geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vamsavardhana Reddy" <>
Subject GERONIMO-3876: Allow configuring JMX over SSL
Date Thu, 20 Mar 2008 20:48:10 GMT
I am working on providing configuration of JMX over SSL.  Here is a
situation I have run into and I want others inputs.

I want to use Keystore GBean to configure the keystore and truststore
required by the connector.  Here is the part that I am sure of.

org.apache.geronimo.jmxremoting.JMXConnector GBean needs the following
additional attributes and references to specify the SSL configuration:
1. sslEnabled : true/false
2. algorithm : Default/SunX509/IBMX509
3. secureProtocol: SSL/TLS
4. keyStore
5. keyAlias
6. trustStore
7. clientAuth : true/false
8. keystoreManager : A reference to keystore manager.

Here are some of the approaches and the problems I have run into.

Approach-A) The JMXConnector GBean is right now in "j2ee-security"
configuration.  Unless the keystore GBeans are started before the
JMXConnector GBean, it will not work as expected.  The order in which
keystore GBeans appear in the plan also seems to matter.  Currently Keystore
GBean(s) are in server-security-config.  Either the keystore GBeans should
be moved to j2ee-security or the JMXConnector needs to be moved to

Approach-B) Have a reference collection listener listen to the Keystore
GBeans being added.  In this case, the JMX Server will have to be started in
the listener class.  The problem with this approach is that the
JMXConnector.doStart() can not wait for the listener class to start the JMX
server.  So, the JMX server will be started only after the
JMXConnector.doStart() has completed.  If the JMX server startup fails in
the collection listener, there is no way to make JMXConnector GBean to fail
at startup (as it has already started successfully!!).  Another problem is
that if the configured keystore does not exist, the collection listener will
never know about it and JMX server will not start.

Both the patches are attached in the JIRA.  Please comment on these two
approaches and suggest any improvements that I may have missed out.

View raw message