I want to secure my ENTM and my ActiveMQ. How can I do it?

Document ID : KB000124091
Last Modified Date : 03/01/2019
Introduction:
After scanning a CA PAM SC 14.0 installation it was found that the ActiveMQ administration console (https://IP:8161/) is publicly accessible. This must be restricted in two ways:
  • Totally disabling access to the ActiveMQ administration URL
  • Replacing the self-signed certificate with a certificate issued by a trusted certification authority
The same operation, replacing the self-signed SSL certificate, is required for the JBoss component of ENTM.
Environment:
CA PAM SC 14.0 and CA PIM 14.0
Instructions:
To totally disable access to the ActiveMQ console, perform the following steps:
  • Stop the activemq service 
  • Navigate to <ActiveMQ_HOME>/conf location 
  • Open activemq.xml for editing and comment out the following line, which loads the Jetty web console:
<import resource="jetty.xml"/>
so that it reads:
<!--<import resource="jetty.xml"/>-->
  • Restart the activemq service 
To create a certificate signed by a third-party certification authority and replace the self-signed certificate in ActiveMQ, follow these steps. (On Windows the openssl command is found under <ActiveMQ_HOME>/install/windowsX64/; keytool is in the bin directory of the Java installation.)
  • Use openssl or keytool to generate a certificate signing request:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
or
keytool -genkey -alias acmq -keyalg RSA -keystore KeyStore.jks -keysize 2048
keytool -certreq -alias acmq -keystore KeyStore.jks -file server.csr

While generating the key you will be asked for the subject details of the certificate (OU, CN, name, etc.).
  • Once you have the certificate signing request (CSR), submit it to your certification authority and get back a certificate (in .crt or .cer format) issued for that CSR. Let's call it server.crt.
Note: if you use keytool, the private key is not directly exportable from the JKS keystore. Convert the keystore to PKCS#12 and then extract the key, server.key, with openssl:
keytool -importkeystore -srckeystore KeyStore.jks -destkeystore KeyStore.p12 -deststoretype PKCS12
openssl pkcs12 -in KeyStore.p12  -nodes -nocerts -out server.key
  • You will also need your root certification authority certificate, root.cer, and the certificates of any intermediate certification authorities in the chain; let's call them intermediate.cer.
  • You can do a sanity check to make sure that the key, the CSR and the certificate match by running the following:
openssl x509 -noout -modulus -in server.crt | openssl md5 
openssl rsa -noout -modulus -in server.key | openssl md5 
openssl req -noout -modulus -in server.csr | openssl md5 
The three hashes must match.
  • Next, create a single file comprising the root CA certificate, the intermediate CA certificate(s) and the certificate signed by the CA:
cat root.cer intermediate.cer server.crt > myserver.crt (UNIX/Linux)
copy /B root.cer+intermediate.cer+server.crt myserver.crt (Windows)
  • Stop the Access Control Services
  • Stop the ActiveMQ Service
  • Navigate to <ActiveMQ_HOME>\install
  • Back up the following files:
    • MY.crt
    • MY.csr
    • MY.key
These are the self-signed certificate and key that ActiveMQ has been using so far.
  • Navigate to <ActiveMQ_HOME>\conf, back up the keystore file keystore.p12 and then delete the original.
  • Copy the server.key and myserver.crt files to the <ActiveMQ_HOME>\install location
  • Run the following command to generate the keystore file called keystore.p12 (the PBE-SHA1-3DES settings keep the PKCS#12 file readable by the Java keystore):
    • Windows:
<ActiveMQ_HOME>\install\windowsX64\openssl.exe pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -in <ActiveMQ_HOME>\install\myserver.crt -inkey <ActiveMQ_HOME>\install\server.key -out <ActiveMQ_HOME>\conf\keystore.p12 -password pass:COMMUNICATION_PASSWORD -name acmq
Here COMMUNICATION_PASSWORD is the password specified during installation for communications between ENTM, the endpoints and ActiveMQ.
    • Unix:
openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -in <ACTIVEMQ_HOME>/install/myserver.crt -inkey <ACTIVEMQ_HOME>/install/server.key -out <ACTIVEMQ_HOME>/conf/keystore.p12 -password pass:COMMUNICATION_PASSWORD -name acmq
  • Start ActiveMQ and PAM SC again
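The key/CSR/certificate sanity check, the chain bundle and the keystore.p12 export from the steps above, as an added, self-contained example (it is not part of this document and not CA's own tooling). Because the checks need something to run on, the script first builds a throwaway root CA, intermediate CA and server certificate with openssl; the subjects, file names, the acmq alias reuse and the password value are constructed for the demo, and in a real installation the bundle, key and password come from your CA and from the COMMUNICATION_PASSWORD chosen at install time. Beyond the article's modulus check it also runs openssl verify over the chain, which catches a wrong or missing intermediate before ActiveMQ is touched.

```shell
#!/bin/sh
# Added example, not part of the CA knowledge document.
# Builds a constructed root CA -> intermediate CA -> server certificate chain,
# then runs the modulus sanity check, bundles the chain, verifies it and
# exports a Java-compatible PKCS#12 keystore the way the article does.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEMO_PASS='COMMUNICATION_PASSWORD'   # placeholder; use the real communication password

# Minimal openssl config per certificate so the demo does not depend on the system openssl.cnf.
write_cnf() {   # $1 = config file, $2 = CN, $3 = 1 for a CA certificate, 0 for a leaf
  printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n[dn]\nCN=%s\n[ext]\n' "$2" > "$1"
  if [ "$3" = 1 ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$1"
  else
    printf 'basicConstraints=CA:FALSE\n' >> "$1"
  fi
}

# Constructed CA chain standing in for the third-party certification authority.
build_demo_chain() {
  write_cnf "$WORK/root.cnf" "Demo Root CA" 1
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/root.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
  write_cnf "$WORK/int.cnf" "Demo Intermediate CA" 1
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/int.cnf" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/int.cnf" -extensions ext -out "$WORK/intermediate.cer" 2>/dev/null
  # Server key and CSR (the article's 'openssl req -new -newkey' step), then the
  # certificate the CA hands back for that CSR, signed by the intermediate.
  write_cnf "$WORK/server.cnf" "activemq.example.invalid" 0
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/intermediate.cer" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/server.cnf" -extensions ext -out "$WORK/server.crt" 2>/dev/null
}

# The article's sanity check: certificate, private key and CSR must carry the same RSA modulus.
modulus_match() {   # $1 = certificate, $2 = private key, $3 = CSR; exit 0 only if all three agree
  c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
  k=$(openssl rsa  -noout -modulus -in "$2" | openssl md5)
  r=$(openssl req  -noout -modulus -in "$3" | openssl md5)
  [ "$c" = "$k" ] && [ "$k" = "$r" ]
}

# Bundle in the order the article gives: root CA, intermediate CA(s), server certificate.
bundle_chain() {   # $1 = output bundle, remaining args = certificates in chain order
  out=$1; shift
  cat "$@" > "$out"
  grep -c 'BEGIN CERTIFICATE' "$out"   # prints the number of certificates bundled
}

# Extra check worth doing before touching ActiveMQ: the server certificate must chain to the root.
chain_verifies() {   # $1 = root CA certificate, $2 = intermediate certificate(s), $3 = server certificate
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# The keystore.p12 export from the article, with the PBE-SHA1-3DES settings the Java
# keystore expects; prints the number of certificates stored in the resulting keystore.
build_keystore() {   # $1 = bundle, $2 = private key, $3 = output .p12, $4 = password, $5 = alias
  openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
    -in "$1" -inkey "$2" -out "$3" -password "pass:$4" -name "$5"
  openssl pkcs12 -in "$3" -passin "pass:$4" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

build_demo_chain
BUNDLE_CERTS=$(bundle_chain "$WORK/myserver.crt" "$WORK/root.cer" "$WORK/intermediate.cer" "$WORK/server.crt")
KEYSTORE_CERTS=$(build_keystore "$WORK/myserver.crt" "$WORK/server.key" "$WORK/keystore.p12" "$DEMO_PASS" acmq)
if modulus_match "$WORK/server.crt" "$WORK/server.key" "$WORK/server.csr" \
   && chain_verifies "$WORK/root.cer" "$WORK/intermediate.cer" "$WORK/server.crt"; then
  echo "key, CSR and certificate match; chain verifies; bundle=$BUNDLE_CERTS certs; keystore=$KEYSTORE_CERTS certs"
fi
```

Run it with plain sh on a host that has openssl; the only output on success is the summary line. For a real deployment substitute the files received from your CA for the constructed ones, keep the bundle order root, intermediate(s), server as the article states, and treat a failing modulus_match or chain_verifies as a stop signal before deleting the existing keystore.p12.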
To create a certificate signed by a third-party certification authority and replace the self-signed certificate in JBoss, the steps are the following:
  • Go to C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\custom\ppm\truststore
  • Extract the private key from the keystore; we will need it to create the CSR:
keytool -importkeystore -srckeystore ssl.keystore -destkeystore ssl.p12 -deststoretype PKCS12 -srcalias entm -deststorepass <password> -destkeypass <password>
openssl pkcs12 -in ssl.p12 -nodes -nocerts -out sslkey.pem
You now have sslkey.pem, which you can use to create a CSR.
  • Now create a certificate request 
openssl req -new -key sslkey.pem -out sslreq.pem 
  • Submit the certificate request to your certification authority; let's call the signed certificate you receive sslcert.pem.
  • Verify that all three (CSR, key and received certificate) are consistent; the three hashes must match:
openssl x509 -noout -modulus -in sslcert.pem | openssl md5 
openssl rsa -noout -modulus -in sslkey.pem | openssl md5 
openssl req -noout -modulus -in sslreq.pem | openssl md5 
  • Once we are sure of this, we also need the root and intermediate certification authority certificates in PEM (or Base64 .cer, it doesn't matter much) format, combined into a single file; let's call it CAcert.pem.
  • If the chain consists of, say, root.pem, subca1.pem and subca2.pem, you can create it with:
copy /B root.pem+subca1.pem+subca2.pem CAcert.pem (Windows)
cat root.pem subca1.pem subca2.pem > CAcert.pem (UNIX/Linux)
  • Now combine the CA chain, the certificate and its key in a PKCS#12 store:
openssl pkcs12 -export -out entm.keystore.p12 -inkey sslkey.pem -in sslcert.pem -certfile CAcert.pem
  • Finally, merge the new store into the old one (original_alias is the alias openssl gave the entry in entm.keystore.p12; if unsure, list the store with keytool -list -storetype pkcs12):
keytool -importkeystore -srckeystore entm.keystore.p12 -destkeystore ssl.keystore -srcstoretype pkcs12 -deststoretype jks -srcalias original_alias -destalias entm -deststorepass <keystore password> -destkeypass <key password>
  • Make sure you have copies of all the certificates, the old keystore, etc. before you do anything.
  • Now we need to mangle (encrypt) the keystore password and save it in keystore.password. In the following example, welcometojboss is the Salt, 13 is the IterationCount and changeme is the new keystore password (given as <keystore password> in the command below).
  • Use the same Salt and IterationCount values as defined in the jboss-service.xml file:
java -cp E:/jboss-4.2.3.GA/server/default/lib/jbosssx.jar org.jboss.security.plugins.FilePassword welcometojboss 13 <keystore password> keystore.password
  • Delete all files except ssl.keystore and keystore.password from the truststore directory:
JBoss_HOME/server/default/deploy/IdentityMinder.ear/custom/ppm/truststore
  • Navigate to the following directory and locate the server.xml file:
JBoss_HOME/server/default/deploy/jboss-web.deployer
  • Locate the Connector tag for port 18443. It should appear as follows:

<Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false" emptySessionPath="true" keyAlias="entm" keystoreFile="E:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\custom\ppm\truststore\ssl.keystore" keystorePass="secret" maxThreads="150" port="18443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/> 
Update this tag to look like the following: 
<Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false" emptySessionPath="true" keyAlias="entm" maxThreads="150" port="18443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" securityDomain="java:/jaas/encrypt-keystore-password" SSLImplementation="org.jboss.net.ssl.JBossImplementation"/> 
  • Locate the jboss-service.xml file in the following directory:
JBoss_HOME/server/default/deploy/jboss-web.deployer/META-INF

  • Add the following mbean between the <server> and </server> tags:
<mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=PBESecurityDomain">
<constructor>
<arg type="java.lang.String" value="encrypt-keystore-password"></arg>
</constructor>
<attribute name="KeyStoreURL">${jboss.server.home.dir}/deploy/IdentityMinder.ear/custom/ppm/truststore/ssl.keystore</attribute>
<attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/deploy/IdentityMinder.ear/custom/ppm/truststore/keystore.password</attribute>
<attribute name="Salt">welcometojboss</attribute>
<attribute name="IterationCount">13</attribute>
</mbean>

Important: Verify that Salt and IterationCount use the same values that were used to mangle the password.

  • Save and close the jboss-service.xml.

  • Start the JBoss application server service.
Additional Information:
Please see
https://docops.ca.com/ca-privileged-identity-manager/14-0/en/implementing/communication-encryption/replace-the-default-ssl-certificates
for more information. The present document provides a step-by-step procedure for replacing the certificates, to further clarify the steps in that documentation.