Any message addresses you need must be added to the main configuration file template, broker.xml.tmpl. This customization is done within the <addresses> element. The location of this addition is indicated by the comment: “Add here the configuration of your addresses”. The following example adds an address called functionalTrace.accounting:
A role-based security policy can be set through a customization of the <security-settings> element. The default configuration simply grants some rights to the default amq role. Adding other roles and/or modifying the existing configuration should be done in this element within the configuration file template. The location of this addition is indicated by the comment: “Add here the configuration of your additional role-based security settings”. The following example adds a security setting for the added functionalTrace.accounting address, assuming that functrace is an additional role (see below):
```xml
<permission type="createNonDurableQueue" roles="functrace"/>
<permission type="createDurableQueue" roles="functrace"/>
```
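As an added illustration, not taken from the project's own template, the following shows how the two customizations above could look together inside broker.xml.tmpl. The address name functionalTrace.accounting and the functrace role come from the text above; the anycast queue name and the exact permission list are assumptions of this example, and the functrace role must also be declared in artemis-roles.properties for the setting to have any effect.

```xml
<!-- Added example for broker.xml.tmpl (not the project's own template).
     Assumptions: an anycast queue named like the address, and a permission
     set limited to what a tracing producer/consumer needs. -->
<addresses>
  <!-- Add here the configuration of your addresses -->
  <address name="functionalTrace.accounting">
    <anycast>
      <queue name="functionalTrace.accounting"/>
    </anycast>
  </address>
</addresses>

<security-settings>
  <!-- Add here the configuration of your additional role-based security settings -->
  <!-- Artemis applies the most specific matching security-setting, so with an
       exact match the default amq entry (typically a broader match such as "#")
       no longer applies to this address: only the functrace role is granted
       rights here, and no "manage" permission is given. -->
  <security-setting match="functionalTrace.accounting">
    <permission type="createNonDurableQueue" roles="functrace"/>
    <permission type="deleteNonDurableQueue" roles="functrace"/>
    <permission type="createDurableQueue" roles="functrace"/>
    <permission type="deleteDurableQueue" roles="functrace"/>
    <permission type="send" roles="functrace"/>
    <permission type="consume" roles="functrace"/>
  </security-setting>
</security-settings>
```

Keep the match as specific as the address you protect; a wildcard match (for example functionalTrace.#) would extend these grants to every address under that prefix.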
For further details about configuring message addresses and role-based security in the broker.xml configuration file, see the corresponding topic in the Artemis documentation.
The users list and the users/roles mapping are set through two files (the file names are mandatory):
- artemis-users.properties: contains the list of authorized user credentials, one user per line
- artemis-roles.properties: contains the roles/users mapping, one role per line
This configuration is done through parameters stored in the container configuration file. This file is supplied through the CONTAINER_CONFIG environment variable. The parameters are:
| TLS parameter | Content | Possible values |
|---|---|---|
| kspwd | Server certificate keystore password | strong password value |
| tspwd | Server trusted certificates keystore password | strong password value |
| ksipwd | Cluster internal certificate keystore password | strong password value |
| twowayauth | Enabling two-way client authentication | true or false |
| verifyhost | Client host domain verification | true or false |

| JVM parameter | Content | Possible values |
|---|---|---|
| minmem | JVM heap minimum memory allocation | Value that depends on the RAM allocated to the container |
| maxmem | JVM heap maximum memory allocation | Value that depends on the RAM allocated to the container |
| jvmgc | JVM garbage collector setting | G1GC or ConcMarkSweepGC |
| ipv4 | IPv4 preference enabling | true or false |
When two-way client authentication is enabled, clients that want to connect to and use the server cluster must present a certificate that is trusted by the servers. In addition, if client host domain verification is enabled, the client must be running on a host in the domain contained in the certificate it presents.