Security scanning tools find ActiveMQ ports 61613, 61616, 61617, and 61222 using an expired SSL certificate on MAG

  • 7010673
  • 23-Aug-2012
  • 27-Aug-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
NetIQ Access Manager 3.2

Situation

Security scanning tools find that ActiveMQ port 61617 is using an expired SSL certificate.

Resolution

Open the following file in a text editor:
/opt/novell/activemq/conf/activemq.xml

Find the following lines:
        <transportConnector name="ssl" uri="ssl://localhost:61617"/>
        <transportConnector name="stomp" uri="stomp://localhost:61613"/>
        <transportConnector name="xmpp" uri="xmpp://localhost:61222"/>

Change the lines to:
        <transportConnector name="ssl" uri="ssl://127.0.0.1:61617"/>
        <transportConnector name="stomp" uri="stomp://127.0.0.1:61613"/>
        <transportConnector name="xmpp" uri="xmpp://127.0.0.1:61222"/>


Restart ActiveMQ: /etc/init.d/novell-activemq restart

Check whether the ports are still listening on the wildcard address (:::*), or re-scan with your security scanning software.
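One way to script the listener check (an added example, not part of the original document or the product's tooling): the function below reads `netstat -tln` or `ss -ltn` output and reports any ActiveMQ port that is bound to a non-loopback address. The port list is taken from the title of this document; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ActiveMQ listeners that are reachable off-host.
# Port list taken from the document title; function names are hypothetical.
ACTIVEMQ_PORTS="61613 61616 61617 61222"

# Reads `netstat -tln` or `ss -ltn` output on stdin (the local address is
# field 4 in both) and prints "port address" for every ActiveMQ port whose
# listener is bound to anything other than a loopback address.
exposed_activemq_ports() {
    awk -v ports="$ACTIVEMQ_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        match($4, /:[0-9]+$/) {
            port = substr($4, RSTART + 1)
            addr = substr($4, 1, RSTART - 1)
            if (!(port in want)) next
            # Loopback forms: 127.x.x.x, ::1, and the IPv4-mapped form that a
            # dual-stack Java socket may report (::ffff:127.0.0.1).
            if (addr ~ /^127\./ || addr ~ /^\[?::1\]?$/ || addr ~ /^\[?::ffff:127\./) next
            print port, addr
        }'
}

# Constructed sample: listeners before the change (wildcard bind, ":::port").
sample_before() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::61613                :::*                    LISTEN
tcp        0      0 :::61617                :::*                    LISTEN
tcp        0      0 :::61222                :::*                    LISTEN
EOF
}

# Constructed sample: listeners after binding the connectors to 127.0.0.1.
sample_after() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 ::ffff:127.0.0.1:61613  :::*                    LISTEN
tcp        0      0 ::ffff:127.0.0.1:61617  :::*                    LISTEN
tcp        0      0 ::ffff:127.0.0.1:61222  :::*                    LISTEN
EOF
}

echo "before:"; sample_before | exposed_activemq_ports
echo "after:";  sample_after  | exposed_activemq_ports
# On the gateway itself: netstat -tln | exposed_activemq_ports
```

Empty output means none of the listed ports is bound off-host; any line printed names a port that a network scanner can still reach.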

Cause

This is due to a bug in ActiveMQ. Even though the config file specifies that it should listen on localhost only, it still listens on the public interface. The problem has been reported to engineering.