eclipse-ee4j / openmq

OpenMQ
https://projects.eclipse.org/projects/ee4j.openmq/

Embedded broker JMX support using GlassFish server secured RMI Registry #326

Open glassfishrobot opened 11 years ago

glassfishrobot commented 11 years ago

GF supports starting a secured RMI Registry for JMX. In that case the EMBEDDED broker can reuse it instead of starting its own, to avoid opening an extra port.

glassfishrobot commented 11 years ago

@glassfishrobot Commented Reported by liang.x.zhao

glassfishrobot commented 10 years ago

@glassfishrobot Commented liang.x.zhao said: The steps to enable secure jmx connector in GF:

asadmin set configs.config.server-config.admin-service.jmx-connector.system.security-enabled=true
asadmin change-admin-password (respond to the prompts)
asadmin enable-secure-admin
asadmin restart-domain (as prompted in the output from enable-secure-admin)
asadmin list-jms-resources (users first need to run any asadmin command that contacts the DAS which now has secure admin enabled. This caches the DAS cert in the local GlassFish truststore (in the ~/.gfclient/truststore file).)

jconsole -J-Djavax.net.ssl.trustStore=${HOME}/.gfclient/truststore (Use Remote Process with URL "localhost:8686", and the admin username/password).

You can refer to GLASSFISH-20671 for more details.

glassfishrobot commented 10 years ago

@glassfishrobot Commented @amykang2020 said: Added JMX support from broker to use the GlassFish server secure RMI registry port. Custom JMX clients can do the following to connect to the ssljmxrmi service of a JMSRA managed broker that uses the GlassFish server secure RMI registry:

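// credentials is a String[] { adminUser, adminPassword }; env is the JMX connection environment
final Map<String, Object> env = new HashMap<String, Object>();
env.put(JMXConnector.CREDENTIALS, credentials);
// the secured RMI registry needs an SSL socket factory for the JNDI lookup of the connector stub
env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
final JMXServiceURL jmxURL = new JMXServiceURL(jmxServiceURL);
final JMXConnector jmxConnector = JMXConnectorFactory.connect(jmxURL, env);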

where jmxServiceURL is the JMX service URL for broker ssljmxrmi service which can be obtained either from the broker log on startup or by getJMXServiceURL() method from com.sun.messaging.AdminConnectionConfiguration

1. Before starting the broker, run imqkeytool to set up the keystore so that the broker ssljmx service can use it.

2. JMSRA needs to pass the following to the broker in order to have the broker use the GlassFish secure RMI registry port:

   -useRmiRegistry
   -rmiRegistryPort
   -Dimq.jmx.connector.activelist=ssljmxrmi <== This turns off broker jmxrmi service and enables ssljmxrmi service

   as well as imq.keystore.password

3. The JMX application client user needs to do the following:

   a) Using Java keytool, import the broker's certificate to $HOME/.gfclient/truststore
   b) Run the JMX application client with Java system property -Djavax.net.ssl.trustStore=${HOME}/.gfclient/truststore

Because of a jconsole bug mentioned in GLASSFISH-20671, jconsole cannot be used to access broker mbeans when the broker uses the GlassFish server secure RMI registry. Therefore, David, the GlassFish JMS module should not make this a default; instead, only turn it on when the user wants it.
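
The client side of the steps above as a complete program. This is an added example, not part of the original comment and not OpenMQ or GlassFish code. The class name SecureBrokerJmxClient, the command-line arguments and the truststore guard are assumptions of the example; the JMX service URL is the one copied from the broker log.

```java
import java.io.Console;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

// Hypothetical client class (not part of OpenMQ or GlassFish). Run as:
//   java -Djavax.net.ssl.trustStore=$HOME/.gfclient/truststore SecureBrokerJmxClient <jmxServiceURL> <adminUser>
public class SecureBrokerJmxClient {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: SecureBrokerJmxClient <jmxServiceURL> <adminUser>");
            System.exit(2);
        }
        // Guard chosen for this example: require the truststore from step 3 so a
        // handshake failure is not mistaken for a broker or credential problem.
        String trustStore = System.getProperty("javax.net.ssl.trustStore");
        if (trustStore == null || !Files.isReadable(Paths.get(trustStore))) {
            System.err.println("javax.net.ssl.trustStore is unset or unreadable: " + trustStore);
            System.exit(2);
        }
        Console console = System.console();
        char[] password = console == null ? null : console.readPassword("Password for %s: ", args[1]);
        if (password == null) {
            System.err.println("no console available to read the password");
            System.exit(2);
        }
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { args[1], new String(password) });
        // The registry itself is SSL-protected, so the stub lookup needs an SSL socket factory.
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
        // try-with-resources closes the connector even if a call below throws.
        try (JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(args[0]), env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            System.out.println("MBean count: " + mbsc.getMBeanCount());
            for (String domain : mbsc.getDomains()) {
                System.out.println("domain: " + domain);
            }
        } finally {
            Arrays.fill(password, '\0'); // the String copy in env cannot be wiped
        }
    }
}
```

Reading the password from the console keeps it out of the process arguments and shell history.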

glassfishrobot commented 11 years ago

@glassfishrobot Commented Issue-Links: blocks GLASSFISH-20707 GLASSFISH-20714

glassfishrobot commented 7 years ago

@glassfishrobot Commented This issue was imported from java.net JIRA MQ-326