Add support for SSL

README.markdown

@@ -51,3 +51,8 @@ To disable this behavior, pass in webconsole => false to the class.  e.g.
       }
     }
 
+# SSL Support #
+
+This package includes support for SSL. To enable SSL, follow the process
+outlined in the [ActiveMQ SSL documentation](http://activemq.apache.org/how-do-i-use-ssl.html),
+and then set the ssl class parameter to true. The default is no ssl, or false.

manifests/init.pp

@@ -38,21 +38,27 @@
   $mq_cluster_username     = $activemq::params::mq_cluster_username,
   $mq_cluster_password     = $activemq::params::mq_cluster_password,
   $mq_cluster_brokers      = $activemq::params::mq_cluster_brokers,
+  $mco_middleware_password = $activemq::params::mco_middleware_password,
+  $keystore_password       = $activemq::params::keystore_password,
+  $ssl                     = $activemq::params::ssl,
 ) inherits activemq::params {
 
   validate_re($ensure, '^running$|^stopped$')
   validate_re($version, '^present$|^latest$|^[~+._0-9a-zA-Z:-]+$')
   validate_bool($webconsole)
 
-  $package_real = $package
-  $version_real = $version
-  $ensure_real  = $ensure
-  $webconsole_real = $webconsole
+  $package_real                 = $package
+  $version_real                 = $version
+  $ensure_real                  = $ensure
+  $webconsole_real              = $webconsole
+  $ssl_real                     = $ssl
   $mq_admin_username_real       = $mq_admin_username
   $mq_admin_password_real       = $mq_admin_password
   $mq_cluster_username_real     = $mq_cluster_username
   $mq_cluster_password_real     = $mq_cluster_password
   $mq_cluster_brokers_real      = $mq_cluster_brokers
+  $mco_middleware_password_real = $mco_middleware_password
+  $keystore_password_real       = $keystore_password
 
   if $mq_admin_username_real == 'admin' {
     warning '$mq_admin_username is set to the default value.  This should be changed.'
@@ -62,6 +68,14 @@
     warning '$mq_admin_password is set to the default value.  This should be changed.'
   }
 
+  if $mco_middleware_password_real == 'marionette' {
+    warning '$mco_middleware_password is set to the default value.  This should be changed.'
+  }
+
+  if $keystore_password_real == 'mcollective' {
+    warning '$keystore_password is set to the default value.  This should be changed.'
+  }
+
   if size($mq_cluster_brokers_real) > 0 and $mq_cluster_username_real == 'amq' {
     warning '$mq_cluster_username is set to the default value.  This should be changed.'
   }

manifests/params.pp

@@ -13,6 +13,9 @@
   $mq_cluster_username     = 'amq'
   $mq_cluster_password     = 'secret'
   $mq_cluster_brokers      = []
+  $mco_middleware_password = 'marionette'
+  $keystore_password       = 'mcollective'
+  $ssl                     = false
 
   # Debian does not include the webconsole
   case $::osfamily {

templates/activemq.xml.erb

@@ -15,25 +15,49 @@
 
 <% end -%>
 <% if @version == 'present' or @version == 'latest' or scope.function_versioncmp([@version, '5.9']) < 0 -%>
-    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="<%= @mq_broker_name %>" useJmx="true">
+    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="<%= @mq_broker_name %>" useJmx="true" schedulePeriodForDestinationPurge="60000" destroyApplicationContextOnStop="true">
 <% else -%>
-    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="<%= @mq_broker_name %>" useJmx="true" dataDirectory="${activemq.data}">
+    <broker xmlns="http://activemq.apache.org/schema/core" brokerName="<%= @mq_broker_name %>" useJmx="true" dataDirectory="${activemq.data}" schedulePeriodForDestinationPurge="60000">
 <% end -%>
+
+        <destinationPolicy>
+          <policyMap>
+            <policyEntries>
+              <policyEntry topic=">" producerFlowControl="false"/>
+              <policyEntry queue="*.reply.>" gcInactiveDestinations="true" inactiveTimoutBeforeGC="300000" />
+            </policyEntries>
+          </policyMap>
+        </destinationPolicy>
+
         <managementContext>
             <managementContext createConnector="false"/>
         </managementContext>
+        <!--
+            Configure message persistence for the broker. The default persistence
+            mechanism is the KahaDB store (identified by the kahaDB tag).
+            For more information, see:
+
+            http://activemq.apache.org/persistence.html
+        -->
+        <persistenceAdapter>
+            <kahaDB directory="${activemq.data}/KahaDB"/>
+        </persistenceAdapter>
 
