Re: Cannot login on Artemis in Docker container based on FIPS-compliant Ubuntu image

Ievgenii Lopushen Wed, 26 Nov 2025 05:55:42 -0800

Hi Domenico
Thank you for your reply

ran a check from inside the container:


artemis check node
NOTE: Picked up JDK_JAVA_OPTIONS:
--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
--add-exports=java.base/sun.security.provider=ALL-UNNAMED
--add-opens=java.base/java.security=ALL-UNNAMED
-Djavax.net.ssl.trustStoreType=FIPS
Picked up JAVA_TOOL_OPTIONS: --module-path=/usr/share/java/bouncycastle-fips
Connection brokerURL = tcp://localhost:61616
Connection failed::AMQ229031: Unable to validate user from 127.0.0.1:58194.
Username: null; SSL certificate subject DN: unavailable

--user:
Type the username for a retry
artemis

--password: is mandatory with this configuration:
Type the password for a retry

NodeCheck failed. Reason:
org.apache.activemq.artemis.api.core.ActiveMQSecurityException:
[errorType=SECURITY_EXCEPTION message=AMQ229031: Unable to validate user
from 127.0.0.1:40246. Username: artemis; SSL certificate subject DN:
unavailable]

The check does not go through even though I used the credentials that i've
specified when creating the instance.

I have no jcmd in my container, but from ps I see:

ps aux | grep java
artemis        1  0.8  6.2 8467620 511192 ?      Ssl  02:50   5:40
[rosetta] /usr/lib/jvm/java-21-openjdk-amd64/bin/java
/usr/lib/jvm/java-21-openjdk-amd64/bin/java
-Djava.security.auth.login.config=/var/lib/artemis-instance/etc/login.config
-Dhawtio.realm=activemq -Dhawtio.role=amq
-Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal
-Djolokia.policyLocation=/var/lib/artemis-instance/etc/jolokia-access.xml
-Dhawtio.roles=amq
-Djava.security.auth.login.config=/var/lib/artemis-instance/etc/login.config
-classpath /opt/activemq-artemis/lib/artemis-boot.jar
-Dartemis.home=/opt/activemq-artemis
-Dartemis.instance=/var/lib/artemis-instance
-Djava.library.path=/opt/activemq-artemis/bin/lib/linux-x86_64
-Djava.io.tmpdir=/var/lib/artemis-instance/tmp
-Ddata.dir=/var/lib/artemis-instance/data
-Dartemis.instance.etc=/var/lib/artemis-instance/etc
-Dhawtio.authenticationEnabled=false
-Djava.security.debug=loginconfig,config,parser,access,failure
org.apache.activemq.artemis.boot.Artemis run
root        1545  0.0  0.0   3640  2244 ?        S+   13:32   0:00 grep
--color=auto java

So
-Djava.security.auth.login.config=/var/lib/artemis-instance/etc/login.config
and the contents of /var/lib/artemis-instance/etc/login.config is:

activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule
sufficient
       debug=false
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";

   org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule
sufficient
       debug=false
       org.apache.activemq.jaas.guest.user="artemis"
       org.apache.activemq.jaas.guest.role="amq";
};

Thank you!



On Wed, Nov 26, 2025 at 8:33 AM Domenico Francesco Bruscino <
[email protected]> wrote:

> Hi Yevhenii,
>
> the error "No LoginModules configured for" is usually due to a wrong login
> configuration.Can you double-check you are able to connect to an acceptor
> by using the artemis CLI?
> If the artemis CLI works, can you share the content of the file defined by
> the java.security.auth.login.config system property in the container?
> By default, the java.security.auth.login.config system property is defined
> in the bin/artemis script. You could use jcmd to double-check the property
> value in the container, i.e. jcmd <PID> VM.system_properties.
>
> Regards,
> Domenico
>
> On Tue, 25 Nov 2025 at 19:02, Ievgenii Lopushen <[email protected]>
> wrote:
>
> > Hi
> > I'm trying to build a Docker image with Artemis in it. The image is based
> > on Ubuntu 22.04 with FIPS turned on and JRE 21 installed. For Java I am
> > using Bouncycastle as my security provider, hence overriding the
> > java.security file with such providers:
> >
> >
> >
> security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> >
> security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
> > fips:BCFIPS
> > security.provider.3=SUN
> >
> > When starting the container, Artemis does launch and I'm able to create
> an
> > Artemis instance. However, I cannot login to the web console. No matter
> the
> > credentials I specify I get:
> >
> > [io.hawt.system.Authenticator] Login failed due to: No LoginModules
> > configured for activemq
> >
> > Even though on identical default installation on host machine with Ubuntu
> > or MacOS works fine.
> > Is there any additional configuration that should be applied to login or
> > can it be related to FIPS?
> > --
> >
> > All the best,
> >
> > Yevhenii
> >
>


-- 

All the best,

Yevhenii Lopushen

Re: Cannot login on Artemis in Docker container based on FIPS-compliant Ubuntu image

Reply via email to