Security Hardening
Security hardening is the process of reducing a server's or application's attack surface by applying recognised best practices and standards, which results in a more secure operating environment.
For more information, see https://docs.bmc.com/docs/security/basic-tomcat-security-configuration-recommendations-924057229.html.
Configure Tomcat with TLS (HTTPS)
For configuring Tomcat with TLS (HTTPS), see the Apache Tomcat documentation at https://tomcat.apache.org/tomcat-10.1-doc/index.html.
Following are links to some useful topics in the documentation:
Security settings for ActiveMQ
For configuring Apache ActiveMQ security settings, see the following links:
- https://activemq.apache.org/components/classic/documentation/how-do-i-use-ssl
- https://activemq.apache.org/components/classic/documentation/security
- https://activemq.apache.org/components/classic/documentation/encrypted-password
- https://activemq.apache.org/components/classic/documentation/using-activemq-classic
After completing the hardening steps above, configure ActiveMQ authentication for AE as described in the next section.
ActiveMQ authentication for AE
ActiveMQ authentication is not enabled by default for AE. Configure the following settings in the AE engine.
- The ActiveMQ simpleAuthenticationPlugin is used to enforce authentication on the broker. Encrypt the broker password and store only the encrypted form in the configuration files. Following is the encrypt command:
$bin/activemq encrypt --password activemq --input mypassword
- The value you want to encrypt is passed with the --input argument; the --password argument is the master secret used for the encryption. The value activemq is only an example: choose a strong master secret, because anyone who obtains both it and the ENC() value can recover the broker password.
- You get an encrypted password in the output, for example: Encrypted password: K6lz7RKJg9DzGiX8eRbvUw==
The output differs on every run because a random salt is used, so do not expect the value above to match yours.
- In the <ActiveMQ home>/conf/credentials-enc.properties file, add the following:
aeuser.password=ENC(K6lz7RKJg9DzGiX8eRbvUw==)
- Edit the <ActiveMQ home>/conf/activemq.xml file.
- Delete the following bean definition:
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<value>file:${activemq.conf}/credentials.properties</value>
</property>
</bean>
- Add the following bean definitions. The algorithm value must be the same algorithm the encrypt command used, otherwise the ENC() values cannot be decrypted at startup, and passwordEnvName must match the environment variable you set later. PBEWithMD5AndDES is a legacy choice (MD5 key derivation with single DES); if your ActiveMQ release lets you select a stronger PBE algorithm for the encrypt command, use it and set the same value here.
<bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
<property name="algorithm" value="PBEWithMD5AndDES" />
<property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD"/>
</bean>
<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
<property name="config" ref="environmentVariablesConfiguration" />
</bean>
<bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
<constructor-arg ref="configurationEncryptor" />
<property name="location" value="file:${activemq.conf}/credentials-enc.properties"/>
</bean>
- Add the simpleAuthenticationPlugin element under the broker element in the activemq.xml file. The username must be the account AE presents in ae.properties (mq.username); the password placeholder is read from credentials-enc.properties and decrypted by the propertyConfigurer bean. Keep anonymousAccessAllowed="false" so that unauthenticated clients are rejected:
<plugins>
<simpleAuthenticationPlugin anonymousAccessAllowed="false">
<users>
<authenticationUser username="aeuser" password="${aeuser.password}" groups="users,admins"/>
</users>
</simpleAuthenticationPlugin>
</plugins>
- Set up ACTIVEMQ_ENCRYPTION_PASSWORD.
After you have configured the authentication for ActiveMQ, set the ACTIVEMQ_ENCRYPTION_PASSWORD environment variable.
- To set the environment variable on a Windows machine:
a. Under System Variables, add a new variable.
b. Enter the variable name as ACTIVEMQ_ENCRYPTION_PASSWORD and enter the master secret you passed to the encrypt command as the value. For the example above, ACTIVEMQ_ENCRYPTION_PASSWORD=activemq. A system variable is visible to every user and process on the host, so prefer setting it only for the account that runs the ActiveMQ service where your setup allows it.
- To set the environment variable on a Linux machine:
Ensure you have root privileges to create a file under /etc/profile.d.
i. Create a new file under /etc/profile.d that sets the environment variable:
$ cd /etc/profile.d/
$ sudo touch automationedge.sh
A file in /etc/profile.d is sourced by every login shell, so every user on the machine can read the master secret from it. If only the ActiveMQ service account needs it, set the variable in that account's profile or in the service's own environment instead, and restrict the file so that other users cannot read it.
ii. Edit automationedge.sh and add the following (the value must be the same master secret used with the encrypt command):
export ACTIVEMQ_ENCRYPTION_PASSWORD=activemq
iii. Save the file and restart the machine, so that ActiveMQ starts from an environment in which the variable is set.
- Edit the ae.properties file in <AE home>.
i. Open ae.properties and find the mq.username and mq.password properties.
The mq.username and mq.password properties are empty by default.
ii. Under ActiveMQ credentials, enter the broker user and the plaintext password you encrypted earlier (not the ENC() value):
#ActiveMQ credentials
mq.username=aeuser
mq.password=mypassword
The password is stored in clear text here, so make ae.properties readable only by the account that runs AE.
- Restart services for ActiveMQ and Tomcat.
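The steps above touch four places (activemq.xml, credentials-enc.properties, ae.properties and the environment), and a mismatch between them only shows up as a failed connection after the restart. The following script, an added example that is not part of the AE or ActiveMQ documentation, checks the pieces against each other offline before you restart: the old placeholder configurer is gone and the jasypt one is present, anonymous access is off, the mq.username in ae.properties has a matching authenticationUser, that user's password is a ${...} placeholder that resolves to an ENC() value, and the master-secret variable is set. It also provides an owner-only permission check for the files that hold secrets (credentials-enc.properties, ae.properties and, under JMX below, jmx.password). The configuration snippets embedded in it are constructed samples, and the env dictionary stands in for os.environ so the check can run anywhere.

```python
"""Offline consistency check for the ActiveMQ/AE authentication setup (added example)."""
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample configuration, not copied from a real installation.
SAMPLE_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="propertyConfigurer"
        class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
    <property name="location" value="file:${activemq.conf}/credentials-enc.properties"/>
  </bean>
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <plugins>
      <simpleAuthenticationPlugin anonymousAccessAllowed="false">
        <users>
          <authenticationUser username="aeuser" password="${aeuser.password}"
                              groups="users,admins"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
  </broker>
</beans>
"""
SAMPLE_CREDENTIALS = "aeuser.password=ENC(K6lz7RKJg9DzGiX8eRbvUw==)\n"
SAMPLE_AE_PROPERTIES = "#ActiveMQ credentials\nmq.username=aeuser\nmq.password=mypassword\n"

PLACEHOLDER = re.compile(r"^\$\{([^}]+)\}$")          # ${aeuser.password}
ENC_VALUE = re.compile(r"^ENC\([A-Za-z0-9+/=]+\)$")   # ENC(base64)
OLD_CONFIGURER = "org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"


def local(tag):
    """Strip the XML namespace so elements can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_properties(text):
    """Minimal java.util.Properties reader for key=value lines (no ':' or continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_setup(activemq_xml, credentials_text, ae_properties_text, env):
    """Return a list of findings; an empty list means the four pieces agree."""
    findings = []
    root = ET.fromstring(activemq_xml)
    creds = parse_properties(credentials_text)
    ae = parse_properties(ae_properties_text)

    classes = [b.get("class", "") for b in root.iter() if local(b.tag) == "bean"]
    if OLD_CONFIGURER in classes:
        findings.append("old PropertyPlaceholderConfigurer bean still present")
    if not any(c.endswith("EncryptablePropertyPlaceholderConfigurer") for c in classes):
        findings.append("no EncryptablePropertyPlaceholderConfigurer bean; ENC() values stay undecrypted")

    plugin = next((e for e in root.iter() if local(e.tag) == "simpleAuthenticationPlugin"), None)
    if plugin is None:
        findings.append("simpleAuthenticationPlugin missing; broker accepts any client")
        return findings
    if plugin.get("anonymousAccessAllowed", "false").lower() != "false":
        findings.append("anonymousAccessAllowed is not false")

    users = {u.get("username"): u.get("password", "")
             for u in plugin.iter() if local(u.tag) == "authenticationUser"}
    mq_user = ae.get("mq.username", "")
    if mq_user not in users:
        findings.append(f"mq.username {mq_user!r} has no matching authenticationUser")
    else:
        m = PLACEHOLDER.match(users[mq_user])
        if not m:
            findings.append("broker password is a literal, not a ${...} placeholder")
        elif m.group(1) not in creds:
            findings.append(f"{m.group(1)} not defined in credentials-enc.properties")
        elif not ENC_VALUE.match(creds[m.group(1)]):
            findings.append(f"{m.group(1)} is not wrapped as ENC(...)")
    if not ae.get("mq.password"):
        findings.append("mq.password is empty in ae.properties")
    if not env.get("ACTIVEMQ_ENCRYPTION_PASSWORD"):
        findings.append("ACTIVEMQ_ENCRYPTION_PASSWORD is not set; jasypt cannot decrypt")
    return findings


def owner_only(path):
    """True when no group/other permission bits are set (the 'chmod 600' state)."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    env = {"ACTIVEMQ_ENCRYPTION_PASSWORD": "activemq"}  # stands in for os.environ
    for finding in check_setup(SAMPLE_ACTIVEMQ_XML, SAMPLE_CREDENTIALS, SAMPLE_AE_PROPERTIES, env):
        print("FINDING:", finding)
    # Hypothetical paths; point these at your real conf directory.
    for path in ("conf/credentials-enc.properties", "conf/jmx.password"):
        if os.path.exists(path) and not owner_only(path):
            print("FINDING:", path, "is readable by group or other users")
```

To use it against a real installation, read the three files into strings, pass os.environ as env, and treat any non-empty result as a reason not to restart yet. The placeholder check deliberately flags a literal password in activemq.xml, since that would mean the ENC() indirection is not actually in use.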
ActiveMQ: Enable JMX with authentication
To enable JMX, follow the instructions at https://activemq.apache.org/components/classic/documentation/jmx
You must ensure that only the owner has read and write permissions on the JMX password file (jmx.password), since it contains the passwords in clear text. For security reasons, the JVM checks that the file is readable only by its owner and exits with an error if it is not. Therefore, in a multi-user environment, store the password file in a private location such as the service account's home directory.
- Linux
chmod 600 jmx.password
- Windows
https://docs.oracle.com/javase/1.5.0/docs/guide/management/security-windows.html
AE with SSL
AE supports HTTPS URLs. Because AE is hosted on Apache Tomcat, secure the Tomcat server with TLS as described under Configure Tomcat with TLS (HTTPS) above, and have AE served only over the HTTPS connector.