
1. If we don't need authentication (no user name, password or SSL), just add the following to CATALINA_OPTS:

"-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"

2. If we want to require a user name and password:

  • change the options to:

       "-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/www/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/www/etc/jmx/jmxremote.access"

  • add the following lines to the jmxremote.access file:

          monitorRole readonly
          controlRole readwrite

  • add the following lines to the jmxremote.password file (replace [passwd] with the real password for each role):

          monitorRole [passwd]
          controlRole [passwd]

  • the jmxremote.password file must be readable and writable only by its owner, and the owner must be the same account that runs the web server process.

          remove the group and other permissions with:

          chmod 600 jmxremote.password

3. If we want to use SSL to encrypt the messages between the JMX client and server:

  • change the options to (one line; the property values must not carry their own quotes inside the quoted string):

       "-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.keyStore=/home/www/etc/keystore/server.jks -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.password.file=/home/www/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/www/etc/jmx/jmxremote.access -Dcom.sun.management.jmxremote.ssl=true"

  • generate the keystore:

          convert the server's certificate and key to PKCS#12 format (note that ca.crt is the CA that signed the server certificate, i.e. the server CA, not the client CA):

          openssl pkcs12 -in server.crt -inkey server.key -export -out server.p12 -nodes -CAfile ca.crt

          afterwards, you should be able to list the contents of the PKCS#12 keystore with: /usr/local/jdk1.6.0/bin/keytool -list -keystore server.p12 -storetype pkcs12


          convert the PKCS#12 keystore to a JKS keystore:

          /usr/local/jdk1.6.0/bin/keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12 -deststoretype jks

  • the client has to trust the server CA, so import the CA certificate into the client's own keystore

          the default Java keystore is normally at JAVA_HOME\jre\lib\security\cacerts

          keytool -import -file c:\ca.crt -keystore ..\jre\lib\security\cacerts -alias MITCA
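Added example (not part of the original page): a small POSIX shell check for the jmxremote.access / jmxremote.password pair from step 2, run before starting Tomcat. It verifies the 0600 mode and owner required for the password file (the JVM refuses a password file readable by others) and that every role in the password file has a readonly or readwrite entry in the access file. The file paths and the sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# check_jmx_files ACCESS_FILE PASSWORD_FILE EXPECTED_OWNER
# Returns 0 when the pair is consistent, 1 otherwise (problems go to stderr).
check_jmx_files() {
    access="$1"; passwd="$2"; expected_owner="$3"
    rc=0
    # 1. permission bits must be exactly 600 (stat -c is GNU, stat -f is BSD/macOS)
    mode=$(stat -c '%a' "$passwd" 2>/dev/null || stat -f '%Lp' "$passwd")
    [ "$mode" = "600" ] || { echo "password file mode is $mode, want 600" >&2; rc=1; }
    # 2. the owner must be the account that runs the web server process
    owner=$(stat -c '%U' "$passwd" 2>/dev/null || stat -f '%Su' "$passwd")
    [ "$owner" = "$expected_owner" ] || { echo "owner is $owner, want $expected_owner" >&2; rc=1; }
    # 3. every role in the password file needs an access entry with a valid level;
    #    a role missing from the access file can log in but gets no permissions
    while read -r role rest; do
        case "$role" in ''|\#*) continue ;; esac   # skip blank lines and comments
        level=$(awk -v r="$role" '$1 == r { print $2 }' "$access")
        case "$level" in
            readonly|readwrite) ;;
            '') echo "role $role has no entry in $access" >&2; rc=1 ;;
            *)  echo "role $role has invalid access level '$level'" >&2; rc=1 ;;
        esac
    done < "$passwd"
    return $rc
}

# Constructed sample files (not from the page) to exercise the check.
demo_dir=$(mktemp -d)
printf 'monitorRole readonly\ncontrolRole readwrite\n' > "$demo_dir/jmxremote.access"
printf 'monitorRole s3cret1\ncontrolRole s3cret2\n' > "$demo_dir/jmxremote.password"
chmod 600 "$demo_dir/jmxremote.password"
check_jmx_files "$demo_dir/jmxremote.access" "$demo_dir/jmxremote.password" "$(id -un)" \
    && echo "jmx files OK"
rm -rf "$demo_dir"
```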

