How to Replace Embedded ActiveMQ with External Broker in IdentityIQ 8.4

Problem

The embedded ActiveMQ broker included with SailPoint IdentityIQ (IIQ) 8.4 often fails to start reliably, especially after system restarts or configuration changes. This instability can block the IdentityIQ application from fully initializing, delaying critical operations like provisioning or Data Extract execution.

In our case, the embedded broker frequently failed during Tomcat startup, resulting in long delays or requiring manual restarts. Log files also showed repeated messaging errors and queue lock issues.

Diagnosis

After several attempts to stabilize the embedded broker, we observed:

  • The embedded ActiveMQ instance is tightly coupled to the IIQ JVM, leading to memory and startup conflicts.
  • On RHEL 9.0, the embedded broker sometimes fails to bind to the default port or throws Java exceptions during initialization.
  • Messaging logs indicated problems with queue locks and lease renewal.
  • Embedded messaging lacks visibility and advanced configuration options (e.g., queue expiration, user authentication, statistics monitoring).

Solution

We replaced the embedded ActiveMQ broker with an external ActiveMQ 5.17.x instance running independently on RHEL 9.0.

This new setup uses JAAS-based authentication (file-based or Active Directory), separates the broker lifecycle from IIQ/Tomcat, and offers full control over queue behavior and logging. IdentityIQ is configured to connect via the External Broker setting under Global Settings.

Key benefits:

  • Reliable startup and service control via systemd
  • Ability to restart and manage ActiveMQ independently from IIQ
  • Full access to ActiveMQ web console for troubleshooting and monitoring
  • Easier debugging and log control
  • Secure authentication (e.g., via users.properties or AD groups)

GitHub repository with full setup:

https://github.com/yaseerhee/sailpoint-iiq-external-activemq

Includes:

  • activemq.xml with required queue definitions and JAAS integration
  • users.properties and groups.properties for role management
  • systemd service file
  • Full installation guide in README (English and Spanish)

SailPoint IIQ Settings Example:

  • Broker Type: External
  • Client Connection String: failover:(tcp://<host>:61616)?initialReconnectDelay=100&maxReconnectAttempts=5
  • Consumer/Producer/Admin usernames: From JAAS config
  • Statistics Queues:
    • queue://iiqBrokerStatsQueue
    • queue://iiqDestinationStatsQueue
    • queue://iiqSubscriptionStatsQueue

Let me know if you’d like to see a sample AD integration or the monitoring setup using the ActiveMQ console.

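A pre-deployment check for the file-based JAAS setup and the client connection string described above, as an added example that is not part of the original post or the linked repository. It assumes the usual `user=password` and `group=member,member` property layout; the account names, host name and weak-password list are constructed. Non-TLS endpoints are flagged because over `tcp://` the broker credentials cross the network unencrypted.

```python
import re

# Constructed sample data (not from the post or the linked repository).
SAMPLE_USERS = "admin=admin\niiqproducer=Xk9-constructed\niiqconsumer=iiqconsumer\n"
SAMPLE_GROUPS = "admins=admin,iiqadmin\nproducers=iiqproducer\n"
SAMPLE_URI = ("failover:(tcp://mq.example.internal:61616)"
              "?initialReconnectDelay=100&maxReconnectAttempts=5")
WEAK = {"admin", "password", "activemq", "changeme", "manager"}  # illustrative

def parse_props(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_jaas(users_text, groups_text):
    """Return (finding, account) tuples for users.properties/groups.properties."""
    users = parse_props(users_text)
    groups = {g: [m.strip() for m in v.split(",") if m.strip()]
              for g, v in parse_props(groups_text).items()}
    members = {m for ms in groups.values() for m in ms}
    findings = []
    for user, password in sorted(users.items()):
        # Default or guessable secret, e.g. a shipped admin=admin entry.
        if password.lower() == user.lower() or password.lower() in WEAK:
            findings.append(("weak-password", user))
        # Account can authenticate but has no role mapping.
        if user not in members:
            findings.append(("no-group", user))
    # Group entry naming an account that does not exist (typo or stale entry).
    for member in sorted(members - set(users)):
        findings.append(("unknown-member", member))
    return findings

def audit_uri(uri):
    """Return (scheme, host, port) for every endpoint that is not TLS."""
    endpoints = re.findall(r"([a-z+]+)://([^:/,()?]+):(\d+)", uri)
    return [(s, h, int(p)) for s, h, p in endpoints if "ssl" not in s]

if __name__ == "__main__":
    for finding in audit_jaas(SAMPLE_USERS, SAMPLE_GROUPS):
        print(*finding)
    for endpoint in audit_uri(SAMPLE_URI):
        print("plaintext-transport", *endpoint)
```

Run it against the real `users.properties`, `groups.properties` and the Client Connection String before pointing IdentityIQ at the broker.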