You are viewing a plain text version of this content. The canonical link for it is here.

Posted to derby-dev@db.apache.org by Kathey Marsden <km...@sbcglobal.net> on 2008/04/23 19:23:09 UTC

Problem with MBean user/ password example on Wiki page (non-JRMP server at remote endpoint)

   
I am trying to follow the example to connect to the MBean server 
programatically with password, but have thus far not been able to get it 
to work.

I start my server like this:
java -Dcom.sun.management.jmxremote.port=9999  
-Dcom.sun.management.jmxremote.password.file=jmxremote.password 
-Djavax.net.ssl.keyStore=serverKeyStore.key 
-Djavax.net.ssl.keyStorePassword=derbym 
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true  
-Djavax.net.ssl.trustStore=serverTrustStore.key 
-Djavax.net.ssl.trustStorePassword=derbym 
-Dcom.sun.management.jmxremote.registry.ssl=true -Djava.security.manager 
-Dderby.install.url=file:/C:/kmarsden/projects/jmxtesting/db-derby-10.4.1.3-lib/lib/  
-Djava.security.policy=jmx.policy -jar lib/derbyrun.jar server start -h 
0.0.0.0

My program is just a cut and paste of the example pretty much.
import javax.management.*;
import javax.management.remote.*;
import java.util.HashMap;

public class MbeanProgramSSL {

public static void main(String[] args) throws Exception
{
    JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://localhost:9999/jmxrmi");
    // Assuming the following JMX credentials: username=controlRole, 
password=derby
    String[] credentials = new String[] { "controlRole" , "derby" };
    HashMap<String,Object> env = new HashMap<String,Object>();
    // Set credentials (jmx.remote.credentials, see JMX Remote API 1.0 
spec section 3.4)
    env.put(JMXConnector.CREDENTIALS, credentials);
    JMXConnector jmxc = JMXConnectorFactory.connect(url, env);
    MBeanServerConnection mbeanServerConn = jmxc.getMBeanServerConnection();

}

}

I run my program like:
java -Djavax.net.ssl.trustStore=clientTrustStore.key 
-Djavax.net.ssl.trustStorePassword=derbym 
-Djavax.net.ssl.keyStore=clientKeyStore.key 
-Djavax.net.ssl.keyStorePassword=derbym MbeanProgramSSL


The exception I get is:

Exception in thread "main" java.io.IOException: Failed to retrieve 
RMIServer stub: javax.naming.CommunicationException [
Root exception is java.rmi.ConnectIOException: non-JRMP server at remote 
endpoint]
        at 
javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:323)
        at 
javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
        at MbeanProgramSSL.main(MbeanProgramSSL.java:16)
Caused by: javax.naming.CommunicationException [Root exception is 
java.rmi.ConnectIOException: non-JRMP server at remote
 endpoint]
        at 
com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:101)
        at 
com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:185)
        at javax.naming.InitialContext.lookup(InitialContext.java:392)
        at 
javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1871)
        at 
javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1841)
        at 
javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:257)
        ... 2 more
Caused by: java.rmi.ConnectIOException: non-JRMP server at remote endpoint
        at 
sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:230)
        at 
sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
        at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:322)
        at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
        at 
com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:97)
        ... 7 more


I was able to connect with SSL user/password with JConsole but just 
can't seem to get it working programatically.  Any idea what I am doing 
wrong?

Kathey

Re: Problem with MBean user/ password example on Wiki page (non-JRMP server at remote endpoint)

Posted by John Embretsen <Jo...@Sun.COM>.

John Embretsen wrote:
> Kathey Marsden wrote:
>> John H. Embretsen wrote:
>>> Hmm, I don't see anything obviously wrong. If it works with JConsole
>>> and the exact same server configuration, it is certainly strange.
>>> Perhaps some of the troubleshooting tips (JMX logging, security debug
>>> traces) described on the wiki might reveal more hints? If you're using
>>> e.g. IBM's JVM that may have something to do with it as well.
>>>
>> For this part I am testing with the Sun JDK 1.6 just to remove that as a
>> variable.  Turning on logging, and running without security manager
>> seemed to have no effect.  I think I'll leave it alone for a while and
>> come back to it as I am pretty stuck.
> 
> For what it's worth, I am able to reproduce it using your command lines. So far
> it seems like it has to do with how the server is started/configured, and not
> the client. The strange thing is I have a script with (seemingly) the same
> options, only in slightly different order and using different classpath etc,
> which works with your client code. I'll try to take a closer look tomorrow.

