configuring JMX interface to use SSL


configuring JMX interface to use SSL

Brian Reichert
Has anyone configured the JMX interface to employ SSL in jetty 9?

The docs for JMX under jetty 9 don't call it out at all:

  http://www.eclipse.org/jetty/documentation/current/jmx-chapter.html#using-jmx

And my efforts to set the related properties in my start.ini file
don't seem to be honored:

  http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

Out of the box, there seem to be no diagnostics about jetty's
processing of these properties.

We're using jetty 9.3.8.v20160314, FWIW.  Please let me know if
there are any other particulars that would be useful here.

Thanks in advance for any pointers you may have.

--
Brian Reichert <[hidden email]>
BSD admin/developer at large
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Re: configuring JMX interface to use SSL

Joakim Erdfelt-8
Setting up the remote JMX port for SSL/TLS would be entirely within the scope of the JVM options.

Jetty is not involved in the JMX service, it merely exposes components to the JMX layer.
The rest is handled by the JVM.

The instructions you have linked to are the only ones I'm aware of for setting up the SSL certificates for JMX.
It also states that SSL/TLS is the default behavior for the JMX remote agent.



Joakim Erdfelt / [hidden email]


Re: configuring JMX interface to use SSL

Brian Reichert
On Tue, Feb 07, 2017 at 09:10:37AM -0700, Joakim Erdfelt wrote:
> Setting up the remote JMX port for SSL/TLS would be entirely within the
> scope of the JVM options.
>
> Jetty is not involved in the JMX service, it merely exposes components to
> the JMX layer.

But, jetty renames some of the properties, e.g.:

  com.sun.management.jmxremote.port -> jetty.jmxremote.rmiport
  com.sun.management.jmxremote.password.file -> jmx.remote.x.password.file
  com.sun.management.jmxremote.access.file -> jmx.remote.x.access.file

> The rest is handled by the JVM.
>
> The instructions you have linked to are the only ones I'm aware of for
> setting up the SSL certificates for JMX.
> It also states that SSL/TLS is the default behavior for the JMX remote
> agent.
>
> http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html#gdemv

Heck, let's ignore my config, and go right to stock jetty code, firing up
JMX remote, and SSL:

  # cd /usr/jetty-distribution/demo-base
  # java -jar ../start.jar --module=jmx,jmx-remote,ssl
  2017-02-07 17:44:21.783:INFO::main: Logging initialized @373ms
  2017-02-07 17:44:23.199:WARN::main: demo test-realm is deployed. DO NOT USE
  IN PRODUCTION!
  2017-02-07 17:44:23.201:INFO:oejs.Server:main: jetty-9.3.8.v20160314
  2017-02-07 17:44:23.357:INFO:oejj.ConnectorServer:main: JMX Remote URL:
  service:jmx:rmi://localhost:1099/jndi/rmi://test-02.example.com:1099/jmxrmi
  ...
  2017-02-07 18:05:59.279:INFO:oejs.ServerConnector:main: Started
  ServerConnector@67b64c45{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
  2017-02-07 18:05:59.280:INFO:oejs.Server:main: Started @3939ms

So, I can see that the web app on port 8443 is on an SSL interface:

  # openssl s_client -connect localhost:8443 < /dev/null
  ...subject=/C=Unknown/ST=Unknown/L=Unknown/O=Mort Bay Consulting Pty.
  Ltd./OU=Jetty/CN=jetty.eclipse.org
  issuer=/C=Unknown/ST=Unknown/L=Unknown/O=Mort Bay Consulting Pty.
  Ltd./OU=Jetty/CN=jetty.eclipse.org
  ...

But, the JMX interface does not:

  # openssl s_client -connect localhost:1099 < /dev/null
  CONNECTED(00000003)
  140439511435080:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
  failure:s23_lib.c:184:
  ---
  no peer certificate available
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 0 bytes and written 247 bytes
  ---
  New, (NONE), Cipher is (NONE)
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  ---

According to Oracle, this should be protected with SSL by default.

Authentication is enabled by default (and I can get that
configured/working), but setting:

  -Dcom.sun.management.jmxremote.authenticate=false

doesn't suppress the demand for credentials.

So, it _seems_ to me that jetty, somehow, subverts how some of these
properties are processed by the JVM.


--
Brian Reichert <[hidden email]>
BSD admin/developer at large
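The openssl s_client test above only says that port 1099 did not complete a TLS handshake; it does not say what is listening there. The probe below, added here as an example and not code from the thread or from Jetty, speaks just enough JRMP (the Java RMI wire protocol: a "JRMI" magic, version 2 and the StreamProtocol byte, answered by a ProtocolAck 0x4e carrying the client host and port the server saw) to tell a plaintext RMI registry or connector from a TLS-wrapped one, then attempts a real TLS handshake on the same port so the two results can be cross-checked. The target host and port are command-line assumptions; the constructed byte strings in the comments are illustrative, not captured from Jetty. A bare "closed" on the plaintext leg can also come from a TLS listener that hangs up on non-TLS input, which is why the TLS leg is always run as well.

```python
import socket
import ssl
import struct

# JRMP stream-protocol handshake (Java RMI wire protocol, chapter 10):
# the client opens with magic "JRMI", version 0x0002 and the
# StreamProtocol byte 0x4b; a plaintext RMI endpoint answers with
# ProtocolAck 0x4e, then the client host it saw (Java UTF string:
# 2-byte length + bytes) and a 4-byte big-endian port.
JRMP_HELLO = b"JRMI\x00\x02\x4b"
JRMP_PROTOCOL_ACK = 0x4E

# TLS record content types (RFC 5246 section 6.2.1); the second byte of
# any TLS record is the major version 0x03.
TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sent back after it received
    JRMP_HELLO on a plain TCP connection."""
    if not data:
        return "closed"            # hung up without answering
    if data[0] == JRMP_PROTOCOL_ACK:
        return "plaintext-jrmp"    # an RMI registry/connector with no TLS
    if data[0] in (TLS_ALERT, TLS_HANDSHAKE) and len(data) >= 3 and data[1] == 0x03:
        return "tls"               # a TLS listener rejecting our plaintext
    return "unknown"


def parse_protocol_ack(data: bytes):
    """Decode a ProtocolAck into (host, port); None if it is not a complete one.
    Constructed sample: b"\\x4e\\x00\\x09127.0.0.1\\x00\\x00\\x04\\x4b" -> ("127.0.0.1", 1099)."""
    if len(data) < 3 or data[0] != JRMP_PROTOCOL_ACK:
        return None
    (host_len,) = struct.unpack(">H", data[1:3])
    end = 3 + host_len
    if len(data) < end + 4:
        return None
    host = data[3:end].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">I", data[end:end + 4])
    return host, port


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Live check of one port: a plaintext JRMP hello, then a TLS handshake.
    Certificate verification is deliberately off because the question is
    only whether TLS is offered at all, not whether the cert is trusted."""
    result = {"plaintext": None, "ack": None, "tls": None, "cipher": None}

    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(JRMP_HELLO)
        try:
            reply = sock.recv(256)
        except (socket.timeout, ConnectionError):
            reply = b""
    result["plaintext"] = classify_reply(reply)
    result["ack"] = parse_protocol_ack(reply)

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = "tls"
                result["cipher"] = tls.cipher()
    except (ssl.SSLError, ConnectionError, socket.timeout):
        result["tls"] = "no-tls"
    return result


if __name__ == "__main__":
    import sys
    # Assumed defaults: the registry port used in the thread, on localhost.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1099
    print(probe(target_host, target_port))
```

Run it as `python3 probe.py localhost 1099` (or 1616 for the module Joakim posts later in the thread). A result of `plaintext: plaintext-jrmp` together with `tls: no-tls` means the port is an unprotected RMI endpoint; `plaintext: closed` or `tls` together with `tls: tls` and a cipher name means the registry is actually TLS-wrapped, and the remaining work is on the client side (trust store, and a client that uses an SSL socket factory for the registry).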

Re: configuring JMX interface to use SSL

Simone Bordet-3
Hi,

On Tue, Feb 7, 2017 at 7:06 PM, Brian Reichert <[hidden email]> wrote:
> But, jetty renames some of the properties, e.g.:

File an issue. We should at least verify that this is doable, and if
so document it properly.
There is some machinery to put in place for RMI to use TLS which we
may not be doing.

We accept contributions :)

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: configuring JMX interface to use SSL

Brian Reichert
On Wed, Feb 08, 2017 at 11:44:33AM +0100, Simone Bordet wrote:
> Hi,
>
> On Tue, Feb 7, 2017 at 7:06 PM, Brian Reichert <[hidden email]> wrote:
> > But, jetty renames some of the properties, e.g.:
>
> File an issue. We should at least verify that this is doable, and if
> so document it properly.

That I'm willing to do, but I was hoping for, at least, some
confirmation that my expectations are correct.

- should this, out of the box, spin up a SSL-protected JMX interface?

        java -jar start.jar --module=jmx,jmx-remote,ssl

- should I be able to disable authentication by setting

        -Dcom.sun.management.jmxremote.authenticate=false?

> There is some machinery to put in place for RMI to use TLS which we
> may not be doing.
>
> We accept contributions :)
>

--
Brian Reichert <[hidden email]>
BSD admin/developer at large

Re: configuring JMX interface to use SSL

Simone Bordet-3
Hi,

On Wed, Feb 8, 2017 at 5:12 PM, Brian Reichert <[hidden email]> wrote:
> That I'm willing to do, but I was hoping for, at least, some
> confirmation that my expectations are correct.
>
> - should this, out of the box, spin up a SSL-protected JMX interface?
>
>         java -jar start.jar --module=jmx,jmx-remote,ssl

No. The "ssl" module is for connectors, not for JMX. The fact that JMX
may open a server socket is not influenced by the ssl module.

> - should I be able to disable authentication by setting
>
>         -Dcom.sun.management.jmxremote.authenticate=false?

I'd say yes.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: configuring JMX interface to use SSL

Brian Reichert
On Wed, Feb 08, 2017 at 05:38:21PM +0100, Simone Bordet wrote:

> Hi,
>
> On Wed, Feb 8, 2017 at 5:12 PM, Brian Reichert <[hidden email]> wrote:
> > That I'm willing to do, but I was hoping for, at least, some
> > confirmation that my expectations are correct.
> >
> > - should this, out of the box, spin up a SSL-protected JMX interface?
> >
> >         java -jar start.jar --module=jmx,jmx-remote,ssl
>
> No. the "ssl" module is for connectors, not for jmx. The fact that JMX
> may open a server socket is not influenced by the ssl module.

True, 'ssl' does what you say; I kicked it into play to otherwise
demonstrate that my jetty-based server does have the trustStore/keyStore
properly configured, implying that they would be utilized by the
SSL-enabled JMX interface.

According to Oracle:

https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

  SSL is enabled by default when you enable remote monitoring and
  management.  To use SSL, you need to set up a digital certificate
  on the system where the JMX agent (the MBean server) is running
  and then configure SSL properly.

My expectation was that my successful SSL test would satisfy the
above requirements.

Was I incorrect in that matter?

>
> > - should I be able to disable authentication by setting
> >
> >         -Dcom.sun.management.jmxremote.authenticate=false?
>
> I'd say yes.
>
> --
> Simone Bordet
> ----
> http://cometd.org
> http://webtide.com
> Developer advice, training, services and support
> from the Jetty & CometD experts.
> _______________________________________________
> jetty-users mailing list
> [hidden email]
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users

--
Brian Reichert <[hidden email]>
BSD admin/developer at large

Re: configuring JMX interface to use SSL

Simone Bordet-3
Hi,

On Wed, Feb 8, 2017 at 6:02 PM, Brian Reichert <[hidden email]> wrote:

> According to Oracle:
>
> https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
>
>   SSL is enabled by default when you enable remote monitoring and
>   management.  To use SSL, you need to set up a digital certificate
>   on the system where the JMX agent (the MBean server) is running
>   and then configure SSL properly.
>
> My expectation was that my successful SSL test would satisfy the
> above requirements.
>
> Was I incorrect in that matter?

Your SSL test had nothing to do with JMX.

The JVM uses system properties to enable internally what Jetty enables
with the jmx-remote module (namely, an RMIRegistry and a
JMXConnectorServer).
The 2 systems should be equivalent; if Jetty's does not have the
capabilities of the JVM's, then we should improve it.

If you want to have JMX over SSL, just enable the jmx module in Jetty.
This will expose the Jetty components as MBeans.

Then you enable all the relevant system properties reported by the
link above to enable remote monitoring via SSL.

The reason for the existence of the jmx-remote module is that the
default support by the JVM opens a random port for the
JMXConnectorServer, which is not friendly for firewalls.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: configuring JMX interface to use SSL

Brian Reichert
On Wed, Feb 08, 2017 at 06:43:32PM +0100, Simone Bordet wrote:
> If you want to have JMX over SSL, just enable the jmx module in Jetty.
> This will expose the Jetty components as MBeans.
>
> Then you enable all the relevant system properties reported by the
> link above to enable remote monitoring via SSL.

Ok, I've tried these invocations, and none of them yield an SSL
certificate when I connect to port 1099, when I use the 'demo-base'
app:

  # pwd
  /usr/jetty-distribution-9.3.8.v20160314/demo-base

  java -jar ../start.jar --module=jmx,jmx-remote

  # This should be the operational default, but just to make sure...
  java -Dcom.sun.management.jmxremote.ssl=true \
       -jar ../start.jar --module=jmx,jmx-remote

  # RMI Registry Authentication is 'false' by default
  java -Dcom.sun.management.jmxremote.ssl=true \
       -Dcom.sun.management.jmxremote.registry.ssl=true \
       -jar ../start.jar --module=jmx,jmx-remote

Should any of these have worked?  Or am I misunderstanding what
you're saying?

> The reason for the existence of the jmx-remote module is that the
> default support by the JVM opens a random port for the
> JMXConnectorServer, which is not friendly for firewalls.

Pretty neat. :)


--
Brian Reichert <[hidden email]>
BSD admin/developer at large

Re: configuring JMX interface to use SSL

Simone Bordet-3
Hi,

On Thu, Feb 9, 2017 at 8:57 PM, Brian Reichert <[hidden email]> wrote:

> On Wed, Feb 08, 2017 at 06:43:32PM +0100, Simone Bordet wrote:
>> If you want to have JMX over SSL, just enable the jmx module in Jetty.
>> This will expose the Jetty components as MBeans.
>>
>> Then you enable all the relevant system properties reported by the
>> link above to enable remote monitoring via SSL.
>
> Ok, I've tried these invocations, and none of them yield an SSL
> certificate when I connect to port 1099, when I use the 'demo-base'
> app:
>
>    # pwd
>   /usr/jetty-distribution-9.3.8.v20160314/demo-base
>
>   java -jar ../start.jar --module=jmx,jmx-remote
>
>   # This should be the operational default, but just to make sure...
>   java -Dcom.sun.management.jmxremote.ssl=true \
>        -jar ../start.jar --module=jmx,jmx-remote
>
>   # RMI Registry Authentication is 'false' by default
>   java -Dcom.sun.management.jmxremote.ssl=true \
>        -Dcom.sun.management.jmxremote.registry.ssl=true \
>        -jar ../start.jar --module=jmx,jmx-remote
>
> Should any of these have worked?  Or am I misunderstanding what
> you're saying?

Keep only the jmx module, remove the jmx-remote module.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: configuring JMX interface to use SSL

Brian Reichert
On Thu, Feb 09, 2017 at 09:23:16PM +0100, Simone Bordet wrote:
> Keep only the jmx module, remove the jmx-remote module.

BTW, I do appreciate your guidance here.

I've tried this:

  java -jar ../start.jar --module=jmx

That only opened up the two configured HTTP[S] ports:

  # lsof -P -n -p 20378 | grep TCP
  java    20378 root   90u  IPv6            1257602      0t0     TCP *:8080 (LISTEN)
  java    20378 root   97u  IPv6            1257607      0t0     TCP *:8443 (LISTEN)

From the startup messages:
  ServerConnector@27f674d{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
  ServerConnector@67b64c45{SSL,[ssl, http/1.1]}{0.0.0.0:8443}


--
Brian Reichert <[hidden email]>
BSD admin/developer at large

Re: configuring JMX interface to use SSL

Simone Bordet-3
Hi,

On Thu, Feb 9, 2017 at 9:17 PM, Brian Reichert <[hidden email]> wrote:

> On Thu, Feb 09, 2017 at 09:23:16PM +0100, Simone Bordet wrote:
>> Keep only the jmx module, remove the jmx-remote module.
>
> BTW, I do appreciate your guidance here.
>
> I've tried this:
>
>   java -jar ../start.jar --module=jmx
>
> That only opened up the two configured HTTP[S] ports:
>
>   # lsof -P -n -p 20378 | grep TCP
>   java    20378 root   90u  IPv6            1257602      0t0     TCP *:8080 (LISTEN)
>   java    20378 root   97u  IPv6            1257607      0t0     TCP *:8443 (LISTEN)
>
> From the startup messages:
>   ServerConnector@27f674d{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
>   ServerConnector@67b64c45{SSL,[ssl, http/1.1]}{0.0.0.0:8443}

Sure.

You have to add the JMX system properties as described in
https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html.

The Jetty JMX module exports Jetty components as MBeans, but those
stay within the JVM.
If you want to be able to connect to the JVM from remote via JMX, then
you have to either A) enable the jmx-remote module, or B) add the
system properties as above.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.

Re: configuring JMX interface to use SSL

Joakim Erdfelt-8
Here you go.

Using Jetty 9.4.1 demo-base ...

$ cd /path/to/jetty-distribution-9.4.1.v20170120/demo-base
$ keytool -genkeypair -keyalg RSA -keystore jmxkeystore.jks -dname cn=test,ou=localhost,dc=example,dc=com

(I created the keystore with password 'changeme')

$ mkdir modules
$ vim modules/jmx-ssl.mod

--(snip)--
[depend]
jmx

[exec]
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1616
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.registry.ssl=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Djavax.net.ssl.keyStore=${jetty.base}/jmxkeystore.jks
-Djavax.net.ssl.keyStorePassword=changeme
-Djavax.net.ssl.trustStore=${jetty.base}/jmxkeystore.jks
-Djavax.net.ssl.trustStorePassword=changeme
--(/snip)--

$ vim jconsole-ssl.sh

--(snip)--
#!/bin/bash

jconsole \
 -J-Djavax.net.ssl.keyStore=jmxkeystore.jks \
 -J-Djavax.net.ssl.keyStorePassword=changeme \
 -J-Djavax.net.ssl.trustStore=jmxkeystore.jks \
 -J-Djavax.net.ssl.trustStorePassword=changeme \
 localhost:1616
--(/snip)--

(run demo-base server)

$ java -jar ../start.jar --module=jmx-ssl

(in other console window ...)

$ ./jconsole-ssl.sh

- Joakim


Joakim Erdfelt / [hidden email]


Re: configuring JMX interface to use SSL

Brian Reichert
On Thu, Feb 09, 2017 at 02:11:23PM -0700, Joakim Erdfelt wrote:
> Here you go.

Thanks for this feedback; I look forward to reproducing this effort
in my environment.



--
Brian Reichert <[hidden email]>
BSD admin/developer at large

Re: configuring JMX interface to use SSL

Brian Reichert
On Thu, Feb 09, 2017 at 02:11:23PM -0700, Joakim Erdfelt wrote:
> Here you go.
>
> Using Jetty 9.4.1 demo-base ...

Thanks for such an explicit test case. :)

Following along, with jetty-distribution-9.3.8.v20160314.

- created SSL keystore, successfully, just as you did.

- created modules/jmx-ssl.mod.  One change; for some reason, this
  version of jetty did not honor the use of '${jetty.base}' in the module:

    java -jar ../start.jar --module=jmx-ssl

    ...
    Caused by: java.io.FileNotFoundException: ${jetty.base}/jmxkeystore.jks
    (No such file or directory)
        at java.io.FileInputStream.open0(Native Method)
        at java.io.FileInputStream.open(FileInputStream.java:195)
        at java.io.FileInputStream.<init>(FileInputStream.java:138)
        at java.io.FileInputStream.<init>(FileInputStream.java:93)
        at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(SSLContextImpl.java:827)
        at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(SSLContextImpl.java:824)

  The configuration otherwise seems set:

    java -jar ../start.jar --list-config | grep jetty.base
     jetty.base = /usr/jetty-distribution-9.3.8.v20160314/demo-base
     ${jetty.base} -> /usr/jetty-distribution-9.3.8.v20160314/demo-base
     8:      1.4.1.v201005082020 |
    ${jetty.base}/lib/ext/javax.mail.glassfish-1.4.1.v201005082020.jar
     9:          9.3.8.v20160314 |
    ${jetty.base}/lib/ext/test-mock-resources-9.3.8.v20160314.jar
    10:                    (dir) | ${jetty.base}/resources
     ${jetty.base}/etc/demo-rewrite-rules.xml

  I worked past this by supplying an absolute pathname in the module, e.g.:

    -Djavax.net.ssl.keyStore=/usr/jetty-distribution-9.3.8.v20160314/demo-base/jmxkeystore.jks

Now, I do get port 1616 opened up, and there is an SSL interface
there, and this port is exposed on the external NIC, all of which
is desirable.

But, when I connect remotely using jconsole, I get this error:

  non-JRMP server at remote endpoint

I also explored using a command-line JMX console tool to connect locally:

  http://wiki.cyclopsgroup.org/jmxterm/

but it got the same error.

I've tried setting the port to 1099, in case something had a baked-in
default, to no avail.

Googling that error doesn't give me any pointers that seem applicable
to my situation. :/

I'll keep digging, but I did want to report back.

--
Brian Reichert <[hidden email]>
BSD admin/developer at large

Re: configuring JMX interface to use SSL

Joakim Erdfelt-8
You'll need to use jconsole with the same keystore/truststore you used for the jmx server side.
Or you'll need to use an ssl certificate that's from a trusted CA already found in the default JVM keystore.

Note: the prior example is all using Java 8 update 112 btw.

$ vim jconsole-ssl.sh

--(snip)--
#!/bin/bash

jconsole \
 -J-Djavax.net.ssl.keyStore=jmxkeystore.jks \
 -J-Djavax.net.ssl.keyStorePassword=changeme \
 -J-Djavax.net.ssl.trustStore=jmxkeystore.jks \
 -J-Djavax.net.ssl.trustStorePassword=changeme \
 localhost:1616
--(/snip)--


Joakim Erdfelt / [hidden email]

On Tue, Feb 14, 2017 at 3:30 PM, Brian Reichert <[hidden email]> wrote:
On Thu, Feb 09, 2017 at 02:11:23PM -0700, Joakim Erdfelt wrote:
> Here you go.
>
> Using Jetty 9.4.1 demo-base ...

Thanks for such an explicit test case. :)

Following along, with jetty-distribution-9.3.8.v20160314.

- created SSL keystore, successfully, just as you did.

- created modules/jmx-ssl.mod.  One change; for some reason, this
  version of jetty did not honor the use of '${jetty.base}' in the module:

    java -jar ../start.jar --module=jmx-ssl

    ...
    Caused by: java.io.FileNotFoundException: ${jetty.base}/jmxkeystore.jks
    (No such file or directory)
        at java.io.FileInputStream.open0(Native Method)
        at java.io.FileInputStream.open(FileInputStream.java:195)
        at java.io.FileInputStream.<init>(FileInputStream.java:138)
        at java.io.FileInputStream.<init>(FileInputStream.java:93)
        at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(SSLContextImpl.java:827)
        at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(SSLContextImpl.java:824)

  The configuration otherwise seems set:

    java -jar ../start.jar --list-config | grep jetty.base
     jetty.base = /usr/jetty-distribution-9.3.8.v20160314/demo-base
     ${jetty.base} -> /usr/jetty-distribution-9.3.8.v20160314/demo-base
     8:      1.4.1.v201005082020 |
    ${jetty.base}/lib/ext/javax.mail.glassfish-1.4.1.v201005082020.jar
     9:          9.3.8.v20160314 |
    ${jetty.base}/lib/ext/test-mock-resources-9.3.8.v20160314.jar
    10:                    (dir) | ${jetty.base}/resources
     ${jetty.base}/etc/demo-rewrite-rules.xml

  I worked past this by supplying an absolute pathname in the module, e.g.:

    -Djavax.net.ssl.keyStore=/usr/jetty-distribution-9.3.8.v20160314/demo-base/jmxkeystore.jks

Now, I do get port 1616 opened up, and there is an SSL interface
there, and this port is exposed on the external NIC, all of which
is desirable.

But, when I connect remotely using jconsole, I get this error:

  non-JRMP server at remote endpoint

I also explored using a command-line JMX console tool to connect locally:

  http://wiki.cyclopsgroup.org/jmxterm/

but it got the same error.

I've tried setting the port to 1099, in case something had a baked-in
default, to no avail.

Googling that error doesn't give me any pointers that seem applicable
to my situation. :/

I'll keep digging, but I did want to report back.

>
> - Joakim
>
>
> Joakim Erdfelt / [hidden email]

--
Brian Reichert <[hidden email]>
BSD admin/developer at large

Re: configuring JMX interface to use SSL

Brian Reichert
On Tue, Feb 14, 2017 at 04:11:34PM -0700, Joakim Erdfelt wrote:
> You'll need to use jconsole with the same keystore/truststore you used for
> the jmx server side.
> Or you'll need to use an ssl certificate that's from a trusted CA already
> found in the default JVM keystore.

I am supplying those properties when I use the locally-run jmxconsole.

I'll specifically copy over the jmxkeystore.jks to where I'm firing
up jconsole, to try as you suggest.

I would have expected SSL errors, if this was a trust issue.

> Note: the prior example is all using Java 8 update 112 btw.

I'm using Java 8 as well, but different builds, depending on the
environment.

>
> $ vim jconsole-ssl.sh
>
> --(snip)--
> #!/bin/bash
>
> jconsole \
>  -J-Djavax.net.ssl.keyStore=jmxkeystore.jks \
>  -J-Djavax.net.ssl.keyStorePassword=changeme \
>  -J-Djavax.net.ssl.trustStore=jmxkeystore.jks \
>  -J-Djavax.net.ssl.trustStorePassword=changeme \
>  localhost:1616
> --(/snip)--
>
>
> Joakim Erdfelt / [hidden email]

--
Brian Reichert <[hidden email]>
BSD admin/developer at large

Re: configuring JMX interface to use SSL

Brian Reichert
On Wed, Feb 15, 2017 at 10:01:56AM -0500, Brian Reichert wrote:

> On Tue, Feb 14, 2017 at 04:11:34PM -0700, Joakim Erdfelt wrote:
> > You'll need to use jconsole with the same keystore/truststore you used for
> > the jmx server side.
> > Or you'll need to use an ssl certificate that's from a trusted CA already
> > found in the default JVM keystore.
>
> I am supplying those properties when I use the locally-run jmxconsole.
>
> I'll specifically copy over the jmxkeystore.jks to where I'm firing
> up jconsole, to try as you suggest.

And that indeed works!  Thanks for patiently walking me through
this; I do recall accomplishing this using jetty 6 a few years ago,
but have apparently not retained enough knowledge.

(I had higher hopes for that jmxconsole utility, but it's my fault
for testing with a nonstandard tool.)

I wanted to expand on this, and explore the jmx-remote module. In your
jmx-ssl.mod, I:

- added jmx-remote to the 'depend' section
- commented out the com.sun.management.jmxremote.port

When I spun the demo app back up, the JMX interface was no longer
protected with SSL.

Is that expected?


--
Brian Reichert <[hidden email]>
BSD admin/developer at large
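The thread hinges on which JVM -D options the jmx-ssl.mod [exec] section actually hands the JMX remote agent: an unexpanded ${jetty.base} in the keyStore path, or a module combination that quietly drops TLS, both leave the port in a state you would not want on an external NIC. Below is an added audit script (not Jetty's code, and not the thread's own module file) that parses a constructed .mod text and flags those conditions; the property names are the standard com.sun.management.jmxremote.* and javax.net.ssl.* JVM options from the Oracle agent documentation linked earlier.

```python
"""Audit the JVM -D flags of a Jetty module (e.g. a jmx-ssl.mod) for
JMX-over-TLS misconfigurations.  Added example, not Jetty's code.
Defaults follow the JDK agent docs: ssl and authenticate are 'true'
unless explicitly set to 'false'."""
from typing import Dict, List

# Constructed sample in Jetty .mod [exec] form; not the thread's real file.
SAMPLE_MOD = """
[depend]
jmx

[exec]
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1616
-Dcom.sun.management.jmxremote.authenticate=false
-Djavax.net.ssl.keyStore=${jetty.base}/jmxkeystore.jks
-Djavax.net.ssl.keyStorePassword=changeme
"""


def parse_exec_props(mod_text: str) -> Dict[str, str]:
    """Return -Dname=value pairs from the [exec] section (bare -Dname => 'true')."""
    props: Dict[str, str] = {}
    in_exec = False
    for raw in mod_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_exec = line == "[exec]"
            continue
        if in_exec and line.startswith("-D"):
            name, sep, value = line[2:].partition("=")
            props[name] = value if sep else "true"
    return props


def audit_jmx(props: Dict[str, str]) -> List[str]:
    """Findings to resolve before exposing the JMX port beyond localhost."""
    findings: List[str] = []
    if "com.sun.management.jmxremote.port" not in props:
        return findings  # remote agent not enabled: nothing is listening
    if props.get("com.sun.management.jmxremote.ssl", "true").lower() == "false":
        findings.append("jmxremote.ssl=false: JMX traffic in cleartext")
    elif "javax.net.ssl.keyStore" not in props:
        findings.append("TLS enabled but no javax.net.ssl.keyStore set")
    elif "${" in props["javax.net.ssl.keyStore"]:
        # The thread saw '${jetty.base}' passed through unexpanded on 9.3.8.
        findings.append("keyStore path has unexpanded ${...}: use an absolute path")
    if props.get("com.sun.management.jmxremote.authenticate", "true").lower() == "false":
        findings.append("jmxremote.authenticate=false: unauthenticated MBean access")
    return findings
```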

Re: configuring JMX interface to use SSL

Brian Reichert
On Wed, Feb 15, 2017 at 10:35:27AM -0500, Brian Reichert wrote:
> (I had higher hopes for that jmxconsole utility, but it's my fault
> for testing with a nonstandard tool.)

And I meant 'jmxterm', and I just found their developer page that
calls out that SSL is on the roadmap, and hence not in place.

--
Brian Reichert <[hidden email]>
BSD admin/developer at large

Re: configuring JMX interface to use SSL

Simone Bordet-3
In reply to this post by Brian Reichert
Hi,

On Tue, Feb 7, 2017 at 4:34 PM, Brian Reichert <[hidden email]> wrote:
> Has anyone configured the JMX interface to employ SSL in jetty 9?

We have reworked the JMX support in
https://github.com/eclipse/jetty.project/issues/1517.
It now also supports TLS out of the box.
The documentation has been rewritten as well to include the setup
required for TLS too.

I also recommend looking into connecting via an SSH tunnel (also in
the documentation).
Sometimes it is a much cleaner solution than using TLS.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.