Re: [jetty-users] configuring JMX interface to use SSL

You'll need to use jconsole with the same keystore/truststore you used for the jmx server side.
Or you'll need to use an ssl certificate that's from a trusted CA already found in the default JVM keystore.

Note: the prior example is all using Java 8 update 112 btw.

$ vim jconsole-ssl.sh

--(snip)--
#!/bin/bash

jconsole \
 -J-Djavax.net.ssl.keyStore=jmxkeystore.jks \
 -J-Djavax.net.ssl.keyStorePassword=changeme \
 -J-Djavax.net.ssl.trustStore=jmxkeystore.jks \
 -J-Djavax.net.ssl.trustStorePassword=changeme \
 localhost:1616
--(/snip)--


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Tue, Feb 14, 2017 at 3:30 PM, Brian Reichert <reichert@xxxxxxxxxxx> wrote:
On Thu, Feb 09, 2017 at 02:11:23PM -0700, Joakim Erdfelt wrote:
> Here you go.
>
> Using Jetty 9.4.1 demo-base ...

Thanks for such an explicit test case. :)

Following along, with jetty-distribution-9.3.8.v20160314.

- created SSL keystore, successfully, just as you did.

- created modules/jmx-ssl.mod.  One change; for some reason, this
  version of jetty did not honor the use of '${jetty.base}' in the module:

    java -jar ../start.jar --module=jmx-ssl

    ...
    Caused by: java.io.FileNotFoundException: ${jetty.base}/jmxkeystore.jks
    (No such file or directory)
        at java.io.FileInputStream.open0(Native Method)
        at java.io.FileInputStream.open(FileInputStream.java:195)
        at java.io.FileInputStream.<init>(FileInputStream.java:138)
        at java.io.FileInputStream.<init>(FileInputStream.java:93)
        at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(SSLContextImpl.java:827)
        at sun.security.ssl.SSLContextImpl$DefaultSSLContext$2.run(SSLContextImpl.java:824)

  The configuration otherwise seems set:

    java -jar ../start.jar --list-config | grep jetty.base
     jetty.base = /usr/jetty-distribution-9.3.8.v20160314/demo-base
     ${jetty.base} -> /usr/jetty-distribution-9.3.8.v20160314/demo-base
     8:      1.4.1.v201005082020 |
    ${jetty.base}/lib/ext/javax.mail.glassfish-1.4.1.v201005082020.jar
     9:          9.3.8.v20160314 |
    ${jetty.base}/lib/ext/test-mock-resources-9.3.8.v20160314.jar
    10:                    (dir) | ${jetty.base}/resources
     ${jetty.base}/etc/demo-rewrite-rules.xml

  I worked past this by supplying an absolute pathname in the module, e.g.:

    -Djavax.net.ssl.keyStore=/usr/jetty-distribution-9.3.8.v20160314/demo-base/jmxkeystore.jks

Now, I do get port 1616 opened up, and there is an SSL interface
there, and this port is exposed on the external NIC, all of which
is desirable.

But, when I connect remotely using jconsole, I get this error:

  non-JRMP server at remote endpoint

I also explored using a command-line JMX console tool to connect locally:

  http://wiki.cyclopsgroup.org/jmxterm/

but it got the same error.

I've tried setting the port to 1099, in case something had a baked-in
default, to no avail.

Googling that error doesn't give me any pointers that seem applicable
to my situation. :/

I'll keep digging, but I did want to report back.

>
> - Joakim
>
>
> Joakim Erdfelt / joakim@xxxxxxxxxxx

--
Brian Reichert                          <reichert@xxxxxxxxxxx>
BSD admin/developer at large
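
An added example, not code from this thread or from the Jetty project: a minimal Java client that makes the same TLS-protected JMX connection as jconsole-ssl.sh above, which is useful for testing the keystore/truststore pairing without a GUI. The class name JmxSslCheck is hypothetical; the "/jmxrmi" URL path and the SSL-protected RMI registry are assumptions about the server setup, since the jmx-ssl.mod contents are not shown on this page.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

// Hypothetical helper class (added example).
public class JmxSslCheck {
    public static void main(String[] args) throws Exception {
        // Same store and password that jconsole-ssl.sh passes via -J-D...
        // Set these before the first TLS socket is created, because the
        // default SSLContext reads them only once.
        System.setProperty("javax.net.ssl.keyStore", "jmxkeystore.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeme");
        System.setProperty("javax.net.ssl.trustStore", "jmxkeystore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeme");

        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1616;

        // Assumption: the server exposes the connector under "jmxrmi".
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");

        Map<String, Object> env = new HashMap<>();
        // Assumption: the RMI registry itself requires TLS. This entry makes
        // the registry lookup use TLS; remove it if the registry is plain.
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

        // connect() throws if the handshake fails or the certificate is not
        // trusted by the configured truststore.
        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            System.out.println("Connected over TLS to " + url);
            System.out.println("MBean count: " + mbsc.getMBeanCount());
        }
    }
}
```

Compile with javac and run it from the directory that holds jmxkeystore.jks, optionally passing host and port as arguments.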