From derby-commits-return-10025-apmail-db-derby-commits-archive=db.apache.org@db.apache.org Thu Apr 10 12:57:02 2008
Return-Path:
Delivered-To: apmail-db-derby-commits-archive@www.apache.org
Received: (qmail 43201 invoked from network); 10 Apr 2008 12:57:02 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 10 Apr 2008 12:57:02 -0000
Received: (qmail 65569 invoked by uid 500); 10 Apr 2008 12:57:00 -0000
Delivered-To: apmail-db-derby-commits-archive@db.apache.org
Received: (qmail 65529 invoked by uid 500); 10 Apr 2008 12:57:00 -0000
Mailing-List: contact derby-commits-help@db.apache.org; run by ezmlm
Precedence: bulk
list-help:
list-unsubscribe:
List-Post:
Reply-To: "Derby Development"
List-Id:
Delivered-To: mailing list derby-commits@db.apache.org
Received: (qmail 65458 invoked by uid 99); 10 Apr 2008 12:57:00 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 10 Apr 2008 05:57:00 -0700
X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.130] (HELO eos.apache.org) (140.211.11.130) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 10 Apr 2008 12:56:26 +0000
Received: from eos.apache.org (localhost [127.0.0.1]) by eos.apache.org (Postfix) with ESMTP id 4F181D2E4 for ; Thu, 10 Apr 2008 12:56:39 +0000 (GMT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Apache Wiki
To: derby-commits@db.apache.org
Date: Thu, 10 Apr 2008 12:56:39 -0000
Message-ID: <20080410125639.24865.65593@eos.apache.org>
Subject: [Db-derby Wiki] Update of "DerbyJMXQuickStart" by JohnHEmbretsen
X-Virus-Checked: Checked by ClamAV on apache.org

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Db-derby Wiki" for change notification.
The following page has been changed by JohnHEmbretsen: http://wiki.apache.org/db-derby/DerbyJMXQuickStart The comment on the change is: Added example for enabling JMX w/password authentication ------------------------------------------------------------------------------ === Remote JMX access === - Remote JMX management and monitoring is a powerful Java feature, letting you monitor a specific JVM from a remote location. Enabling remote JMX requires explicit actions by the JVM administrator (you), since it may involve exposing sensitive information about your JVM or application. + Remote JMX management and monitoring is a powerful Java feature, letting you monitor a specific JVM from a remote location. Enabling remote JMX requires explicit actions by the JVM administrator (you), since it may involve exposing sensitive information about your system. - The most common way to enable remote JMX access to your JVM is to specify a TCP/IP port number and some basic security (authentication, SSL (Secure Sockets Layer)) settings when starting the JVM. For a list of (seemingly de-facto standard) command line options (system properties) and their meaning, refer to the [http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html#gdeum Java SE Monitoring and Management Guide], the [http://java.sun.com/j2se/1.5.0/docs/guide/management/agent.html Platform Monitoring and Management guide for J2SE 5.0], or your JVM's documentation. + The most common way to enable remote JMX access to your JVM is to specify a TCP/IP port number and some basic security (authentication, SSL (Secure Sockets Layer)) settings when starting the JVM. Derby attempts to use the JVM's built-in platform MBean server. 
For a list of (seemingly de-facto standard) command line options (system properties) and their meaning, refer to the [http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html#gdeum Java SE Monitoring and Management Guide], the [http://java.sun.com/j2se/1.5.0/docs/guide/management/agent.html Platform Monitoring and Management guide for J2SE 5.0], or your JVM's documentation. + + ==== Example: Enabling Remote JMX, no authentication/SSL ==== The following example starts the Derby Network Server on the command line with (insecure) remote JMX management and Monitoring enabled, using the JVM from Sun's JDK 6. Password authentication over SSL is enabled by default, but in this example these security features are disabled, to keep the example simple. '''It is not recommended to disable authentication or SSL in production environments'''. @@ -45, +47 @@ -jar lib/derbyrun.jar server start }}} + When starting the Derby Network Server from the command line, it automatically installs a security manager using a basic default security policy unless you provide the `-noSecurityManager` option. You may need to customize this policy to make it suit your needs. See below for details. + + ==== Example: Enabling Remote JMX, password authentication, no SSL ==== + + Some JVMs include built-in support for JMX password authentication. For example, with Sun's JDK 6, authentication is enabled by default, and it is possible to specify a properties file specifying usernames and passwords. + + ''Note that when authentication is enabled and a Java Security Manager is installed, additional permissions may need to be granted to users in the security policy used. 
See [#SecurityPolicy Security policy] for details.'' + + Example password file (syntax same as Java properties files), called `jmxremote.password`: + {{{ + ## Defining two "roles", each with its own password + monitorRole derbym + controlRole derby + }}} + + The following example starts the Derby Network Server on the command line with built-in JMX password authentication enabled. + + SSL is ''disabled'', meaning that JMX information including usernames and passwords most likely will be transferred unprotected on the computer network, which is not recommended in production environments. The command line is presented on multiple lines to improve readability; though you should enter everything as a single java command. + {{{ + java -Dcom.sun.management.jmxremote.port=9999 + -Dcom.sun.management.jmxremote.ssl=false + -Dcom.sun.management.jmxremote.password.file=jmxremote.password + -jar lib/derbyrun.jar server start + }}} + + + - Refer to the above mentioned documentation for information about enabling JMX security features. + Refer to the above mentioned documentation for more information about JMX security features. - === Security policy === + [[Anchor(SecurityPolicy)]] + === Fine-grained authorization: Security policy === - When starting the Derby Network Server from the command line, it installs a basic security policy by default. This policy includes the required permissions to allow authenticated JMX users to access Derby's MBeans. + When starting the Derby Network Server from the command line, it installs a basic security policy by default. This policy includes the required permissions to allow JMX users to access Derby's MBeans if JMX authentication is disabled. If JMX authentication is enabled, you may need to grant additional permissions to specific users (JMXPrincipals). 
If you are using a custom security policy, refer to the [http://db.apache.org/derby/javadoc/publishedapi/ public API] of Derby's MBeans and Derby's template security policy file ($DERBY_HOME/demo/templates/server-policy) for details about the permissions you may need to set to allow or restrict specific JMX access. See also ["JMXSecurityExpectations"]. + + Some example permissions are included below. Note that these permissions are not necessarily suitable for any particular application or environment; some customization is probably needed. + + ''TODO - Add example policy here...'' == Using JConsole to access Derby's MBeans ==
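Review bot: In the introduction to the "no authentication/SSL" example, "Password authentication over SSL is enabled by default" reads as if authentication and SSL were a single feature; with Sun's JDK 6 they are two separate properties (`com.sun.management.jmxremote.authenticate` and `com.sun.management.jmxremote.ssl`) that both default to true, so "password authentication and SSL are both enabled by default, but in this example both are disabled" would match what the command line actually switches off. The added sentence "Derby attempts to use the JVM's built-in platform MBean server" would also carry more weight with its consequence stated: since Derby's MBeans are registered in the platform MBean server, the JVM's own `com.sun.management.jmxremote.*` settings are what govern remote access to them, which is why the rest of the section configures the JVM rather than Derby.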
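Review bot: The `jmxremote.password` example leaves out two things the reader needs before the command in this hunk works and is safe. First, on Solaris/Linux the JDK's JMX agent refuses to start when the password file is readable by anyone other than its owner (the JVM exits with "Password file read access must be restricted"), so a `chmod 600 jmxremote.password` step belongs right after the file listing. Second, the role names are not arbitrary: `monitorRole` and `controlRole` get their read-only and read-write rights from the access file (`com.sun.management.jmxremote.access.file`, by default `$JRE_HOME/lib/management/jmxremote.access`), and any additional role defined in the password file must also appear there; a sentence pointing at the access file, plus a reminder that `derbym` and `derby` are placeholders to be replaced, would close that gap. Finally, "Some example permissions are included below" is followed only by the ''TODO'' marker; better to drop that sentence until the policy example actually exists.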