Looking through the options of the config.xml, I see the options to use jmxuser and jmxpass, but nothing about the transport encryption settings. In the jvm.config, I would like to use these arguments:
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=3333
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.ssl.enabled.protocols=TLSv1.2
-Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-Dcom.sun.management.jmxremote.authenticate=true
Generating an asynchronous key to match the cipher suite has been a chore; then I realized that no option in the config.xml for the APP would utilize these settings. Any advice from your experience on how to properly set up a secure connection?
%JAVA_HOME%
The JMX App cannot do Windows environment variable expansion; it is not a DOS shell 🙂
Which directory should I store the keystore/truststore for the JMX APP?
Also, when Splunking the Java error, I receive this notification, which I am currently troubleshooting:
ERROR ExecProcessor - message from "python "D:\Program Files\Splunk\etc\apps\SPLUNK4JMX\bin\jmx.py"" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures
With the same settings on my webserver, jconsole connects without error using the same truststore.
I believe you can use any directory on your filesystem for the keystore/truststore files.
Try following the steps here for the JConsole client connecting via SSL, which should be the same logic that the JMX App needs.
Once you have set up your keystore, you can then pass the JVM system arguments using the "additional_jvm_propertys" parameter:
additional_jvm_propertys=javax.net.ssl.trustStore=mytruststore,javax.net.ssl.trustStorePassword=somepass
OK, I have made some good progress: I am able to monitor the ColdFusion JVM JMX data using jconsole from a remote machine with SSL, using these settings on the webserver:
-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=3333
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.keyStore=JVMJMX.keystore
Then use these flags on the client:
>jconsole.exe -J-Djavax.net.ssl.trustStore=JVMJMX.truststore -J-Djavax.net.ssl.trustStorePassword=password hostname:3333
However, when I use the same flags in your JMX APP, I still have no connectivity (I am able to get it to work without SSL easily).
additional_jvm_propertys = javax.net.ssl.trustStore=%JAVA_HOME%/JVMJMX.truststore,javax.net.ssl.trustStorePassword=password
The hostname and the port haven't changed in the config.xml and worked when SSL was disabled.
I am still unable to use your JMX APP with SSL enabled; something is missing, and my webserver is set up properly, since I successfully connect using jconsole. Please advise.
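As an added example (not part of the thread or the SPLUNK4JMX app), a small pre-flight check for the additional_jvm_propertys value from the answer above: it parses the key=value list, flags a truststore path that still contains an unexpanded %JAVA_HOME%-style variable (the cause of the failure in the last post, since the app does not expand environment variables), and checks that the file exists. The comma-separated key=value format and the %VAR%/${VAR} syntax are assumptions based on the one example in the thread.

```python
import os
import re

# Assumption (the thread shows only one example): additional_jvm_propertys is a
# comma-separated list of key=value pairs, e.g.
#   javax.net.ssl.trustStore=mytruststore,javax.net.ssl.trustStorePassword=somepass
# Values that themselves contain commas are not supported by this parser.
_WIN_VAR = re.compile(r"%([^%]+)%")       # Windows style: %JAVA_HOME%
_SH_VAR = re.compile(r"\$\{([^}]+)\}")    # Unix style: ${JAVA_HOME}


def parse_jvm_properties(value):
    """Split the additional_jvm_propertys value into a {property: value} dict."""
    props = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"not a key=value pair: {item!r}")
        key, val = item.split("=", 1)  # only the first '=' separates key from value
        props[key.strip()] = val.strip()
    return props


def expand_variables(props, env):
    """Expand %VAR% and ${VAR} from env; this is what the JMX app itself does not do."""
    def sub(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"environment variable {name} is not set")
        return env[name]
    return {k: _SH_VAR.sub(sub, _WIN_VAR.sub(sub, v)) for k, v in props.items()}


def check_truststore_config(value, exists=os.path.exists):
    """List the problems a truststore setting would hit before any TLS handshake."""
    problems = []
    props = parse_jvm_properties(value)
    store = props.get("javax.net.ssl.trustStore")
    if store is None:
        return ["javax.net.ssl.trustStore is not set"]
    leftover = _WIN_VAR.findall(store) + _SH_VAR.findall(store)
    if leftover:
        problems.append(f"trustStore path contains unexpanded variable(s): {leftover}")
    elif not exists(store):
        problems.append(f"trustStore file not found: {store}")
    if "javax.net.ssl.trustStorePassword" not in props:
        problems.append("javax.net.ssl.trustStorePassword is not set")
    return problems
```

Running check_truststore_config on the value from the last post reports the unexpanded %JAVA_HOME%; expand_variables with the real environment gives the absolute path that should be written into config.xml instead.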