OK, I have found the issue and corrected the wiki (I apologize for luring you
into this kind of trouble, Kathey). It turns out that the SSL protection of the
RMI registry (com.sun.management.jmxremote.registry.ssl=true) on the server side
requires the JMX client to explicitly specify an RMI client socket factory which
supports SSL, e.g. like this:

env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

Apparently, JConsole does this automatically or something, but I don't have the
details on that.

There was a bug in the script I used for testing this particular scenario, which
resulted in my using a different JVM version than I thought I was using. With
(JVM) 1.5 that specific property is not supported, and it is apparently just
ignored - hence no changes are required on the client side. With JDK 6 it is
another deal, as you have noticed. Not sure if JVMs from other vendors behave
the same way or even support this kind of SSL protection out of the box.

I wasn't able to find much information about this in official documentation, but
these blog entries lead me to a solution:

http://blogs.sun.com/lmalventosa/entry/secure_management_agent
http://blogs.sun.com/lmalventosa/entry/using_the_ssl_tls_based1

Again, thanks for trying out this stuff!

-- 
John

Re: Problem with MBean user/ password example on Wiki page (non-JRMP server at remote endpoint)

Posted by John Embretsen <Jo...@Sun.COM>.

Kathey Marsden wrote:
> John H. Embretsen wrote:
>> Hmm, I don't see anything obviously wrong. If it works with JConsole
>> and the exact same server configuration, it is certainly strange.
>> Perhaps some of the troubleshooting tips (JMX logging, security debug
>> traces) described on the wiki might reveal more hints? If you're using
>> e.g. IBM's JVM that may have something to do with it as well.
>>
> For this part I am testing with the Sun JDK 1.6 just to remove that as a
> variable.  Turning on logging, and running without security manager
> seemed to have no effect.  I think I'll leave it alone for a while and
> come back to it as I am pretty stuck.

For what it's worth, I am able to reproduce it using your command lines. So far
it seems like it has to do with how the server is started/configured, and not
the client. The strange thing is I have a script with (seemingly) the same
options, only in slightly different order and using different classpath etc,
which works with your client code. I'll try to take a closer look tomorrow.

-- 
John

Re: Problem with MBean user/ password example on Wiki page (non-JRMP server at remote endpoint)

Posted by Kathey Marsden <km...@sbcglobal.net>.

John H. Embretsen wrote:
> Hmm, I don't see anything obviously wrong. If it works with JConsole 
> and the exact same server configuration, it is certainly strange. 
> Perhaps some of the troubleshooting tips (JMX logging, security debug 
> traces) described on the wiki might reveal more hints? If you're using 
> e.g. IBM's JVM that may have something to do with it as well.
>
For this part I am testing with the Sun JDK 1.6 just to remove that as a 
variable.  Turning on logging, and running without security manager 
seemed to have no effect.  I think I'll leave it alone for a while and 
come back to it as I am pretty stuck.

Kathey

Re: Problem with MBean user/ password example on Wiki page (non-JRMP server at remote endpoint)

Posted by "John H. Embretsen" <Jo...@Sun.COM>.

Kathey Marsden wrote:
>   I am trying to follow the example to connect to the MBean server 
> programatically with password, but have thus far not been able to get it 
> to work.
> 
[snip]
> I run my program like:
> java -Djavax.net.ssl.trustStore=clientTrustStore.key 
> -Djavax.net.ssl.trustStorePassword=derbym 
> -Djavax.net.ssl.keyStore=clientKeyStore.key 
> -Djavax.net.ssl.keyStorePassword=derbym MbeanProgramSSL
> 
> 
> The exception I get is:
> 
> Exception in thread "main" java.io.IOException: Failed to retrieve 
> RMIServer stub: javax.naming.CommunicationException [
> Root exception is java.rmi.ConnectIOException: non-JRMP server at remote 
> endpoint]
[snip]
> I was able to connect with SSL user/password with JConsole but just 
> can't seem to get it working programatically.  Any idea what I am doing 
> wrong?

Hmm, I don't see anything obviously wrong. If it works with JConsole and 
the exact same server configuration, it is certainly strange. Perhaps 
some of the troubleshooting tips (JMX logging, security debug traces) 
described on the wiki might reveal more hints? If you're using e.g. 
IBM's JVM that may have something to do with it as well.

Sorry for not being able to help more...

-- 
John