDictionary=Y
TransportDataDictionary=..\spec\FIXT11.xml
AppDataDictionary=..\spec\FIX50.xml
SocketConnectHost=127.0.0.1
SocketConnectPort=1111
LogoutTimeout=5
ResetOnLogon=Y
ResetOnDisconnect=Y
[SESSION]
BeginString=FIXT.1.1
DefaultApplVerID=FIX.5.0
SenderCompID=TEST01
TargetCompID=MYACCEPTOR
HeartBtInt=5
FIX5.0 configuration for Acceptor:
[DEFAULT]
ConnectionType=acceptor
SocketAcceptPort=1111
StartTime=00:00:00
EndTime=00:00:00
FileLogPath=log
UseDataDictionary=Y
ResetOnLogon=Y
ResetOnLogout=Y
ResetOnDisconnect=Y
[SESSION]
BeginString=FIXT.1.1
DefaultApplVerID=FIX.5.0
SenderCompID=MYACCEPTOR
TargetCompID=TEST01
FileStorePath=store
TransportDataDictionary=..\spec\FIXT11.xml
AppDataDictionary=..\spec\FIX50.xml
The data dictionary for FIX4.4 at quickfixn repository contains -
<message name="Heartbeat" msgtype="0" msgcat="admin">
<field name="TestReqID" required="N" />
</message>
which is the formal definition of Heartbeat message.
This definition is missing in the FIX 5.0 data dictionary, causing the quickfix engine to consider it as a generic message.
Adding the heartbeat message definition to the FIX 5.0 data dictionary should solve your problem.

JBoss domain dynamic port offset configuration

I cannot seem to get configuring port-offsets via properties file on the domain managed setup to start multiple server instances in a server group.
I have the following configuration in host.xml:
<servers>
<server name="instance-one" group="main-server-group" auto-start="true">
<socket-bindings port-offset="${jboss.instance1.offset}"/>
</server>
<server name="instance-two" group="main-server-group" auto-start="true">
<!-- server-two avoids port conflicts by incrementing the ports in
the default socket-group declared in the server-group -->
<socket-bindings port-offset="${jboss.instance2.offset}"/>
</server>
</servers>
The properties are configured via properties file (custom-domain.properties):
jboss.domain.base.dir=custom-domain
jboss.instance1.offset=10300
jboss.instance2.offset=20300
And I try to startup the domain using
./domain.sh -P=custom-domain.properties
The problem is that jboss.instance1.offset and jboss.instance2.offset are not being applied to the corresponding properties in host.xml. If I have hardcoded values in the host.xml it appears to start up instance 1 and instance 2 on the hardcoded port offsets.
Does custom property configuration not work in domain setup?
Thanks for any help.