Problem
The embedded ActiveMQ broker included with SailPoint IdentityIQ (IIQ) 8.4 often fails to start reliably, especially after system restarts or configuration changes. This instability can block the IdentityIQ application from fully initializing, delaying critical operations like provisioning or Data Extract execution.
In our case, the embedded broker frequently failed during Tomcat startup, resulting in long delays or requiring manual restarts. Log files also showed repeated messaging errors and queue lock issues.
Diagnosis
After several attempts to stabilize the embedded broker, we observed:
- The embedded ActiveMQ instance tightly couples to the IIQ JVM, leading to memory and startup conflicts.
- On RHEL 9.0, the embedded broker sometimes fails to bind to the default port or throws Java exceptions during initialization.
- Messaging logs indicated problems with queue locks and lease renewal.
- Embedded messaging lacks visibility and advanced configuration options (e.g., queue expiration, user authentication, statistics monitoring).
Solution
We replaced the embedded ActiveMQ broker with an external ActiveMQ 5.17.x instance running independently on RHEL 9.0.
This new setup uses JAAS-based authentication (file-based or Active Directory), separates broker lifecycle from IIQ/Tomcat, and offers full control over queue behavior and logging. IdentityIQ is configured to connect via the External Broker setting under Global Settings.
Key benefits:
- Reliable startup and service control via systemd
- Ability to restart and manage ActiveMQ independently from IIQ
- Full access to ActiveMQ web console for troubleshooting and monitoring
- Easier debugging and log control
- Secure authentication (e.g., via users.properties or AD groups)
GitHub repository with full setup:
https://github.com/yaseerhee/sailpoint-iiq-external-activemq
Includes:
- activemq.xml with required queue definitions and JAAS integration
- users.properties and groups.properties for role management
- systemd service file
- Full installation guide in README (English and Spanish)
SailPoint IIQ Settings Example:
- Broker Type: External
- Client Connection String: failover:(tcp://<host>:61616)?initialReconnectDelay=100&maxReconnectAttempts=5
- Consumer/Producer/Admin usernames: From JAAS config
- Statistics Queues:
  - queue://iiqBrokerStatsQueue
  - queue://iiqDestinationStatsQueue
  - queue://iiqSubscriptionStatsQueue
Let me know if you’d like to see a sample AD integration or the monitoring setup using the ActiveMQ console.
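A sketch of the file-based JAAS wiring described above, as an added example that is not taken from the linked repository. The user names, group names (admins, iiq-producers, iiq-consumers) and the per-queue permissions are hypothetical, and the realm name activemq assumes the stock conf/login.config shipped with ActiveMQ 5.x.

```xml
<!-- Added example: goes inside the <broker> element of conf/activemq.xml.

     Assumed companion files in conf/ (names and values are placeholders):

     login.config (realm "activemq", as in the stock 5.x distribution):
       activemq {
         org.apache.activemq.jaas.PropertiesLoginModule required
           org.apache.activemq.jaas.properties.user="users.properties"
           org.apache.activemq.jaas.properties.group="groups.properties";
       };

     users.properties (user=password):
       iiqadmin=CHANGE_ME
       iiqproducer=CHANGE_ME
       iiqconsumer=CHANGE_ME

     groups.properties (group=comma separated users):
       admins=iiqadmin
       iiq-producers=iiqproducer
       iiq-consumers=iiqconsumer
-->
<plugins>
  <!-- Every connection must authenticate against the JAAS realm "activemq" -->
  <jaasAuthenticationPlugin configuration="activemq"/>

  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <!-- Default for any destination not listed below: admins only -->
          <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
          <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>

          <!-- Statistics queues from the IIQ settings above. ActiveMQ wildcards match
               dot-separated segments, so "iiq>" would not cover these; list each one.
               Other queues IIQ uses need their own entries. -->
          <authorizationEntry queue="iiqBrokerStatsQueue" read="iiq-consumers" write="iiq-producers" admin="admins"/>
          <authorizationEntry queue="iiqDestinationStatsQueue" read="iiq-consumers" write="iiq-producers" admin="admins"/>
          <authorizationEntry queue="iiqSubscriptionStatsQueue" read="iiq-consumers" write="iiq-producers" admin="admins"/>

          <!-- Clients need the advisory topics to connect and track destinations -->
          <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins,iiq-producers,iiq-consumers" write="admins,iiq-producers,iiq-consumers" admin="admins,iiq-producers,iiq-consumers"/>
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
```

Because users.properties holds the broker credentials, restrict read access on it to the account that runs the ActiveMQ systemd service.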