 <% if @mq_cluster_brokers_real.length > 1 -%>
         <!--
-          Configure network connectors for a network of brokers. 
+          Configure network connectors for a network of brokers.
           In this config, all brokers are connected to each other.
         -->
         <networkConnectors>
   <%- @mq_cluster_brokers_real.each do |broker| -%>
     <%- if broker != mq_broker_name -%>
           <networkConnector
                 name="<%= @mq_broker_name %>-<%= broker %>-topics"
+                <% if @ssl_real -%>
+                uri="static:(ssl://<%= broker -%>:61617)"
+                <% else -%>
                 uri="static:(tcp://<%= broker %>:61616)"
+                <% end -%>
                 userName="<%= @mq_cluster_username_real %>"
                 password="<%= @mq_cluster_password_real %>"
                 duplex="false"
@@ -46,7 +70,11 @@
           </networkConnector>
           <networkConnector
                 name="<%= @mq_broker_name %>-<%= broker %>-queues"
+                <% if @ssl_real -%>
+                uri="static:(ssl://<%= broker %>:61617)"
+                <% else -%>
                 uri="static:(tcp://<%= broker %>:61616)"
+                <% end -%>
                 userName="<%= @mq_cluster_username_real %>"
                 password="<%= @mq_cluster_password_real %>"
                 duplex="false"
@@ -70,7 +98,7 @@
 <% if @mq_cluster_brokers_real.length > 1 -%>
               <authenticationUser username="<%= @mq_cluster_username_real %>" password="<%= @mq_cluster_password_real %>" groups="admins,everyone"/>
 <% end -%>
-              <authenticationUser username="mcollective" password="marionette" groups="mcollective,everyone"/>
+              <authenticationUser username="mcollective" password="<%= @mco_middleware_password_real %>" groups="mcollective,everyone"/>
               <authenticationUser username="<%= @mq_admin_username_real %>" password="<%= @mq_admin_password_real %>" groups="mcollective,admins,everyone"/>
             </users>
           </simpleAuthenticationPlugin>
@@ -102,10 +130,23 @@
                 </tempUsage>
             </systemUsage>
         </systemUsage>
-
+		<% if @ssl_real -%>
+			<!--
+			configures keystores.
+			-->
+        <sslContext>
+          <sslContext
+             keyStore="keystore.jks" keyStorePassword="<%= @keystore_password %>"
+             trustStore="truststore.jks" trustStorePassword="<%= @keystore_password %>"
+          />
+        </sslContext>
+		<% end -%>
         <transportConnectors>
             <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
-            <transportConnector name="stomp+nio" uri="stomp://0.0.0.0:61613"/>
+            <% if @ssl_real -%>
+      			<transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
+       			<transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
+            <% end -%>
         </transportConnectors>
     </broker>
 

templates/default/activemq.xml

@@ -10,12 +10,21 @@
         <managementContext>
             <managementContext createConnector="false"/>
         </managementContext>
+        <!--
+            Configure message persistence for the broker. The default persistence
+            mechanism is the KahaDB store (identified by the kahaDB tag).
+            For more information, see:
 
+            http://activemq.apache.org/persistence.html
+        -->
+        <persistenceAdapter>
+            <kahaDB directory="${activemq.data}/KahaDB"/>
+        </persistenceAdapter>
         <plugins>
           <statisticsBrokerPlugin/>
           <simpleAuthenticationPlugin>
             <users>
-              <authenticationUser username="mcollective" password="marionette" groups="mcollective,everyone"/>
+              <authenticationUser username="mcollective" password="<%= @mco_middleware_password_real %>" groups="mcollective,everyone"/>
               <authenticationUser username="admin" password="secret" groups="mcollective,admin,everyone"/>
             </users>
           </simpleAuthenticationPlugin>