Re: [jetty-users] configuring JMX interface to use SSL

On Thu, Feb 09, 2017 at 02:11:23PM -0700, Joakim Erdfelt wrote:
> Here you go.

Thanks for this feedback; I look forward to reproducing this effort
in my environment.

> 
> Using Jetty 9.4.1 demo-base ...
> 
> $ cd /path/to/jetty-distribution-9.4.1.v20170120/demo-base
> $ keytool -genkeypair -keyalg RSA -keystore jmxkeystore.jks -dname cn=test,ou=localhost,dc=example,dc=com
> 
> (I created the keystore with password 'changeme')
> 
> $ mkdir modules
> $ vim modules/jmx-ssl.mod
> 
> --(snip)--
> [depend]
> jmx
> 
> [exec]
> -Dcom.sun.management.jmxremote
> -Dcom.sun.management.jmxremote.port=1616
> -Dcom.sun.management.jmxremote.authenticate=false
> -Dcom.sun.management.jmxremote.registry.ssl=true
> -Dcom.sun.management.jmxremote.ssl=true
> -Dcom.sun.management.jmxremote.ssl.need.client.auth=false
> -Djavax.net.ssl.keyStore=${jetty.base}/jmxkeystore.jks
> -Djavax.net.ssl.keyStorePassword=changeme
> -Djavax.net.ssl.trustStore=${jetty.base}/jmxkeystore.jks
> -Djavax.net.ssl.trustStorePassword=changeme
> --(/snip)--
> 
> $ vim jconsole-ssl.sh
> 
> --(snip)--
> #!/bin/bash
> 
> jconsole \
>  -J-Djavax.net.ssl.keyStore=jmxkeystore.jks \
>  -J-Djavax.net.ssl.keyStorePassword=changeme \
>  -J-Djavax.net.ssl.trustStore=jmxkeystore.jks \
>  -J-Djavax.net.ssl.trustStorePassword=changeme \
>  localhost:1616
> --(/snip)--
> 
> (run demo-base server)
> 
> $ java -jar ../start.jar --module=jmx-ssl
> 
> (in other console window ...)
> 
> $ ./jconsole-ssl.sh
> 
> - Joakim
> 
> 
> Joakim Erdfelt / joakim@xxxxxxxxxxx
> 
> On Thu, Feb 9, 2017 at 1:50 PM, Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
> 
> > Hi,
> >
> > On Thu, Feb 9, 2017 at 9:17 PM, Brian Reichert <reichert@xxxxxxxxxxx> wrote:
> > > On Thu, Feb 09, 2017 at 09:23:16PM +0100, Simone Bordet wrote:
> > >> Keep only the jmx module, remove the jmx-remote module.
> > >
> > > BTW, I do appreciate your guidance here.
> > >
> > > I've tried this:
> > >
> > >   java -jar ../start.jar --module=jmx
> > >
> > > That only opened up the two configured HTTP[S] ports:
> > >
> > >   # lsof -P -n -p 20378 | grep TCP
> > >   java    20378 root   90u  IPv6            1257602      0t0     TCP *:8080 (LISTEN)
> > >   java    20378 root   97u  IPv6            1257607      0t0     TCP *:8443 (LISTEN)
> > >
> > > From the startup messages:
> > >   ServerConnector@27f674d{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
> > >   ServerConnector@67b64c45{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
> >
> > Sure.
> >
> > You have to add the JMX system properties as described in
> > https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html.
> >
> > The Jetty JMX module exports Jetty components as MBeans, but those
> > stay within the JVM.
> > If you want to be able to connect to the JVM from remote via JMX, then
> > you have to either A) enable the jmx-remote module, or B) add the
> > system properties as above.
> >
> > --
> > Simone Bordet
> > ----
> > http://cometd.org
> > http://webtide.com
> > Developer advice, training, services and support
> > from the Jetty & CometD experts.
> > _______________________________________________
> > jetty-users mailing list
> > jetty-users@xxxxxxxxxxx
> > To change your delivery options, retrieve your password, or unsubscribe
> > from this list, visit
> > https://dev.eclipse.org/mailman/listinfo/jetty-users
> >



-- 
Brian Reichert				<reichert@xxxxxxxxxxx>
BSD admin/developer at large	
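
Added example, not part of the thread and not Jetty project code: a small audit of the `[exec]` section of a module file such as the `jmx-ssl.mod` quoted above, reporting whether the remote JMX port is left without TLS or client authentication and whether store passwords are passed as JVM arguments. The sample text is copied from the quoted message; the function names and finding labels are assumptions of this example.

```python
import re
# [exec] section copied from the jmx-ssl.mod quoted in the thread above.
SAMPLE_MOD = """\
[depend]
jmx
[exec]
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1616
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.registry.ssl=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Djavax.net.ssl.keyStore=${jetty.base}/jmxkeystore.jks
-Djavax.net.ssl.keyStorePassword=changeme
-Djavax.net.ssl.trustStore=${jetty.base}/jmxkeystore.jks
-Djavax.net.ssl.trustStorePassword=changeme
"""
JMX = "com.sun.management.jmxremote"

def exec_properties(mod_text):
    """Return {name: value} for -D entries in the [exec] section of a .mod file."""
    props, section = {}, None
    for line in map(str.strip, mod_text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "exec" and line.startswith("-D"):
            name, _, value = line[2:].partition("=")
            props[name] = value
    return props

def audit_jmx(mod_text):
    """Return sorted finding labels (the labels are this example's own)."""
    p = exec_properties(mod_text)
    if f"{JMX}.port" not in p:
        return []  # no remote JMX connector is opened
    def on(key, default):  # the JDK default for each flag is passed by the caller
        return p.get(f"{JMX}.{key}", default).lower() == "true"
    tls, findings = on("ssl", "true"), set()
    if not tls:
        findings.add("no-tls")
    if not on("registry.ssl", "false"):
        findings.add("registry-not-tls")
    # Without password auth or TLS client certs, any client reaching the port gets in.
    if not on("authenticate", "true") and not (tls and on("ssl.need.client.auth", "false")):
        findings.add("no-client-authentication")
    if any(k.startswith("javax.net.ssl.") and k.endswith("Password") for k in p):
        findings.add("store-password-in-jvm-args")
    return sorted(findings)
```

Run against the quoted module, `audit_jmx(SAMPLE_MOD)` reports that TLS is on for both the connector and the registry, but that the port accepts any client and the keystore passwords appear in the forked JVM's arguments.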