1. If we don't need authentication, just add the following to CATALINA_OPTS (this leaves the JMX port open to anyone who can reach it, with no encryption):
"-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"
2. If we want to require a user name and password:
"-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/www/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/www/etc/jmx/jmxremote.access"
jmxremote.access:
monitorRole readonly
controlRole readwrite
jmxremote.password:
monitorRole [passwd]
controlRole [passwd]
Remove group and other permissions on the password file:
chmod 600 jmxremote.password
3. If we want to use SSL to encrypt the messages between the JMX client and server:
"-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.keyStore=/home/www/etc/keystore/server.jks -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.password.file=/home/www/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/www/etc/jmx/jmxremote.access -Dcom.sun.management.jmxremote.ssl=true"
Convert the server's certificate and key to PKCS12 format:
openssl pkcs12 -in server.crt -inkey server.key -export -out server.p12 -nodes -CAfile ca.crt
Convert the PKCS12 keystore to a JKS keystore:
/usr/local/jdk1.6.0/bin/keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12 -deststoretype jks
The default Java truststore is normally at JAVA_HOME\jre\lib\security\cacerts. Import the CA certificate into it so that the server's certificate is trusted:
keytool -import -file c:\ca.crt -keystore ..\jre\lib\security\cacerts -alias MITCA
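To check which of the three setups above a given CATALINA_OPTS string actually amounts to, the script below audits the JMX options and the password file permissions. It is an added example, not part of the original notes; the function names and the severity labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag weak JMX settings in a
# CATALINA_OPTS string. Function names and severity labels are hypothetical.

# opt_value "<opts>" <property>: value of the last -D<property>=... token.
opt_value() (
    set -f                      # no globbing while word-splitting the options
    val=
    for tok in $1; do
        case $tok in "-D$2="*) val=${tok#*=} ;; esac
    done
    printf '%s' "$val" | tr -d '"'
)

# audit_jmx "<opts>": print one finding per line, nothing if all checks pass.
audit_jmx() (
    opts=$1
    p=com.sun.management.jmxremote
    if [ -z "$(opt_value "$opts" "$p.port")" ]; then
        echo "INFO no remote JMX port set"
        exit 0
    fi
    # The JDK management agent treats both settings as true when absent.
    auth=$(opt_value "$opts" "$p.authenticate"); auth=${auth:-true}
    ssl=$(opt_value "$opts" "$p.ssl"); ssl=${ssl:-true}
    [ "$auth" = true ] || echo "HIGH authenticate=$auth: no login needed on the JMX port"
    [ "$ssl" = true ] || echo "MEDIUM ssl=$ssl: JMX traffic is not encrypted"
    pw=$(opt_value "$opts" "$p.password.file")
    if [ "$auth" = true ] && [ -n "$pw" ] && [ -e "$pw" ]; then
        # Characters 5-10 of the ls mode string are the group/other bits.
        case $(ls -ld "$pw") in
            ????------*) ;;
            *) echo "HIGH $pw is accessible to group or others: chmod 600" ;;
        esac
    fi
    [ -z "$(opt_value "$opts" javax.net.ssl.keyStorePassword)" ] ||
        echo "LOW keystore password is passed on the command line"
)

audit_jmx "${CATALINA_OPTS:-}"
```

Run it in the environment that starts Tomcat so that CATALINA_OPTS is set; it prints nothing when every check passes.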