Re: [jetty-users] configuring JMX interface to use SSL

Here you go.

Using Jetty 9.4.1 demo-base ...

$ cd /path/to/jetty-distribution-9.4.1.v20170120/demo-base
$ keytool -genkeypair -keyalg RSA -keystore jmxkeystore.jks -dname cn=test,ou=localhost,dc=example,dc=com

(I created the keystore with password 'changeme')

$ mkdir modules
$ vim modules/jmx-ssl.mod

--(snip)--
[depend]
jmx

[exec]
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1616
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.registry.ssl=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Djavax.net.ssl.keyStore=${jetty.base}/jmxkeystore.jks
-Djavax.net.ssl.keyStorePassword=changeme
-Djavax.net.ssl.trustStore=${jetty.base}/jmxkeystore.jks
-Djavax.net.ssl.trustStorePassword=changeme
--(/snip)--

$ vim jconsole-ssl.sh

--(snip)--
#!/bin/bash

jconsole \
 -J-Djavax.net.ssl.keyStore=jmxkeystore.jks \
 -J-Djavax.net.ssl.keyStorePassword=changeme \
 -J-Djavax.net.ssl.trustStore=jmxkeystore.jks \
 -J-Djavax.net.ssl.trustStorePassword=changeme \
 localhost:1616
--(/snip)--

(run demo-base server)

$ java -jar ../start.jar --module=jmx-ssl

(in other console window ...)

$ ./jconsole-ssl.sh

- Joakim


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Feb 9, 2017 at 1:50 PM, Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
Hi,

On Thu, Feb 9, 2017 at 9:17 PM, Brian Reichert <reichert@xxxxxxxxxxx> wrote:
> On Thu, Feb 09, 2017 at 09:23:16PM +0100, Simone Bordet wrote:
>> Keep only the jmx module, remove the jmx-remote module.
>
> BTW, I do appreciate your guidance here.
>
> I've tried this:
>
>   java -jar ../start.jar --module=jmx
>
> That only opened up the two configured HTTP[S] ports:
>
>   # lsof -P -n -p 20378 | grep TCP
>   java    20378 root   90u  IPv6            1257602      0t0     TCP *:8080 (LISTEN)
>   java    20378 root   97u  IPv6            1257607      0t0     TCP *:8443 (LISTEN)
>
> From the startup messages:
>   ServerConnector@27f674d{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
>   ServerConnector@67b64c45{SSL,[ssl, http/1.1]}{0.0.0.0:8443}

Sure.

You have to add the JMX system properties as described in
https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html.

The Jetty JMX module exports Jetty components as MBeans, but those
stay within the JVM.
If you want to be able to connect to the JVM from remote via JMX, then
you have to either A) enable the jmx-remote module, or B) add the
system properties as above.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
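
An added example, not part of the original thread: a shell check that reads the `[exec]` section of a Jetty module file such as the `jmx-ssl.mod` shown above and lists the remote-JMX settings worth reviewing before the port is reachable by anyone else. The function names and finding labels are made up for this sketch; it assumes the JDK defaults (`authenticate` and `ssl` default to true, `registry.ssl` and `ssl.need.client.auth` to false) and that `[exec]` entries become arguments of the forked JVM.

```sh
#!/bin/sh
# Added example: audit a Jetty module file's [exec] section for weak remote-JMX
# settings. Function names and finding labels are invented for this sketch.

# Print the value of -D<name>=<value> from the [exec] section of file $1.
jmx_prop() {
  awk -v k="-D$2=" '
    /^\[exec\]/ { in_exec = 1; next }
    /^\[/       { in_exec = 0 }
    in_exec && index($0, k) == 1 { v = substr($0, length(k) + 1) }
    END { print v }' "$1"
}

flag() { echo "$1"; jmx_findings=$((jmx_findings + 1)); }

# Print one label per finding; return 0 only when nothing was flagged.
audit_jmx_mod() {
  jmx_findings=0; p=com.sun.management.jmxremote
  # No remote connector port means this module exposes nothing remotely.
  [ -n "$(jmx_prop "$1" "$p.port")" ] || return 0
  # authenticate and ssl default to true: only an explicit false is flagged.
  [ "$(jmx_prop "$1" "$p.authenticate")" = false ] && flag no-password-auth
  [ "$(jmx_prop "$1" "$p.ssl")" = false ] && flag no-tls
  # registry.ssl and ssl.need.client.auth default to false: must be set to true.
  [ "$(jmx_prop "$1" "$p.registry.ssl")" = true ] || flag registry-not-tls
  [ "$(jmx_prop "$1" "$p.ssl.need.client.auth")" = true ] || flag no-client-cert
  # A -D password in [exec] is a JVM argument, readable in the process list.
  [ -n "$(jmx_prop "$1" javax.net.ssl.keyStorePassword)" ] && flag password-in-jvm-args
  [ "$jmx_findings" -eq 0 ]
}

# Constructed sample: the relevant [exec] settings from the message above.
sample_mod() {
  cat <<'EOF'
[depend]
jmx

[exec]
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=1616
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.registry.ssl=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
-Djavax.net.ssl.keyStorePassword=changeme
EOF
}

tmp=$(mktemp) && sample_mod > "$tmp"
audit_jmx_mod "$tmp" || echo "review the settings listed above"
rm -f "$tmp"
```

With `authenticate=false` and `ssl.need.client.auth=false`, TLS encrypts the connection but any client that can reach port 1616 can connect; the JDK's `com.sun.management.jmxremote.password.file` and `com.sun.management.jmxremote.ssl.config.file` properties cover password authentication and keeping keystore passwords out of the command line.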