From: Jarek Gawor
To: dev@geronimo.apache.org
Subject: Re: GERONIMO-3876: Allow configuring JMX over SSL
Date: Thu, 27 Mar 2008 12:31:36 -0400
Message-ID: <5eb405c70803270931t6e1c008fuc6946929387afe76@mail.gmail.com>
In-Reply-To: <22d56c4d0803201348w77b652fatf68a23fb73d45676@mail.gmail.com>

Vamsi,

Two things on this:

1) I think it is important to make sure that all command line tools, gshell (or anything that uses JMX) still (seamlessly) work once SSL is enabled on the JMX port.

2) Also, I do think that we should have a separate SSL-enabled JMX port (even though there might not be a standard one defined). Using the same port with and without SSL will just create problems for users and admins that have to manage multiple G servers, and they will never know if the port is secure or not.

Jarek

On Thu, Mar 20, 2008 at 4:48 PM, Vamsavardhana Reddy wrote:
> I am working on providing configuration of JMX over SSL. Here is a
> situation I have run into and I want others' inputs.
>
> I want to use the Keystore GBean to configure the keystore and truststore
> required by the connector. Here is the part that I am sure of.
>
> The org.apache.geronimo.jmxremoting.JMXConnector GBean needs the following
> additional attributes and references to specify the SSL configuration:
> 1. sslEnabled : true/false
> 2. algorithm : Default/SunX509/IBMX509
> 3. secureProtocol : SSL/TLS
> 4. keyStore
> 5. keyAlias
> 6. trustStore
> 7. clientAuth : true/false
> 8. keystoreManager : a reference to the keystore manager.
>
> Here are some of the approaches and the problems I have run into.
>
> Approach-A) The JMXConnector GBean is right now in the "j2ee-security"
> configuration. Unless the keystore GBeans are started before the
> JMXConnector GBean, it will not work as expected. The order in which
> keystore GBeans appear in the plan also seems to matter. Currently the Keystore
> GBean(s) are in server-security-config. Either the keystore GBeans should
> be moved to j2ee-security or the JMXConnector needs to be moved to
> server-security-config.
>
> Approach-B) Have a reference collection listener listen to the Keystore
> GBeans being added. In this case, the JMX server will have to be started in
> the listener class. The problem with this approach is that
> JMXConnector.doStart() cannot wait for the listener class to start the JMX
> server. So, the JMX server will be started only after
> JMXConnector.doStart() has completed. If the JMX server startup fails in
> the collection listener, there is no way to make the JMXConnector GBean fail
> at startup (as it has already started successfully!!). Another problem is
> that if the configured keystore does not exist, the collection listener will
> never know about it and the JMX server will not start.
>
> Both the patches are attached in the JIRA. Please comment on these two
> approaches and suggest any improvements that I may have missed out.
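As an added illustration (not Geronimo's JMXConnector GBean code, nor either patch in the JIRA), the following shows how the attributes Vamsi lists map onto the standard JMX-over-RMI SSL API, and why loading the keystore and truststore inside the start method makes a missing store fail the start call itself, which is the failure-propagation problem Approach-B runs into. Host and port values are placeholders chosen to keep the SSL listener on its own port as Jarek suggests; the keyAlias attribute is left out (the default key manager picks the alias), and keystoreManager is replaced by plain file paths.

```java
import java.io.FileInputStream;
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.*;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.net.ssl.*;
import javax.rmi.ssl.*;

public class SslJmxConnectorExample {
    // Plays the role of doStart(): every failure is thrown from here, so the caller fails too.
    public static JMXConnectorServer start(String host, int registryPort, int serverPort,
            String keyStorePath, char[] keyStorePassword, String trustStorePath,
            char[] trustStorePassword, String algorithm, String secureProtocol,
            boolean clientAuth) throws Exception {
        // keyStore / trustStore: load both up front; a missing or unreadable file fails now,
        // not later inside a collection listener that nobody can report back to.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keyStorePath)) { ks.load(in, keyStorePassword); }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) { ts.load(in, trustStorePassword); }
        // algorithm: "Default" means the JVM's default factory algorithm, else SunX509/IBMX509 as given.
        boolean dflt = "Default".equals(algorithm);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                dflt ? KeyManagerFactory.getDefaultAlgorithm() : algorithm);
        kmf.init(ks, keyStorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                dflt ? TrustManagerFactory.getDefaultAlgorithm() : algorithm);
        tmf.init(ts);
        // secureProtocol: "SSL" or "TLS" selects the SSLContext.
        SSLContext ctx = SSLContext.getInstance(secureProtocol);
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        // clientAuth: require a client certificate on every RMI connection.
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(ctx, null, null, clientAuth);
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // Registry and exported RMI server both use the SSL factories on dedicated ports,
        // so nothing on these ports ever accepts plaintext.
        LocateRegistry.createRegistry(registryPort, csf, ssf);
        Map<String, Object> env = new HashMap<>();
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
        env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://" + host + ":" + serverPort
                + "/jndi/rmi://" + host + ":" + registryPort + "/jmxrmi");
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
                url, env, ManagementFactory.getPlatformMBeanServer());
        server.start();  // IOException here propagates, so the GBean start fails visibly
        return server;
    }
}
```

Clients (command line tools, gshell) then need a truststore containing the server certificate, and a client keystore as well when clientAuth is true, which is the "still works seamlessly" point in the reply above.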