db-derby-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Db-derby Wiki] Update of "DerbyJMXQuickStart" by JohnHEmbretsen
Date Fri, 25 Apr 2008 09:28:46 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.

The following page has been changed by JohnHEmbretsen:
http://wiki.apache.org/db-derby/DerbyJMXQuickStart

The comment on the change is:
Added missing client environment entry for RMI registry SSL protection

------------------------------------------------------------------------------
   * The password of the private key must be the same as the password of the keystore
   * The keystore can only contain one key pair, or the key pair you want to use must be listed
first among all the keys in the keystore. Otherwise, you (or the clients) may see an exception
saying something like "''unable to find valid certification path to requested target.''"
  
- The system property `-Dcom.sun.management.jmxremote.ssl.need.client.auth=true` specifies
that clients ''must'' use SSL to authenticate themselves. This requirement is optional. This
property as well as the truststore properties may be removed if you do not want to authenticate
clients using SSL (note that there may be security risks associated with using password authentication
only).
+ The system property `com.sun.management.jmxremote.ssl.need.client.auth=true` specifies that
clients ''must'' use SSL to authenticate themselves. This requirement is optional. This property
as well as the truststore properties may be removed if you do not want to authenticate clients
using SSL (note that there may be security risks associated with using password authentication
only).
+ 
+ The system property `com.sun.management.jmxremote.registry.ssl=true` is new in JDK 6 and
aims at resolving security issues with the RMI registry used in relation with JMX. This property
must be used in conjunction with `com.sun.management.jmxremote.ssl.need.client.auth=true`
in order to fully secure the RMI registry. 
+ 
+ '''Note that when enabling SSL protection of the registry, clients must provide an additional
entry in the environment map passed to the `JMXConnector` (JConsole/JDK6 handles this automatically):
+ {{{
+    env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
+ }}}
+ (see [:#ConnectingToServer:Connecting to the MBean Server] for details)
  
  Note that clients must also specify and use proper keystores and/or truststores (the truststores
must contain the server's SSL certificate).
  
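Review bot: The two added paragraphs give conflicting guidance on `com.sun.management.jmxremote.ssl.need.client.auth=true`. The rewritten first paragraph still calls the requirement optional and says the property may be removed, while the new paragraph on `com.sun.management.jmxremote.registry.ssl=true` says it must be used together with that property in order to fully secure the RMI registry. Suggest saying in the first paragraph that removing `need.client.auth` also gives up full protection of the registry, so a reader who stops there does not end up with a partially secured setup. Separately, the `'''` opened before "Note that when enabling SSL protection of the registry" is never closed in the added lines, so the bold markup is unbalanced.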
@@ -404, +412 @@

  
  ''Note that you do '''not''' need any Derby libraries in the JMX client application's classpath
(unless MBean proxies are used)''.
  
+ [[Anchor(ConnectingToServer]]
  === Connecting to the MBean Server ===
  
  Derby will attempt to register its MBeans with the Platform MBean Server of the JVM running
the Derby system (embedded or Network Server). The following examples assume that you have
configured the Derby JVM to enable remote JMX, which means that you have set a port number
(`com.sun.management.jmxremote.port`) to be used by the JMX Server Connector.
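Review bot: The added `[[Anchor(ConnectingToServer]]` line is missing the closing parenthesis of the macro call; it should read `[[Anchor(ConnectingToServer)]]`. As written the anchor is unlikely to be created, which leaves the `[:#ConnectingToServer:Connecting to the MBean Server]` link added earlier in this change without a target.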
@@ -428, +437 @@

      String[] credentials = new String[] { "controlRole" , "derby" };
      HashMap<String,Object> env = new HashMap<String,Object>();
      // Set credentials (jmx.remote.credentials, see JMX Remote API 1.0 spec section 3.4)
-     env.put(JMXConnector.CREDENTIALS, credentials); 
+     env.put(JMXConnector.CREDENTIALS, credentials);
+     // if the server's RMI registry is protected with SSL/TLS (JDK 6)
+     // (com.sun.management.jmxremote.registry.ssl=true), then the following entry must be
included:
+     //env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());  // uncomment
if needed
+ 
+     // Connect to the server
      JMXConnector jmxc = JMXConnectorFactory.connect(url, env);
      MBeanServerConnection mbeanServerConn = jmxc.getMBeanServerConnection();
  }}}
+ 
+ (''Not specifying `SslRMIClientSocketFactory` when required may result in "`java.rmi.ConnectIOException:
non-JRMP server at remote endpoint`"''.)
  
  === Creating a ManagementMBean ===
  
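Review bot: The commented-out `env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());` line uses a class whose import is not visible in this hunk. If the example's import list (outside the lines shown) does not already include `javax.rmi.ssl.SslRMIClientSocketFactory`, a reader who uncomments the line gets a compile error, so either add the import or name the package in the comment. The trailing "// uncomment if needed" repeats what the two comment lines above it already say and could be dropped to keep the line short inside the code block.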
