Monday Feb 28, 2011

Connecting securely to GlassFish via JMX

If you are here, you are probably familiar with GlassFish as well as JMX. This blog is about enabling JMX clients to connect securely to GlassFish.

GlassFish has a JMX connector listening on port 8686 by default, which serves requests made to the MBeanServer by JMX clients. The protocol is typically RMI (JRMP) or JMXMP. A user can connect to this port with a custom JMX client or a tool like jconsole to view the MBeans exposed by GlassFish and to manage or monitor the server through them. Out of the box this connector is plaintext: credentials and management traffic cross the network unencrypted.

If the server is used in production, it makes a lot of sense to connect over SSL/TLS. This blog describes the steps to do that. If you want to know more about how secure JMX connections are made using RMI and SSL, please refer to the very informative blogs from Luis-Miguel and Daniel Fuchs. Here are the steps for enabling a secure JMX connection to GlassFish.

GlassFish by default has a JMX connector which listens on port 8686. It is named "system". The domain.xml has an element under admin-service which looks like this:


<admin-service type="das-and-server" system-jmx-connector-name="system">
   <jmx-connector name="system" auth-realm-name="admin-realm" address="0.0.0.0" port="8686">
   </jmx-connector>
</admin-service>

To enable secure connections, we need to set an attribute named "security-enabled" to true and add an "ssl" configuration element as a child of the jmx-connector element. This can be done either via the Admin Console or via the Admin CLI (asadmin). The next steps use the Admin CLI.

Enabling Security for the JMX Connector

The following command sets the security-enabled attribute of the jmx-connector named "system" to true, so the connector will use TLS according to the ssl configuration we set in the next step.

asadmin set configs.config.server-config.admin-service.jmx-connector.system.security-enabled=true

The next step is to configure the secure socket that the JMX connector will create. We do this by adding an ssl element to domain.xml, which can also be done with the Admin CLI. The following command adds an ssl element as a child of the jmx-connector element with the default configuration:

asadmin create-ssl --type jmx-connector --certname s1as system

This command creates an ssl element for the jmx-connector named "system" using the certificate alias "s1as", the server certificate in the domain's keystore. The domain.xml looks like this after running the above commands:


<admin-service system-jmx-connector-name="system" type="das-and-server">
   <jmx-connector port="8686" address="0.0.0.0" auth-realm-name="admin-realm" name="system" security-enabled="true">
      <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"> </ssl>
   </jmx-connector>
</admin-service>


The JMX connector in GlassFish is now TLS-enabled. We need to restart the domain/instance/cluster for this to take effect. Note that TLS only protects the connection itself; authentication is still performed against the realm named in auth-realm-name (admin-realm here), so the admin credentials are still required to connect.
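As an added example (this is not code from the original post or from GlassFish), the following POSIX shell script audits a domain.xml for the two settings described above, security-enabled="true" and an ssl child on the "system" jmx-connector, and prints the two asadmin commands from the post when either is missing. It is a sed/awk-style check rather than an XML parser, so it assumes the one-line-per-element layout asadmin writes; the sample fragments it creates are constructed copies of the before and after states shown above, and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit a GlassFish domain.xml for
# the "system" JMX connector and report whether TLS is enabled on it.
# Assumes the layout asadmin writes (the <jmx-connector> open tag and its
# attributes on one line, as in the fragments above). Paths are placeholders.

# Print the <jmx-connector name="system"> element, open tag through close tag.
jmx_connector_block() {
    awk '
        /<jmx-connector[ \t>]/ && /name="system"/ { p = 1 }
        p { print }
        p && /<\/jmx-connector>/      { p = 0 }
        p && /<jmx-connector[^>]*\/>/ { p = 0 }
    ' "$1"
}

# Return 0 when the connector has security-enabled="true" and an <ssl> child,
# 1 when either is missing, 2 when no such connector exists in the file.
jmx_tls_status() {
    block=$(jmx_connector_block "$1")
    if [ -z "$block" ]; then
        echo "no jmx-connector named \"system\" in $1"
        return 2
    fi
    rc=0
    case "$block" in
        *'security-enabled="true"'*) ;;
        *) echo "MISSING: security-enabled=\"true\" (connector is plaintext RMI)"; rc=1 ;;
    esac
    case "$block" in
        *'<ssl'*) ;;
        *) echo "MISSING: <ssl> child (no certificate configured for the connector)"; rc=1 ;;
    esac
    case "$block" in
        *'address="0.0.0.0"'*) echo "NOTE: address=\"0.0.0.0\" listens on every interface" ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: TLS is enabled on the system jmx-connector"
    return $rc
}

# The two asadmin commands from the post that fix a plaintext connector.
remediation_commands() {
    cat <<'EOF'
asadmin set configs.config.server-config.admin-service.jmx-connector.system.security-enabled=true
asadmin create-ssl --type jmx-connector --certname s1as system
EOF
}

# Constructed sample fragments: the connector before and after the two commands.
write_samples() {
    cat >"$1/insecure.xml" <<'EOF'
<admin-service type="das-and-server" system-jmx-connector-name="system">
   <jmx-connector name="system" auth-realm-name="admin-realm" address="0.0.0.0" port="8686">
   </jmx-connector>
</admin-service>
EOF
    cat >"$1/secure.xml" <<'EOF'
<admin-service system-jmx-connector-name="system" type="das-and-server">
   <jmx-connector port="8686" address="0.0.0.0" auth-realm-name="admin-realm" name="system" security-enabled="true">
      <ssl classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"> </ssl>
   </jmx-connector>
</admin-service>
EOF
}

# Usage: sh audit_jmx.sh /path/to/domains/domain1/config/domain.xml
if [ -n "$1" ]; then
    jmx_tls_status "$1" || remediation_commands
fi
```

Run it against the real domain.xml after the restart; a non-zero exit with the two commands echoed means the connector is still plaintext. The address note is informational: the connector is bound to every interface by default, which is worth tightening on a multi-homed production host.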

Connecting to the secure JMX Connector

The next part is to connect to this secure connector via a JMX client or jconsole. There are two main steps here:
1. Write a JMX client that can do an SSL handshake with the JMX connector (if you need one)
2. Pass the credentials and the truststore to this client when connecting

To keep things simple, let's use jconsole as the client here. That takes care of #1.

The next step is to get the certificate named s1as from GlassFish. A simple way to do this is to connect to the admin server securely, save the certificate it sends, and then use the saved certificate as the truststore when connecting to the secure JMX connector. The steps are listed below:

First, ensure that secure admin is enabled:

asadmin enable-secure-admin

Restart the domain/server after running this command.

Next, run any asadmin command over the secure channel:

asadmin --secure=true list-modules

The server then sends its certificate (s1as), which is printed on the console like this:


[
[
Version: V3
Subject: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits
modulus: 97954156793835138341680996103344678953674748997532211467359834975421400284125563262970337639362640745885555344627684588129109590370462160481207032557865487946908660504438107241154897539418460620522517212201504303859663985429597210945869016648453192769222604701698012686618738746521485767623901158049620124549
public exponent: 65537
Validity: [From: Sat Feb 05 21:12:59 IST 2011,
To: Tue Feb 02 21:12:59 IST 2021]
Issuer: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
SerialNumber: [ 4d4d7003]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D4 50 B1 4E 23 06 45 6E CA 26 28 C8 FB 73 5F 1C .P.N#.En.&(..s_.
0010: 01 A4 11 74 ...t
]
]

]
Algorithm: [SHA1withRSA]
Signature:
0000: 34 1D ED C0 66 56 EB 7A F0 A6 15 E9 CE 95 C1 DB 4...fV.z........
0010: 5D F6 13 E9 57 CB 92 63 7A 50 98 C6 CB 1F 35 BF ]...W..czP....5.
0020: 5A 0F 77 C7 E8 0C CC EF 3C B8 D8 51 E5 64 9A 63 Z.w.....<..Q.d.c
0030: 2B 02 AF C9 66 7C 5B 50 80 E9 1C 40 53 92 7E BF +...f.[P...@S...
0040: 8D F8 9E E2 7D EB 23 E7 AE 8B 74 1E 42 7F 1B B5 ......#...t.B...
0050: 3A 31 8E 9B 2C 87 06 BB 7B CA 6B 83 D3 D5 C1 74 :1..,.....k....t
0060: F9 3C AA 93 18 DB B8 17 E4 AA 75 8D D1 F8 C0 08 .<........u.....
0070: 45 95 70 F0 D5 0A 01 9A ED EA BB 52 DB 1B ED 30 E.p........R...0

]
Do you trust the above certificate [y|N] -->

Answer "y" and this certificate is stored in a file named .asadmintruststore in your home directory.
Now we have the server certificate in ${HOME}/.asadmintruststore and can use it as the truststore when connecting to the JMX connector with a client like jconsole.

Two things are worth noticing in the dump above before answering "y". First, this is trust on first use: asadmin shows you whatever certificate arrived on the wire, so check it against the s1as entry in the server's own keystore (for example with keytool -list -v on the server host) rather than accepting it blindly. Second, the default s1as certificate is self-signed (Issuer and Subject are identical) for CN=localhost, with a 1024-bit RSA key and a SHA1withRSA signature; for a production domain replace it with a certificate issued for the server's real host name.

jconsole -J-Djavax.net.ssl.trustStore=${HOME}/.asadmintruststore

This brings up jconsole, which asks for the JMX URL or the host/port of the GlassFish installation. You also need to provide the admin username and password to connect. Assuming authentication succeeds, you are now connected securely to the GlassFish MBeanServer at the host/port you provided.
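The certificate step above accepts whatever arrived on the wire, so here is an added example (not from the original post) of the check a practitioner would run before pointing jconsole at the saved truststore: dump the s1as entry from the server keystore and the entry in ~/.asadmintruststore with keytool -list -v and compare their fingerprints. The fingerprint parsing is tested on constructed keytool output with made-up fingerprint values; the keystore path domains/domain1/config/keystore.jks, the password "changeit" and the truststore password are assumptions (environment variables) and not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the certificate asadmin
# stored in ~/.asadmintruststore after the "y" answer is really the server's s1as
# certificate, by comparing keytool fingerprints with the server keystore.
# The keystore dump must come from the server host itself (out of band), or the
# comparison proves nothing.
# Assumptions (placeholders, not from the post): $KEYSTORE points at the domain
# keystore, e.g. domains/domain1/config/keystore.jks; $KEYSTORE_PASS and
# $TRUSTSTORE_PASS default to "changeit".

# Read `keytool -list -v` text on stdin; print "ALG FINGERPRINT" per fingerprint
# line, upper-cased so that dumps from different JDKs compare equal.
fingerprints() {
    awk '/^[ \t]*(SHA1|SHA-1|SHA256|SHA-256)[ \t]*:/ {
            alg = $1; sub(/:$/, "", alg); gsub(/-/, "", alg)
            print toupper(alg) " " toupper($NF)
         }'
}

# $1 = keytool dump of the server keystore entry, $2 = dump of the saved truststore.
# Return 0 and print the shared fingerprint(s) when they match; 1 otherwise.
same_certificate() {
    server=$(printf '%s\n' "$1" | fingerprints | sort -u)
    saved=$(printf '%s\n' "$2" | fingerprints | sort -u)
    [ -n "$server" ] && [ -n "$saved" ] || return 1
    matched=$(
        printf '%s\n' "$server" | while IFS= read -r line; do
            if printf '%s\n' "$saved" | grep -Fxq -- "$line"; then
                echo "$line"
            fi
        done
    )
    [ -n "$matched" ] || return 1
    printf '%s\n' "$matched"
}

# Run the real comparison on the server host (keytool must be on PATH).
verify_saved_truststore() {
    server=$(keytool -list -v -keystore "$KEYSTORE" -alias s1as \
                     -storepass "${KEYSTORE_PASS:-changeit}")
    saved=$(keytool -list -v -keystore "$HOME/.asadmintruststore" \
                    -storepass "${TRUSTSTORE_PASS:-changeit}")
    if same_certificate "$server" "$saved"; then
        echo "OK: ~/.asadmintruststore holds the server's s1as certificate"
    else
        echo "MISMATCH: do not use this truststore; delete it and redo the asadmin step" >&2
        return 1
    fi
}

# Constructed sample dumps; the fingerprint values are made up for the example.
SERVER_DUMP='Alias name: s1as
Owner: CN=localhost, OU=GlassFish, O=Oracle Corporation, L=Santa Clara, ST=California, C=US
Certificate fingerprints:
     SHA1: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
     SHA256: 0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F:20:21:22:23:24:25:26:27:28:29
Signature algorithm name: SHA1withRSA'
# An older JDK prints only SHA1, in lower case, for the saved copy.
SAVED_DUMP='Alias name: glassfish-instance
Certificate fingerprints:
     SHA1: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44'
# A different certificate (what a man-in-the-middle would have sent).
OTHER_DUMP='Certificate fingerprints:
     SHA1: DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF
     SHA256: FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# Usage: KEYSTORE=domains/domain1/config/keystore.jks sh verify_s1as.sh
if [ -n "$KEYSTORE" ]; then
    verify_saved_truststore
fi
```

Only a match on the same algorithm and value counts; a truststore that contains the attacker's certificate would fail this check even though the asadmin prompt and the jconsole connection would both have succeeded.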

There are a few more topics that could be covered, namely:
• Can I see all the MBeans in the domain from the DAS? (Yes, you can.)
• How do I write my own JMX client that connects securely to the JMX connector on GlassFish?

For details, watch this space.

About

prasads