db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "DerbyJMXQuickStart" by JohnHEmbretsen
Date Tue, 15 Apr 2008 15:11:38 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by JohnHEmbretsen:
http://wiki.apache.org/db-derby/DerbyJMXQuickStart

The comment on the change is:
Added example using SSL on the server side

------------------------------------------------------------------------------
  -jar lib/derbyrun.jar server start
  }}}
  
+ ==== Example: Enabling Remote JMX, password authentication, client/server SSL, RMI registry
SSL ====
  
+ This example shows how to start the Derby network server...
+  * using Sun's JDK 6
+  * using a Java security manager and a custom policy file, `jmx.policy`
+  * allowing connections from remote hosts (technically: via all network interfaces (IPv4))
(`-h 0.0.0.0`)
+  * using password authentication, as described in the previous example (`jmxremote.password`
file)
+  * using SSL (Secure Socket Layer) for
+    * authenticating clients
+    * encrypting all JMX related network communication
+    * protecting the RMI registry used by the MBean server
  
- Refer to the above mentioned documentation for more information about JMX security features.
+ This level of protection may or may not be adequate for you, but it is definitely more secure
that the previous examples.
+ 
+ The command line is presented on multiple lines to improve readability; though you should
enter everything as a single java command.
+ 
+ {{{
+ java -Dcom.sun.management.jmxremote.port=9999 
+ -Dcom.sun.management.jmxremote.password.file=jmxremote.password 
+ -Djavax.net.ssl.keyStore=/home/user/.keystore 
+ -Djavax.net.ssl.keyStorePassword=myKeyStorePassword 
+ -Dcom.sun.management.jmxremote.ssl.need.client.auth=true 
+ -Djavax.net.ssl.trustStore=/home/user/.truststore 
+ -Djavax.net.ssl.trustStorePassword=myTrustStorePassword 
+ -Dcom.sun.management.jmxremote.registry.ssl=true 
+ -Djava.security.manager 
+ -Djava.security.policy=jmx.policy 
+ -jar lib/derbyrun.jar server start -h 0.0.0.0
+ }}}
+ 
+ ''Note that when password authentication is enabled and a Java Security Manager is installed,
a number of JMX-related permissions need to be granted to trusted users in the security policy
used. See [#SecurityPolicy Security policy] for details.''
+ 
+ In the example above, system properties specify the keystore containing the server's key
pair, the keystore password, the truststore containing the client certificates and the truststore
password. Setting up SSL keystores and truststores is partly described in the '''Derby Server
and Administration Guide''', under "''Derby Network Server advanced topics''" --> "''Network
encryption and authentication with SSL/TLS''" --> [http://db.apache.org/derby/docs/dev/adminguide/cadminsslkeys.html
"Key and certificate handling"]. You should also refer to that guide if you want to protect
the actual database network traffic using SSL. You should also be able to find Java-related
SSL tutorials elsewhere on the web.
+ 
+ When configuring SSL as described above, the following caveats apply:
+  * The password of the private key must be the same as the password of the keystore
+  * The keystore can only contain one key pair, or the key pair you want to use must be listed
first among all the keys in the keystore. Otherwise, you (or the clients) may see an exception
saying something like "''unable to find valid certification path to requested target.''"
+ 
+ The system property `-Dcom.sun.management.jmxremote.ssl.need.client.auth=true` specifies
that clients ''must'' use SSL to authenticate themselves. This requirement is optional. This
property as well as the truststore properties may be removed if you do not want to authenticate
clients using SSL (note that there may be security risks associated with using password authentication
only).
+ 
+ Note that clients must also specify and use proper keystores and/or truststores (the truststores
must contain the server's SSL certificate).
+ 
+ For more information about the system properties used above and potential security risks,
see [http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html the Java SE
Monitoring and Management Guide].
+ 
  
  [[Anchor(SecurityPolicy)]]
  === Fine-grained authorization: Security policy ===
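Review bot: the sentence "it is definitely more secure that the previous examples" should read "more secure than the previous examples". On the worked command, the keystore and truststore passwords (`-Djavax.net.ssl.keyStorePassword=myKeyStorePassword` and `-Djavax.net.ssl.trustStorePassword=myTrustStorePassword`) are passed as plain command-line arguments, so they are readable by other local users in process listings and can end up in shell history; since the section already directs readers to protect the `jmxremote.password` file, a matching caveat in the "following caveats apply" list, suggesting the passwords be supplied from a file with restricted permissions rather than on the command line, would keep the example consistent with its own advice. Finally, the bullet "allowing connections from remote hosts (technically: via all network interfaces (IPv4)) (`-h 0.0.0.0`)" attributes remote reachability to `-h 0.0.0.0`, but that option is given to `derbyrun.jar server start` and controls where the Derby network (database) server listens, while remote JMX access is enabled by `-Dcom.sun.management.jmxremote.port=9999` independently of `-h`; stating which listener each option governs would stop readers from assuming that omitting `-h 0.0.0.0` also restricts JMX to localhost.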
