The message addresses you need must be added to the main configuration file template, broker.xml.tmpl. This customization is done within the <addresses> element, at the location marked by the comment “Add here the configuration of your addresses”. The following example adds an address called functionalTrace.accounting:
<address name="functionalTrace.accounting"/>
A role-based security policy can be set by customizing the <security-settings> element. The default configuration simply grants some rights to the default amq role. Adding other roles and/or modifying the existing configuration should be done in this element of the configuration file template, at the location marked by the comment “Add here the configuration of your additional role-based security settings”. The following example adds a security setting for the functionalTrace.accounting address added above, assuming that functrace is an additional role (see below):
<security-setting match="functionalTrace.accounting">
    <permission type="createNonDurableQueue" roles="functrace"/>
    <permission type="createDurableQueue" roles="functrace"/>
    ....
    ....
</security-setting>
For further details about configuring message addresses and role-based security in the broker.xml configuration file, see the corresponding topics in the Artemis documentation.
The users list and the users/roles mapping are set through two files (the file names are mandatory):
- artemis-users.properties: contains the list of authorized users' credentials, one user per line
- artemis-roles.properties: contains the roles/users mapping, one role per line
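As an added example (not the project's own code), the following Python script cross-checks a broker.xml against artemis-roles.properties: every declared address should be covered by a security-setting, and every permission should name only roles that exist in the roles file. The broker.xml fragment and roles file are constructed for the example, and wildcard handling is simplified to exact matches plus the `#` catch-all.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, not the project's own files: a broker.xml fragment and a roles file.
SAMPLE_BROKER_XML = """<core xmlns="urn:activemq:core">
  <security-settings>
    <security-setting match="functionalTrace.accounting">
      <permission type="createNonDurableQueue" roles="functrace"/>
      <permission type="consume" roles="functrace,auditor"/>
    </security-setting>
  </security-settings>
  <addresses>
    <address name="functionalTrace.accounting"/>
    <address name="functionalTrace.billing"/>
  </addresses>
</core>"""

SAMPLE_ROLES = """# constructed artemis-roles.properties: one 'role = user1,user2' line per role
amq = admin
functrace = trace-svc
"""

def parse_roles(text):
    """Parse artemis-roles.properties into {role: set(users)}; blank and '#' lines are skipped."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        role, _, users = line.partition("=")
        roles[role.strip()] = {u.strip() for u in users.split(",") if u.strip()}
    return roles

def check_broker(broker_xml, roles_text):
    """Return findings: addresses without a security-setting (exact match or the '#' catch-all;
    other Artemis wildcards are not expanded) and permissions granted to roles missing from the roles file."""
    root = ET.fromstring(broker_xml)  # '{*}' in the paths below matches any namespace (urn:activemq:core)
    roles = parse_roles(roles_text)
    settings = list(root.iterfind(".//{*}security-setting"))
    matches = {s.get("match") for s in settings}
    findings = []
    for addr in sorted(a.get("name") for a in root.iterfind(".//{*}address")):
        if addr not in matches and "#" not in matches:
            findings.append(f"address {addr} has no security-setting")
    for s in settings:
        for perm in s.iterfind("{*}permission"):
            for role in (r.strip() for r in perm.get("roles", "").split(",")):
                if role and role not in roles:
                    findings.append(f"{s.get('match')}: permission {perm.get('type')} grants unknown role {role}")
    return findings
```

Run it against the rendered broker.xml and the roles file before starting the container; an empty findings list means every address is covered and no permission refers to a role nobody is mapped to.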
The TLS and JVM settings are configured through parameters stored in the container configuration file, whose path is supplied through the CONTAINER_CONFIG environment variable. Those parameters are:

TLS parameter | Content | Possible values
---|---|---
kspwd | Server certificate keystore password | strong password value
tspwd | Server trusted certificates keystore password | strong password value
ksipwd | Cluster internal certificate keystore password | strong password value
twowayauth | Enables two-way client authentication | true or false
verifyhost | Enables client host domain verification | true or false

JVM parameter | Content | Possible values
---|---|---
minmem | JVM heap minimum memory allocation | Value that depends on the RAM allocated to the container
maxmem | JVM heap maximum memory allocation | Value that depends on the RAM allocated to the container
jvmgc | JVM garbage collector setting | G1GC or ConcMarkSweepGC
ipv4 | Enables IPv4 preference | true or false
When two-way client authentication is enabled, clients that want to connect to and use the server cluster must present a certificate trusted by the servers. In addition, if client host domain verification is enabled, the client must run on a host in the domain contained in the certificate it presents.