- Using a Java security manager and a custom policy file, jmx.policy
- Allowing connections from remote hosts (that is, on all IPv4 network interfaces) by specifying -h 0.0.0.0
- Using password authentication, as described in
, using the jmxremote.password file
- Using SSL (Secure Socket Layer) for the following:
  - Authenticating clients
  - Encrypting all JMX-related network communication
  - Protecting the RMI registry used by the MBean server
This level of protection may or may not be adequate for you, but it is more
secure than the previous examples.
The command line appears on multiple lines to improve readability, but you
would enter it as a single java command.
```shell
java -Dcom.sun.management.jmxremote.port=9999
     -Dcom.sun.management.jmxremote.password.file=jmxremote.password
     -Djavax.net.ssl.keyStore=/home/user/.keystore
     -Djavax.net.ssl.keyStorePassword=myKeyStorePassword
     -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
     -Djavax.net.ssl.trustStore=/home/user/.truststore
     -Djavax.net.ssl.trustStorePassword=myTrustStorePassword
     -Dcom.sun.management.jmxremote.registry.ssl=true
     -Djava.security.manager
     -Djava.security.policy=jmx.policy
     -jar lib/derbyrun.jar server start -h 0.0.0.0
```
When password authentication is enabled and a Java Security Manager is
installed, a number of JMX-related permissions need to be granted to trusted
users in the security policy used. See
for
details.
In the example above, system properties specify the keystore containing the
server's key pair, the keystore password, the truststore containing the client
certificates, and the truststore password. Setting up SSL keystores and
truststores is described in the section "Configuring SSL/TLS" in the
, along with more information
on protecting database network traffic using SSL.
When you configure SSL as described above, the following requirements apply:
- The password of the private key must be the same as the password of the keystore.
- If the keystore contains more than one key pair, the key pair you want to use must be listed first among all the keys in the keystore. Otherwise, you (or the clients) may see an exception with a message like the following:
  unable to find valid certification path to requested target
The system property com.sun.management.jmxremote.ssl.need.client.auth=true specifies that clients must use SSL to authenticate themselves. This property, as well as the truststore properties, may be removed if you do not want to authenticate clients using SSL. However, there may be security risks associated with using password authentication only.
The system property com.sun.management.jmxremote.registry.ssl=true addresses security issues with the RMI registry that JMX uses. This property must be used in conjunction with com.sun.management.jmxremote.ssl.need.client.auth=true in order to fully secure the RMI registry.
Clients must also specify and use proper keystores and/or truststores (the
truststores must contain the server's SSL certificate).
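The following client, added here as an example and not part of the Derby documentation or code base, connects to a server started as shown above: it presents its own certificate for SSL client authentication, supplies the user name and password registered in jmxremote.password, and uses an SSL socket factory for the registry lookup because the server set registry.ssl=true. The host name, keystore and truststore paths, passwords and the user/password pair are assumed placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

public class SecureJmxClient {
    public static void main(String[] args) throws Exception {
        // Client keystore with the client's own key pair; the server's truststore
        // must contain this certificate for need.client.auth=true to succeed.
        // (Paths and passwords are assumed placeholders.)
        System.setProperty("javax.net.ssl.keyStore", "/home/user/.clientkeystore");
        System.setProperty("javax.net.ssl.keyStorePassword", "myClientKeyStorePassword");
        // Client truststore containing the server's SSL certificate
        System.setProperty("javax.net.ssl.trustStore", "/home/user/.clienttruststore");
        System.setProperty("javax.net.ssl.trustStorePassword", "myClientTrustStorePassword");

        // Assumed host name; port 9999 matches com.sun.management.jmxremote.port above
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://dbhost.example:9999/jmxrmi");

        Map<String, Object> env = new HashMap<>();
        // Password authentication: a user/password pair from jmxremote.password (assumed values)
        env.put(JMXConnector.CREDENTIALS, new String[] {"monitorRole", "monitorPassword"});
        // registry.ssl=true on the server: the JNDI/RMI registry lookup itself must use SSL,
        // otherwise the connection fails before password authentication is even attempted
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            // List the Derby MBeans this authenticated user is permitted to see
            Set<ObjectName> derbyBeans = mbsc.queryNames(new ObjectName("org.apache.derby:*"), null);
            System.out.println("Derby MBeans visible to this user: " + derbyBeans.size());
            for (ObjectName name : derbyBeans) {
                System.out.println("  " + name);
            }
        }
    }
}
```

A handshake failure here (rather than a SecurityException) usually points at the keystore requirements listed above, such as the wrong key pair listed first or a missing certificate in one of the truststores.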
For more information about the system properties used above and potential security risks, see "Monitoring and Management Using JMX Technology" at http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html.