MQ-326

Embedded broker JMX support using GlassFish server secured RMI Registry

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 5.1 (RI-Bug-Fix)
    • Component/s: mq-ra
    • Labels:
      None

      Description

      GF supports starting a secured RMI Registry for JMX. In that case the EMBEDDED broker can reuse it instead of starting its own, to avoid opening an extra port.

        Issue Links

          Activity

          David Zhao added a comment - - edited

          The steps to enable secure jmx connector in GF:

          asadmin set configs.config.server-config.admin-service.jmx-connector.system.security-enabled=true
          asadmin change-admin-password (respond to the prompts)
          asadmin enable-secure-admin
          asadmin restart-domain (as prompted in the output from enable-secure-admin)
          asadmin list-jms-resources (users first need to run any asadmin command that contacts the DAS which now has secure admin enabled. This caches the DAS cert in the local GlassFish truststore (in the ~/.gfclient/truststore file).)

          jconsole -J-Djavax.net.ssl.trustStore=${HOME}/.gfclient/truststore (Use Remote Process with URL "localhost:8686", and the admin username/password).

          You can refer to GLASSFISH-20671 for more details.

          amyk added a comment - - edited

          Added JMX support from broker to use GlassFish server secure RMI registry port. Custom JMX clients can do the following
          to connect to the ssljmxrmi service of a JMSRA managed broker that uses GlassFish server secure RMI registry:

          // env holds the connection attributes passed to the JMX connector
          final Map<String, Object> env = new HashMap<>();
          env.put(JMXConnector.CREDENTIALS, credentials);
          // use SSL sockets for the RMI registry lookup
          env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
          final JMXServiceURL jmxURL = new JMXServiceURL(jmxServiceURL);
          final JMXConnector jmxConnector = JMXConnectorFactory.connect(jmxURL, env);

          where jmxServiceURL is the JMX service URL for the broker ssljmxrmi service, which can be obtained either from the broker log on startup or by the getJMXServiceURL() method from com.sun.messaging.AdminConnectionConfiguration
          

          1. Before starting the broker, run imqkeytool to set up the keystore so that the broker ssljmx service can use it
          2. JMSRA needs to pass the following to the broker in order to have the broker use the GlassFish secure RMI registry port
             -useRmiRegistry
             -rmiRegistryPort <GlassFish-server-rmi-registry-port>
             -Dimq.jmx.connector.activelist=ssljmxrmi <== This turns off broker jmxrmi service and enables ssljmxrmi service

             as well as imq.keystore.password

          3. The JMX application client user needs to do the following
             a) Using Java keytool, import the broker's certificate to $HOME/.gfclient/truststore
             b) Run the JMX application client with the Java system property
                -Djavax.net.ssl.trustStore=${HOME}/.gfclient/truststore

          Because of a jconsole bug mentioned in GLASSFISH-20671, jconsole cannot be used to access broker MBeans when the broker uses the GlassFish server secure RMI registry. Therefore, David, the GlassFish JMS module should not make this a default; instead, only turn it on when the user wants it.
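
A complete client for the connection steps in the comment above, written as an added example (it is not part of the comment or of the Open MQ code base). The class name, the command-line arguments and the {user, password} String[] credential form are assumptions; the truststore is supplied through -Djavax.net.ssl.trustStore as in step 3b.

```java
import java.io.Console;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.net.ssl.SSLHandshakeException;
import javax.rmi.ssl.SslRMIClientSocketFactory;

public class SecureBrokerJmxClient { // hypothetical class name
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        String trustStore = System.getProperty("javax.net.ssl.trustStore");
        if (args.length != 2 || console == null || trustStore == null) {
            System.err.println("usage: java -Djavax.net.ssl.trustStore=<file> "
                    + "SecureBrokerJmxClient <jmxServiceURL> <user>  (run from a terminal)");
            System.exit(2);
        }
        // Prompt for the password rather than taking it from argv.
        char[] password = console.readPassword("Password for %s: ", args[1]);
        if (password == null) System.exit(2);

        Map<String, Object> env = new HashMap<>();
        // Assumption: the connector accepts the usual {user, password} pair.
        env.put(JMXConnector.CREDENTIALS, new String[] { args[1], new String(password) });
        // The lookup in the secured RMI registry must itself use SSL sockets.
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

        try (JMXConnector connector =
                JMXConnectorFactory.connect(new JMXServiceURL(args[0]), env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            System.out.println("Connected; MBean count: " + mbsc.getMBeanCount());
            for (String domain : mbsc.getDomains()) {
                System.out.println("  domain: " + domain);
            }
        } catch (SecurityException e) {
            System.err.println("Authentication rejected: " + e.getMessage());
            System.exit(1);
        } catch (IOException e) {
            // A missing broker certificate surfaces as a wrapped handshake failure.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof SSLHandshakeException) {
                    System.err.println("TLS handshake failed; is the broker certificate in "
                            + trustStore + "?");
                    System.exit(1);
                }
            }
            throw e;
        }
    }
}
```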


            People

            • Assignee:
              Nigel Deakin
              Reporter:
              David Zhao
            • Votes:
              0
              Watchers:
              1
