activemq-artemis/examples/features/standard/jmx-ssl/readme.md

# JMX Management Example

To run the example, simply type **mvn verify** from this directory, or **mvn -PnoServer verify** if you want to create and start the broker manually.

This example shows how to manage ActiveMQ Artemis using [JMX over SSL](http://www.oracle.com/technetwork/java/javase/tech/javamanagement-140525.html).

## Example configuration

ActiveMQ Artemis exposes its managed resources by default on the platform MBeanServer.

To access this MBeanServer remotely, add the following to the `management.xml` configuration:

```xml
<connector connector-port="1099" connector-host="localhost"/>
```

With these attributes, the ActiveMQ Artemis broker will be manageable remotely using a standard JMX URL on port `1099`.

The various keystore files are generated using the following commands:
```shell
#!/bin/bash
set -e
KEY_PASS=securepass
STORE_PASS=securepass
CA_VALIDITY=365000
VALIDITY=36500
# Create a key and self-signed certificate for the CA, to sign server certificate requests and use for trust:
# -----------------------------------------------------------------------------------------------------------
keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias server-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
keytool -storetype pkcs12 -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -exportcert -rfc > server-ca.crt
# Create trust store with the server CA cert:
# -------------------------------------------
keytool -storetype pkcs12 -keystore server-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
# Create a key pair for the server, and sign it with the CA:
# ----------------------------------------------------------
keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias server -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1
keytool -keystore server-keystore.jks -storepass $STORE_PASS -alias server -certreq -file server.csr
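# eku=sA is repeated here: extensions given to -genkey are not copied into the CA-signed certificate
keytool -keystore server-ca-keystore.p12 -storepass $STORE_PASS -alias server-ca -gencert -rfc -infile server.csr -outfile server.crt -validity $VALIDITY -ext bc=ca:false -ext eku=sA -ext san=dns:localhost,ip:127.0.0.1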
keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server-ca -file server-ca.crt -noprompt
keytool -keystore server-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias server -file server.crt
# Create a key and self-signed certificate for the CA, to sign client certificate requests and use for trust:
# -----------------------------------------------------------------------------------------------------------
# (PKCS12 store, as for the server CA; this is the store used by -gencert below)
keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -alias client-ca -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client Certification Authority, OU=Artemis, O=ActiveMQ" -validity $CA_VALIDITY -ext bc:c=ca:true
keytool -storetype pkcs12 -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -exportcert -rfc > client-ca.crt
# Create trust store with the client CA cert:
# -------------------------------------------
# (file name mirrors server-ca-truststore.p12 above; it holds only the CA certificate, no private key)
keytool -storetype pkcs12 -keystore client-ca-truststore.p12 -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
# Create a key pair for the client, and sign it with the CA:
# ----------------------------------------------------------
keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -alias client -genkey -keyalg "RSA" -keysize 2048 -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
keytool -keystore client-keystore.jks -storepass $STORE_PASS -alias client -certreq -file client.csr
keytool -keystore client-ca-keystore.p12 -storepass $STORE_PASS -alias client-ca -gencert -rfc -infile client.csr -outfile client.crt -validity $VALIDITY -ext bc=ca:false -ext eku=cA -ext san=dns:localhost,ip:127.0.0.1
keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client-ca -file client-ca.crt -noprompt
keytool -keystore client-keystore.jks -storepass $STORE_PASS -keypass $KEY_PASS -importcert -alias client -file client.crt
```
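
A minimal JMX client for the setup above, shown as an added example rather than the example's own source code. It assumes the broker's connector has SSL enabled, that the stores generated by the script are in the working directory, and that the hypothetical environment variables `JMX_USER` and `JMX_PASS` hold a broker account if the broker requires one.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

// Added example, not part of the Artemis example sources.
public class JmxOverSslCheck {
    public static void main(String[] args) throws Exception {
        // Store names and password come from the keytool script above.
        // Client identity (certificate signed by the client CA):
        System.setProperty("javax.net.ssl.keyStore", "client-keystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "securepass");
        // Trust only the server CA instead of the JVM's default cacerts:
        System.setProperty("javax.net.ssl.trustStore", "server-ca-truststore.p12");
        System.setProperty("javax.net.ssl.trustStorePassword", "securepass");

        // Standard JMX-over-RMI URL for the connector host and port above.
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi");

        Map<String, Object> env = new HashMap<>();
        // Use TLS for the RMI registry lookup as well as the JMX connection.
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

        // Assumption: JMX_USER / JMX_PASS are hypothetical variables for this sketch.
        String user = System.getenv("JMX_USER");
        if (user != null) {
            env.put(JMXConnector.CREDENTIALS,
                    new String[] {user, System.getenv("JMX_PASS")});
        }

        // try-with-resources closes the connector even if a call fails.
        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            System.out.println("MBeans visible: " + mbsc.getMBeanCount());
            for (String domain : mbsc.getDomains()) {
                System.out.println("domain: " + domain);
            }
        }
    }
}
```

If the connection fails during the TLS handshake, check that each side's trust store contains the CA that signed the other side's certificate.
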
## More information
* [Java management guide](https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html)