db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "DerbyJMXQuickStart" by JohnHEmbretsen
Date Thu, 10 Apr 2008 12:56:39 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by JohnHEmbretsen:
http://wiki.apache.org/db-derby/DerbyJMXQuickStart

The comment on the change is:
Added example for enabling JMX w/password authentication

------------------------------------------------------------------------------
  
  === Remote JMX access ===
  
- Remote JMX management and monitoring is a powerful Java feature, letting you monitor a specific
JVM from a remote location. Enabling remote JMX requires explicit actions by the JVM administrator
(you), since it may involve exposing sensitive information about your JVM or application.
+ Remote JMX management and monitoring is a powerful Java feature, letting you monitor a specific
JVM from a remote location. Enabling remote JMX requires explicit actions by the JVM administrator
(you), since it may involve exposing sensitive information about your system.
  
- The most common way to enable remote JMX access to your JVM is to specify a TCP/IP port
number and some basic security (authentication, SSL  (Secure Sockets Layer)) settings when
starting the JVM. For a list of (seemingly de-facto standard) command line options (system
properties) and their meaning, refer to the [http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html#gdeum
Java SE Monitoring and Management Guide], the [http://java.sun.com/j2se/1.5.0/docs/guide/management/agent.html
Platform Monitoring and Management guide for J2SE 5.0], or your JVM's documentation.
+ The most common way to enable remote JMX access to your JVM is to specify a TCP/IP port
number and some basic security (authentication, SSL  (Secure Sockets Layer)) settings when
starting the JVM. Derby attempts to use the JVM's built-in platform MBean server. For a list
of (seemingly de-facto standard) command line options (system properties) and their meaning,
refer to the [http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html#gdeum
Java SE Monitoring and Management Guide], the [http://java.sun.com/j2se/1.5.0/docs/guide/management/agent.html
Platform Monitoring and Management guide for J2SE 5.0], or your JVM's documentation.
+ 
+ ==== Example: Enabling Remote JMX, no authentication/SSL ====
  
  The following example starts the Derby Network Server on the command line with (insecure)
remote JMX management and Monitoring enabled, using the JVM from Sun's JDK 6. Password authentication
over SSL is enabled by default, but in this example these security features are disabled,
to keep the example simple. '''It is not recommended to disable authentication or SSL in production
environments'''.
  
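Review bot: The new heading "Example: Enabling Remote JMX, no authentication/SSL" can be read as "no authentication, but with SSL"; the later heading in this change spells its settings out as "password authentication, no SSL", so "no authentication, no SSL" would be consistent and would make it plain that both protections are off in this example. In the second paragraph, the added sentence "Derby attempts to use the JVM's built-in platform MBean server" does not say what happens when the attempt fails, and it now separates the sentence about port and security settings from the list of options that documents them; consider moving it to the end of the paragraph and stating the fallback.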
@@ -45, +47 @@

  -jar lib/derbyrun.jar server start
  }}}
  
+ When starting the Derby Network Server from the command line, it automatically installs
a security manager using a basic default security policy unless you provide the `-noSecurityManager`
option. You may need to customize this policy to make it suit your needs. See below for details.
+ 
+ ==== Example: Enabling Remote JMX, password authentication, no SSL ====
+ 
+ Some JVMs include built-in support for JMX password authentication. For example, with Sun's
JDK 6, authentication is enabled by default, and it is possible to specify a properties file
specifying usernames and passwords.
+ 
+ ''Note that when authentication is enabled and a Java Security Manager is installed, additional
permissions may need to be granted to users in the security policy used. See [#SecurityPolicy
Security policy] for details.''
+ 
+ Example password file (syntax same as Java properties files), called `jmxremote.password`:
+ {{{
+ ## Defining two "roles", each with its own password
+ monitorRole  derbym
+ controlRole  derby
+ }}}
+ 
+ The following example starts the Derby Network Server on the command line with built-in
JMX password authentication enabled. 
+ 
+ SSL is ''disabled'', meaning that JMX information including usernames and passwords most
likely will be transferred unprotected on the computer network, which is not recommended in
production environments. The command line is presented on multiple lines to improve readability;
though you should enter everything as a single java command.
+ {{{
+ java -Dcom.sun.management.jmxremote.port=9999
+ -Dcom.sun.management.jmxremote.ssl=false 
+ -Dcom.sun.management.jmxremote.password.file=jmxremote.password
+ -jar lib/derbyrun.jar server start
+ }}}
+ 
+ 
+ 
- Refer to the above mentioned documentation for information about enabling JMX security features.
+ Refer to the above mentioned documentation for more information about JMX security features.
  
- === Security policy ===
+ [[Anchor(SecurityPolicy)]]
+ === Fine-grained authorization: Security policy ===
  
- When starting the Derby Network Server from the command line, it installs a basic security
policy by default. This policy includes the required permissions to allow authenticated JMX
users to access Derby's MBeans. 
+ When starting the Derby Network Server from the command line, it installs a basic security
policy by default. This policy includes the required permissions to allow JMX users to access
Derby's MBeans if JMX authentication is disabled. If JMX authentication is enabled, you may
need to grant additional permissions to specific users (JMXPrincipals).
  
  If you are using a custom security policy, refer to the [http://db.apache.org/derby/javadoc/publishedapi/
public API] of Derby's MBeans and Derby's template security policy file ($DERBY_HOME/demo/templates/server-policy)
for details about the permissions you may need to set to allow or restrict specific JMX access.
See also ["JMXSecurityExpectations"].
+ 
+ Some example permissions are included below. Note that these permissions are not necessarily
suitable for any particular application or environment; some customization is probably needed.
+ 
+ ''TODO - Add example policy here...''
  
  == Using JConsole to access Derby's MBeans ==
  

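Review bot: The `jmxremote.password` example stores both passwords in clear text, and nothing in the added text tells the reader to restrict read access to that file to the account that starts the server; add that sentence next to the example, and replace `derbym` and `derby` with obvious placeholders so the sample values are not copied into real deployments. The command line passes the file as a relative path (`-Dcom.sun.management.jmxremote.password.file=jmxremote.password`), so the example depends on the working directory; an absolute path is safer to document. In the security policy section, the text says "Some example permissions are included below" but what follows is only "TODO - Add example policy here...", while the paragraph above it says authenticated users may need additional permissions. As written, a reader who follows the password authentication example with the default security manager has no grant to copy, so either add the policy example in this change or drop the sentence that promises it until it exists.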