Enabling remote JMX with password authentication and SSL

This example shows how to start the Network Server as follows:
  • Using a Java security manager and a custom policy file, jmx.policy
  • Allowing connections from remote hosts by specifying -h 0.0.0.0 (that is, binding to all IPv4 network interfaces, so the server is reachable from any host that can route to the machine)
  • Using password authentication with the jmxremote.password file
  • Using SSL (Secure Socket Layer) for the following:
    • Authenticating clients
    • Encrypting all JMX-related network communication
    • Protecting the RMI registry used by the MBean server

This level of protection may or may not be adequate for your environment, but it is more secure than the previous examples, which did not authenticate clients by certificate or protect the RMI registry.

The command line appears on multiple lines to improve readability, but you would enter it as a single java command.

java -Dcom.sun.management.jmxremote.port=9999
     -Dcom.sun.management.jmxremote.password.file=jmxremote.password
     -Djavax.net.ssl.keyStore=/home/user/.keystore
     -Djavax.net.ssl.keyStorePassword=myKeyStorePassword
     -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
     -Djavax.net.ssl.trustStore=/home/user/.truststore
     -Djavax.net.ssl.trustStorePassword=myTrustStorePassword
     -Dcom.sun.management.jmxremote.registry.ssl=true
     -Djava.security.manager
     -Djava.security.policy=jmx.policy
     -jar lib/derbyrun.jar server start -h 0.0.0.0

When password authentication is enabled and a Java security manager is installed, the security policy in use (here, jmx.policy) must grant a number of JMX-related permissions to the trusted users; operations for which the authenticated user lacks a permission are rejected by the agent.

In the example above, system properties specify the keystore containing the server's key pair, the keystore password, the truststore containing the client certificates, and the truststore password. Setting up SSL keystores and truststores is described in the section "Configuring SSL/TLS", which also explains how to protect database network traffic using SSL.

When you configure SSL as described above, the following requirements apply:

  • The password of the private key must be the same as the password of the keystore, because the default key manager unlocks the private key with the value of javax.net.ssl.keyStorePassword.
  • If the keystore contains more than one key pair, the key pair you want to use must be listed first among all the keys in the keystore. Otherwise the server presents a different certificate than the one your clients trust, and you (or the clients) may see an exception with a message like the following: unable to find valid certification path to requested target
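The two requirements above are easy to get wrong when a keystore is reused from another service. The following added check (example code, not part of Derby; the path and password default to the placeholders used in the command line above) opens a keystore the way the server will, and reports key entries whose private-key password differs from the store password, more than one key pair, and expired certificates:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/**
 * Added example: sanity-check a keystore before pointing
 * javax.net.ssl.keyStore at it. Usage: java JmxKeyStoreCheck [path] [storePassword]
 * Defaults are the placeholder values from the command line above (assumption).
 */
public class JmxKeyStoreCheck {

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "/home/user/.keystore";
        char[] storePass = (args.length > 1 ? args[1] : "myKeyStorePassword").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);   // throws if the store password itself is wrong
        }

        List<String> aliases = Collections.list(ks.aliases());
        int keyEntries = 0;
        for (String alias : aliases) {
            if (!ks.isKeyEntry(alias)) {
                continue;   // trusted-certificate entries are not a server identity
            }
            keyEntries++;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("key entry #%d '%s' subject=%s%n",
                    keyEntries, alias, cert.getSubjectX500Principal());

            // Requirement 1: the private key must open with the keystore password,
            // because that is the only password JSSE is given.
            try {
                ks.getKey(alias, storePass);
            } catch (UnrecoverableKeyException e) {
                System.out.printf("  PROBLEM: private key '%s' uses a different password "
                        + "than the keystore; the server cannot present it%n", alias);
            }

            // An expired server certificate also fails path validation on the client.
            try {
                cert.checkValidity();
            } catch (CertificateException e) {
                System.out.printf("  PROBLEM: certificate '%s' is not currently valid: %s%n",
                        alias, e.getMessage());
            }
        }

        if (keyEntries == 0) {
            System.out.println("PROBLEM: no key pair in the keystore; SSL cannot be enabled");
        } else if (keyEntries > 1) {
            // Requirement 2: only the first key pair is used by the server.
            System.out.println("NOTE: several key pairs present; the server uses the one "
                    + "listed first, so make sure that is the certificate your clients trust");
        }
    }
}
```

Run it with the same keystore path and password that you pass to the server; if it reports a problem, fix the keystore before starting the Network Server, since the failure will otherwise show up only as a handshake error on the client side.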

The system property com.sun.management.jmxremote.ssl.need.client.auth=true specifies that clients must authenticate themselves during the SSL handshake by presenting a certificate that the server's truststore trusts. This property, as well as the truststore properties, may be removed if you do not want to authenticate clients using SSL. However, password authentication alone then stands between the network and the MBean server, so its security depends entirely on the secrecy and strength of the passwords in jmxremote.password.

The system property com.sun.management.jmxremote.registry.ssl=true protects the RMI registry used in relation with JMX; without it, the registry lookup that hands the client its connector stub takes place over an unencrypted, unauthenticated RMI connection even when the JMX connection itself uses SSL. This property must be used in conjunction with com.sun.management.jmxremote.ssl.need.client.auth=true in order to fully secure the RMI registry.

Clients must also specify and use proper keystores and/or truststores: the client's truststore must contain the server's SSL certificate, and when client authentication is required, the client's keystore must contain the key pair whose certificate is in the server's truststore. Clients that look up the registry with registry.ssl enabled must also perform that lookup over SSL.
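The following added client (example code, not part of Derby) shows what the client side of the configuration above has to supply: password credentials for the JMX agent, its own key pair and truststore through the javax.net.ssl system properties, and an SSL socket factory for the JNDI registry lookup, which is what com.sun.management.jmxremote.registry.ssl=true demands. The host, port, role name and password on the command line are placeholders; the assumption that Derby registers its MBeans under the org.apache.derby domain is used only for the final query.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

/**
 * Added example client for the server configuration above (not Derby code).
 * Run with the client's own key pair and a truststore holding the server's
 * certificate, for example:
 *
 *   java -Djavax.net.ssl.keyStore=/home/user/client.keystore
 *        -Djavax.net.ssl.keyStorePassword=clientKeyStorePassword
 *        -Djavax.net.ssl.trustStore=/home/user/client.truststore
 *        -Djavax.net.ssl.trustStorePassword=clientTrustStorePassword
 *        SecureJmxClient derbyhost 9999 controlRole secret
 *
 * All paths, passwords, the host name and the role are placeholders.
 */
public class SecureJmxClient {

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String user = args[2];
        String password = args[3];

        // Standard JMX-over-RMI URL: the registry on host:port hands out the connector stub.
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");

        Map<String, Object> env = new HashMap<>();

        // Password authentication: the role must be listed in the server's
        // jmxremote.password file (and granted rights in jmxremote.access).
        env.put(JMXConnector.CREDENTIALS, new String[] { user, password });

        // Because the server sets com.sun.management.jmxremote.registry.ssl=true,
        // the JNDI lookup of the registry must itself use SSL. Without this entry
        // the client contacts the registry over plain RMI and the connect fails.
        // The socket factory reads the javax.net.ssl.* system properties, so the
        // client certificate required by need.client.auth=true is sent automatically.
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            System.out.println("connected as " + user
                    + "; MBeans visible: " + mbsc.getMBeanCount());
            // Assumption: Derby's MBeans live in the org.apache.derby domain.
            System.out.println("Derby MBeans: "
                    + mbsc.queryNames(new ObjectName("org.apache.derby:*"), null));
        }
    }
}
```

The same settings apply to jconsole: pass the javax.net.ssl.* properties with -J-D options and enter the role name and password in the connection dialog. If the server's certificate is missing from the client truststore, the failure surfaces during the SSL handshake with the same "unable to find valid certification path to requested target" message described above.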

For more information about the system properties used above and potential security risks, see "Monitoring and Management Using JMX Technology" at http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html .