topic Re: How to configure Monitoring of Java Virtual Machines with JMX with SSL/TLS using keytool? in All Apps and Add-ons

How to configure Monitoring of Java Virtual Machines with JMX with SSL/TLS using keytool?

s4tlarson — Tue, 29 Sep 2020 07:25:26 GMT

Looking through the options of the config.xml, I see the options to use jmxuser and jmxpass, but nothing about the transport encryption settings. In the jvm.config, I would like to use these arguments:

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=3333
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.ssl.enabled.protocols=TLSv1.2
-Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-Dcom.sun.management.jmxremote.authenticate=true

Generating an asynchronous key to match the cipher suite has been a chore, then I realized that no option in the config.xml for the APP would utilize these settings. Any advice from your experience to properly setup a secure connection?

Re: How to configure Monitoring of Java Virtual Machines with JMX with SSL/TLS using keytool?

Damien_Dallimor — Tue, 29 Sep 2020 07:24:43 GMT

Try following the steps here for the JConsole client connecting via SSL, which should be the same logic that the JMX App needs.

Once you have setup your keystore, you can then pass the JVM system arguments using the "additional_jvm_propertys" parameter

additional_jvm_propertys=javax.net.ssl.trustStore=mytruststore,javax.net.ssl.trustStorePassword=somepass

Re: How to configure Monitoring of Java Virtual Machines with JMX with SSL/TLS using keytool?

s4tlarson — Mon, 02 Nov 2015 17:02:36 GMT

OK I have made some good progress, I am able to monitor the ColdFusion JVM JMX data using jconsole from a remote machine with SSL using these settings on the webserver:

-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=3333
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.keyStore=JVMJMX.keystore

Then use these flags on the client:

>jconsole.exe -J-Djavax.net.ssl.trustStore=JVMJMX.truststore -J-Djavax.net.ssl.trustStorePassword=password hostname:3333

However, when I use the same flags in your JMX APP, I still have no connectivity (able to get it to work without SSL easily).

additional_jvm_propertys = javax.net.ssl.trustStore=%JAVA_HOME%/JVMJMX.truststore,javax.net.ssl.trustStorePassword=password

The hostname and the port haven't changed in the config.xml and worked when SSL was disabled.

I am still unable to use your JMX APP with SSL enabled, something is missing and my webserver is set up properly since I successfully connect using jconsole. Please advise.

Re: How to configure Monitoring of Java Virtual Machines with JMX with SSL/TLS using keytool?

Damien_Dallimor — Tue, 03 Nov 2015 03:05:02 GMT

%JAVA_HOME%

The JMX App can not do Windows Env Variable expansion , it is not a DOS shell 🙂

Re: How to configure Monitoring of Java Virtual Machines with JMX with SSL/TLS using keytool?

s4tlarson — Tue, 03 Nov 2015 17:13:01 GMT

Which directory should I store the keystore/truststore for the JMX APP?

Also when Splunking the java error I receive this notification that I am currently troubleshooting:

ERROR ExecProcessor - message from "python "D:\Program Files\Splunk\etc\apps\SPLUNK4JMX\bin\jmx.py"" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures

With the same settings on my webserver, jconsole connects without error using the same truststore.

Re: How to configure Monitoring of Java Virtual Machines with JMX with SSL/TLS using keytool?

Damien_Dallimor — Tue, 03 Nov 2015 17:23:45 GMT

I believe you can use any directory on your filesystem for the keystore/truststore files.