Embedded broker JMX support using GlassFish server secured RMI Registry #326

Open
glassfishrobot opened this issue Aug 2, 2013 · 6 comments

@glassfishrobot

GF supports starting a secured RMI Registry for JMX. In that case the EMBEDDED broker can reuse it instead of starting its own, to avoid opening an extra port.

@glassfishrobot

@glassfishrobot Commented
Reported by liang.x.zhao

@glassfishrobot

@glassfishrobot Commented
Issue-Links:
blocks
GLASSFISH-20707
GLASSFISH-20714

@glassfishrobot

@glassfishrobot Commented
liang.x.zhao said:
The steps to enable secure jmx connector in GF:

asadmin set configs.config.server-config.admin-service.jmx-connector.system.security-enabled=true
asadmin change-admin-password (respond to the prompts)
asadmin enable-secure-admin
asadmin restart-domain (as prompted in the output from enable-secure-admin)
asadmin list-jms-resources (users first need to run any asadmin command that contacts the DAS which now has secure admin enabled. This caches the DAS cert in the local GlassFish truststore (in the ~/.gfclient/truststore file).)

jconsole -J-Djavax.net.ssl.trustStore=${HOME}/.gfclient/truststore (Use Remote Process with URL "localhost:8686", and the admin username/password).

You can refer to GLASSFISH-20671 for more details.

@glassfishrobot

@glassfishrobot Commented
@amykang2020 said:
Added JMX support for the broker to use the GlassFish server secure RMI registry port. Custom JMX clients can do the following
to connect to the ssljmxrmi service of a JMSRA-managed broker that uses the GlassFish server secure RMI registry:

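// env is the connection environment passed to JMXConnectorFactory.connect()
final Map<String, Object> env = new HashMap<>();
env.put(JMXConnector.CREDENTIALS, credentials);
// use SSL for the RMI registry lookup as well
env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
final JMXServiceURL jmxURL = new JMXServiceURL(jmxServiceURL);
final JMXConnector jmxConnector = JMXConnectorFactory.connect(jmxURL, env);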

where jmxServiceURL is the JMX service URL for the broker ssljmxrmi service, which can be obtained either from the broker log on startup or from the getJMXServiceURL() method of com.sun.messaging.AdminConnectionConfiguration

1. Before starting the broker, run imqkeytool to set up the keystore so that the broker ssljmx service can use it
2. JMSRA needs to pass the following to the broker in order to have the broker use the GlassFish secure RMI registry port
-useRmiRegistry
-rmiRegistryPort
-Dimq.jmx.connector.activelist=ssljmxrmi <== This turns off the broker jmxrmi service and enables the ssljmxrmi service

as well as imq.keystore.password

3. The JMX application client user needs to do the following
a) Using Java keytool, import the broker's certificate to $HOME/.gfclient/truststore
b) Run the JMX application client with the Java system property
-Djavax.net.ssl.trustStore=${HOME}/.gfclient/truststore

Because of a jconsole bug mentioned in GLASSFISH-20671, jconsole cannot be used to access broker MBeans when the broker uses the GlassFish server secure RMI registry. Therefore, David, the GlassFish JMS module should not make this a default; instead, only turn it on when the user wants it.
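
A complete client for the connection described in the comment above, as an added example that is not part of the original issue or of the Open MQ / GlassFish code. The class name `SecureBrokerJmxClient`, the command-line arguments, and the `String[] {user, password}` credential form are assumptions; the environment keys and the truststore path are the ones given in the comment.

```java
import java.io.Console;
import java.io.File;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

// Hypothetical client class; usage: SecureBrokerJmxClient <jmxServiceURL> <user>
public class SecureBrokerJmxClient {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            throw new IllegalArgumentException("expected <jmxServiceURL> <user>");
        }
        // Step 3b: trust only the store holding the imported broker certificate.
        // Fail closed if it is missing rather than falling back to the JRE default store.
        String trustStore = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("user.home") + "/.gfclient/truststore");
        if (!new File(trustStore).isFile()) {
            throw new IllegalStateException("Truststore not found: " + trustStore);
        }
        System.setProperty("javax.net.ssl.trustStore", trustStore);

        // Prompt for the password so it never appears in argv or shell history.
        Console console = System.console();
        char[] password = console == null ? null
                : console.readPassword("Password for %s: ", args[1]);
        if (password == null) {
            throw new IllegalStateException("No console or no password entered");
        }
        Map<String, Object> env = new HashMap<>();
        // Assumption: credentials are passed as String[] {user, password}.
        env.put(JMXConnector.CREDENTIALS, new String[] {args[1], new String(password)});
        // The RMI registry lookup itself must go over SSL (key from the comment above).
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

        JMXServiceURL jmxURL = new JMXServiceURL(args[0]);
        try (JMXConnector connector = JMXConnectorFactory.connect(jmxURL, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            System.out.println("Connected, MBean count: " + mbsc.getMBeanCount());
            for (String domain : mbsc.getDomains()) {
                System.out.println("  domain: " + domain);
            }
        } finally {
            Arrays.fill(password, '\0'); // clear the prompt buffer
        }
    }
}
```

An SSL handshake failure at `connect` usually means the broker's certificate has not been imported into the truststore named in step 3a.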

@glassfishrobot

@glassfishrobot Commented
This issue was imported from java.net JIRA MQ-326
