Return-Path: 
 <derby-dev-return-59329-apmail-db-derby-dev-archive=db.apache.org@db.apache.org>
Delivered-To: apmail-db-derby-dev-archive@www.apache.org
Received: (qmail 44190 invoked from network); 25 Apr 2008 13:36:05 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 25 Apr 2008 13:36:05 -0000
Received: (qmail 15765 invoked by uid 500); 25 Apr 2008 13:36:06 -0000
Delivered-To: apmail-db-derby-dev-archive@db.apache.org
Received: (qmail 15744 invoked by uid 500); 25 Apr 2008 13:36:06 -0000
Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:derby-dev-help@db.apache.org>
List-Unsubscribe: <mailto:derby-dev-unsubscribe@db.apache.org>
List-Post: <mailto:derby-dev@db.apache.org>
List-Id: <derby-dev.db.apache.org>
Reply-To: <derby-dev@db.apache.org>
Delivered-To: mailing list derby-dev@db.apache.org
Received: (qmail 15733 invoked by uid 99); 25 Apr 2008 13:36:05 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 25 Apr 2008 06:36:05 -0700
X-ASF-Spam-Status: No, hits=-1.0 required=10.0
	tests=RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: local policy)
Received: from [192.18.6.21] (HELO gmp-eb-inf-1.sun.com) (192.18.6.21)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 25 Apr 2008 13:35:19 +0000
Received: from fe-emea-10.sun.com (gmp-eb-lb-2-fe2.eu.sun.com [192.18.6.11])
	by gmp-eb-inf-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id m3PDZSVJ025442
	for <derby-dev@db.apache.org>; Fri, 25 Apr 2008 13:35:31 GMT
Received: from conversion-daemon.fe-emea-10.sun.com by fe-emea-10.sun.com
 (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007))
 id <0JZV00L01UW4YD00@fe-emea-10.sun.com>
 (original mail from John.Embretsen@Sun.COM) for derby-dev@db.apache.org; Fri,
 25 Apr 2008 14:35:28 +0100 (BST)
Received: from [129.159.112.232] by fe-emea-10.sun.com
 (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007))
 with ESMTPSA id <0JZV00L2XV2VK880@fe-emea-10.sun.com> for
 derby-dev@db.apache.org; Fri, 25 Apr 2008 14:35:20 +0100 (BST)
Date: Fri, 25 Apr 2008 15:34:59 +0200
From: John Embretsen <John.Embretsen@Sun.COM>
Subject: Re: Problem with MBean user/ password example on Wiki page (non-JRMP
 server at remote endpoint)
In-reply-to: <4810AE27.4090105@Sun.COM>
Sender: John.Embretsen@Sun.COM
To: derby-dev@db.apache.org
Reply-to: derby-dev@db.apache.org
Message-id: <4811DE03.8030504@Sun.COM>
MIME-version: 1.0
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7BIT
X-Enigmail-Version: 0.95.1
References: <480F707D.9040807@sbcglobal.net> <480F9257.4090105@sun.com>
 <480FB674.7030204@sbcglobal.net> <4810AE27.4090105@Sun.COM>
User-Agent: Thunderbird 2.0.0.12 (X11/20080228)
X-Virus-Checked: Checked by ClamAV on apache.org

John Embretsen wrote:
> Kathey Marsden wrote:
>> John H. Embretsen wrote:
>>> Hmm, I don't see anything obviously wrong. If it works with JConsole
>>> and the exact same server configuration, it is certainly strange.
>>> Perhaps some of the troubleshooting tips (JMX logging, security debug
>>> traces) described on the wiki might reveal more hints? If you're using
>>> e.g. IBM's JVM that may have something to do with it as well.
>>>
>> For this part I am testing with the Sun JDK 1.6 just to remove that as a
>> variable.  Turning on logging, and running without security manager
>> seemed to have no effect.  I think I'll leave it alone for a while and
>> come back to it as I am pretty stuck.
> 
> For what it's worth, I am able to reproduce it using your command lines. So far
> it seems like it has to do with how the server is started/configured, and not
> the client. The strange thing is I have a script with (seemingly) the same
> options, only in slightly different order and using different classpath etc,
> which works with your client code. I'll try to take a closer look tomorrow.

OK, I have found the issue and corrected the wiki (I apologize for luring you
into this kind of trouble, Kathey). It turns out that the SSL protection of the
RMI registry (com.sun.management.jmxremote.registry.ssl=true) on the server side
requires the JMX client to explicitly specify an RMI client socket factory which
supports SSL, e.g. like this:

env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

Apparently, JConsole does this automatically or something, but I don't have the
details on that.

There was a bug in the script I used for testing this particular scenario, which
resulted in my using a different JVM version than I thought I was using. With
(JVM) 1.5 that specific property is not supported, and it is apparently just
ignored - hence no changes are required on the client side. With JDK 6 it is
another deal, as you have noticed. Not sure if JVMs from other vendors behave
the same way or even support this kind of SSL protection out of the box.

I wasn't able to find much information about this in official documentation, but
these blog entries lead me to a solution:

http://blogs.sun.com/lmalventosa/entry/secure_management_agent
http://blogs.sun.com/lmalventosa/entry/using_the_ssl_tls_based1

Again, thanks for trying out this stuff!


-- 
John