Notes on configuring JMX remote
1. If we don't need authentication, add the following to CATALINA_OPTS. Do this only where the port is reachable solely from localhost or a firewalled management network: anybody who can connect to an unauthenticated JMX port can load and run code in the JVM. Note also that besides 9001 the JVM opens a second, randomly chosen RMI port (on JDK 7u4 and later it can be pinned with -Dcom.sun.management.jmxremote.rmi.port), so a firewall rule for 9001 alone does not cover it:
"-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"
2. If we want to require a user name and password (without encryption yet)
- change the options to the following. ssl=false has to be spelled out, because com.sun.management.jmxremote.ssl defaults to true; with it the password crosses the network in cleartext, so use this only on a trusted network or combine it with step 3:
"-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/www/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/www/etc/jmx/jmxremote.access"
- add the following lines to the jmxremote.access file (one role per line followed by its level; readwrite lets the client change attributes and invoke operations, which on a Tomcat JVM amounts to administrative control, so hand it out as sparingly as a shell account):
monitorRole readonly
controlRole readwrite
- add the following lines to jmxremote.password (the same role names, each followed by its password; replace [passwd] with a real, distinct password per role). A role listed here without a matching entry in jmxremote.access is denied access:
monitorRole [passwd]
controlRole [passwd]
- the jmxremote.password file must be readable and writable by its owner only, and the owner must be the user that runs the web server process. On Unix the JVM checks this at startup and refuses to start if group or others can read the file. Fix owner and permissions with:
chown [tomcat user] jmxremote.password
chmod 600 jmxremote.password
3. If we want to use SSL to encrypt the traffic between JMX client and server:
- change the options to the following (all on one line; authenticate is omitted because it defaults to true, and ssl=true is the default as well but is spelled out here):
"-Djavax.net.ssl.keyStore=/home/www/etc/keystore/server.jks -Djavax.net.ssl.keyStorePassword=changeit -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.password.file=/home/www/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/www/etc/jmx/jmxremote.access"
the keystore password is part of the command line and therefore visible to every local user in the process list (ps -ef), so use a dedicated keystore with its own password instead of the default "changeit", and keep the .jks file mode 600 like the password file.
- generate the keystore:
convert the server's certificate and key to PKCS#12 format. ca.crt is the CA that signed the server certificate (the server CA, not the client CA); -chain makes openssl include it in the bundle, and -name sets the alias that keytool will show. Use the same export password as javax.net.ssl.keyStorePassword above, because the JVM uses that single password for both the store and the key entry:
openssl pkcs12 -export -in server.crt -inkey server.key -name server -chain -CAfile ca.crt -out server.p12
afterwards, you should be able to look at the PKCS#12 keystore using: /usr/local/jdk1.6.0/bin/keytool -list -keystore server.p12 -storetype pkcs12
convert the PKCS#12 keystore to a JKS keystore (alternatively the JVM can read server.p12 directly if -Djavax.net.ssl.keyStoreType=pkcs12 is added to the options):
/usr/local/jdk1.6.0/bin/keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12 -deststoretype jks
- the client has to trust the server CA by importing the CA certificate into a truststore
the default Java truststore is JAVA_HOME/jre/lib/security/cacerts (lib/security/cacerts from JDK 9 on; its default password is "changeit"). Importing into it works, but the change is lost on the next JDK upgrade and affects what every program on that JDK trusts, so prefer a separate truststore:
keytool -import -file ca.crt -alias MITCA -keystore jmx-truststore.jks
and point the client at it, e.g. for jconsole:
jconsole -J-Djavax.net.ssl.trustStore=jmx-truststore.jks -J-Djavax.net.ssl.trustStorePassword=[passwd] host:9001
on a Windows client the import into the default truststore looks like:
keytool -import -file c:\ca.crt -keystore ..\jre\lib\security\cacerts -alias MITCA
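As an added example that is not part of the original notes, the following POSIX shell script applies the checks from the three steps above to an actual configuration: it parses a CATALINA_OPTS string for authenticate=false and ssl=false (both default to true when absent), and verifies that the password file is readable by its owner only, that every role in it has a matching entry in the access file, and that no placeholder password is left. The option strings are taken from the steps above (step 2 with the ssl=false it needs); the role passwords, the temporary files, and the function names are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a JMX remote setup for
# the weaknesses the notes describe. check_opts parses a CATALINA_OPTS string,
# check_files inspects the jmxremote.password / jmxremote.access pair.
# Needs only sh, sed, awk and ls. Sample files and passwords are constructed.

# jmx_opt NAME OPTS: print the value of -Dcom.sun.management.jmxremote.NAME=VALUE
# from OPTS with any surrounding quotes removed, or nothing if it is absent.
jmx_opt() {
    printf '%s\n' "$2" | tr ' ' '\n' \
        | sed -n "s/^-Dcom\.sun\.management\.jmxremote\.$1=//p" | tr -d '"'
}

# check_opts OPTS: return 0 if the options are acceptable on a network-reachable
# port, 1 if a finding was printed. authenticate and ssl both default to true
# when absent, so only an explicit false counts as a weakness.
check_opts() {
    opts=$1
    rc=0
    port=$(jmx_opt port "$opts")
    if [ -z "$port" ]; then
        echo "OK: no jmxremote.port set, JMX is reachable only by local attach"
        return 0
    fi
    if [ "$(jmx_opt authenticate "$opts")" = false ]; then
        echo "CRITICAL: port $port has authenticate=false; anyone who can connect controls the JVM"
        rc=1
    fi
    if [ "$(jmx_opt ssl "$opts")" = false ]; then
        echo "WARNING: port $port has ssl=false; passwords and MBean data cross the network in cleartext"
        rc=1
    fi
    case " $opts " in
        *" -Djavax.net.ssl.keyStorePassword="*)
            echo "NOTE: keystore password is on the command line and visible to local users in ps" ;;
    esac
    return $rc
}

# check_files PASSWORD_FILE ACCESS_FILE: return 0 if the password file is
# readable by its owner only and every role in it has a usable access level
# and a non-placeholder password, 1 otherwise.
check_files() {
    pw=$1
    ac=$2
    rc=0
    mode=$(ls -l "$pw" | cut -c2-10)
    case "$mode" in
        ???------) ;;
        *) echo "CRITICAL: $pw is mode $mode; group/other bits must be clear (chmod 600) or the JVM refuses to start"
           rc=1 ;;
    esac
    while read -r role secret; do
        case "$role" in ''|\#*) continue ;; esac
        level=$(awk -v r="$role" '$1 == r { print $2 }' "$ac")
        case "$level" in
            readonly|readwrite) ;;
            '') echo "WARNING: $role has a password but no entry in $ac, so it is denied access"
                rc=1 ;;
            *)  echo "CRITICAL: $role has unknown access level '$level' in $ac"
                rc=1 ;;
        esac
        case "$secret" in
            ''|'[passwd]'|changeit|password)
                echo "CRITICAL: $role still has an empty or placeholder password"
                rc=1 ;;
        esac
    done < "$pw"
    return $rc
}

# make_fixture DIR: write a constructed password/access pair into DIR with the
# permissions the notes require, so the checks can be tried offline.
make_fixture() {
    printf 'monitorRole readonly\ncontrolRole readwrite\n' > "$1/jmxremote.access"
    printf 'monitorRole m0n1t0r-Xy7\ncontrolRole c0ntr0l-Qz9\n' > "$1/jmxremote.password"
    chmod 600 "$1/jmxremote.password"
}

# The option strings of the three steps (step 2 with the ssl=false it needs).
OPTS_NOAUTH='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false'
OPTS_PASSWORD='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/www/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/www/etc/jmx/jmxremote.access'
OPTS_SSL='-Djavax.net.ssl.keyStore=/home/www/etc/keystore/server.jks -Djavax.net.ssl.keyStorePassword=changeit -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port="9001" -Dcom.sun.management.jmxremote.ssl="true" -Dcom.sun.management.jmxremote.password.file=/home/www/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/www/etc/jmx/jmxremote.access'

for o in "$OPTS_NOAUTH" "$OPTS_PASSWORD" "$OPTS_SSL"; do
    if check_opts "$o"; then echo "-> options accepted"; else echo "-> options rejected"; fi
done
tmp=$(mktemp -d)
make_fixture "$tmp"
if check_files "$tmp/jmxremote.password" "$tmp/jmxremote.access"; then echo "-> files accepted"; fi
rm -rf "$tmp"
```

Run it as is to see the three option strings graded (only the step 3 string passes). To audit a live Tomcat, call check_opts with the value of CATALINA_OPTS from setenv.sh and check_files with the two file paths named in those options; the script only reports and never changes anything, so it is safe to run as the Tomcat user.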