All Apps and Add-ons

How to configure Monitoring of Java Virtual Machines with JMX with SSL/TLS using keytool?

s4tlarson
Engager

Looking through the options of the config.xml, I see the options to use jmxuser and jmxpass, but nothing about the transport encryption settings. In the jvm.config, I would like to use these arguments:

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=3333
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Dcom.sun.management.jmxremote.ssl.enabled.protocols=TLSv1.2
-Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-Dcom.sun.management.jmxremote.authenticate=true

Generating an asynchronous key to match the cipher suite has been a chore, then I realized that no option in the config.xml for the APP would utilize these settings. Any advice from your experience to properly setup a secure connection?

0 Karma

Damien_Dallimor
Ultra Champion
%JAVA_HOME%

The JMX App can not do Windows Env Variable expansion , it is not a DOS shell 🙂

0 Karma

s4tlarson
Engager

Which directory should I store the keystore/truststore for the JMX APP?

Also when Splunking the java error I receive this notification that I am currently troubleshooting:

ERROR ExecProcessor - message from "python "D:\Program Files\Splunk\etc\apps\SPLUNK4JMX\bin\jmx.py"" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures

With the same settings on my webserver, jconsole connects without error using the same truststore.

0 Karma

Damien_Dallimor
Ultra Champion

I believe you can use any directory on your filesystem for the keystore/truststore files.

0 Karma

Damien_Dallimor
Ultra Champion

Try following the steps here for the JConsole client connecting via SSL, which should be the same logic that the JMX App needs.

Once you have setup your keystore, you can then pass the JVM system arguments using the "additional_jvm_propertys" parameter

additional_jvm_propertys=javax.net.ssl.trustStore=mytruststore,javax.net.ssl.trustStorePassword=somepass

alt text

s4tlarson
Engager

OK I have made some good progress, I am able to monitor the ColdFusion JVM JMX data using jconsole from a remote machine with SSL using these settings on the webserver:

-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=3333
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.keyStore=JVMJMX.keystore

Then use these flags on the client:

>jconsole.exe -J-Djavax.net.ssl.trustStore=JVMJMX.truststore -J-Djavax.net.ssl.trustStorePassword=password hostname:3333

However, when I use the same flags in your JMX APP, I still have no connectivity (able to get it to work without SSL easily).

additional_jvm_propertys = javax.net.ssl.trustStore=%JAVA_HOME%/JVMJMX.truststore,javax.net.ssl.trustStorePassword=password

The hostname and the port haven't changed in the config.xml and worked when SSL was disabled.

I am still unable to use your JMX APP with SSL enabled, something is missing and my webserver is set up properly since I successfully connect using jconsole. Please advise.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...