Posted to user@karaf.apache.org by ashonline <as...@mac.com> on 2017/06/07 08:33:06 UTC

Encrypted JMX Connection

Hi,

I have a two-part question, related to monitoring the Karaf container via
JMX. We are using ServiceMix 7.0.0 that includes Karaf 4.0.8 in its
distribution.

Firstly, we have a requirement to encrypt JMX connections and I'm struggling
to find documentation that walks us through this. The Karaf manual did
provide some information, which was to fill in properties in the
org.apache.karaf.management.cfg file, such as "keyStore=my_keystore".

However this seemed to be only half the story as it seems that the keyStore
value is not the path to the keystore file, but a reference to a keystore
entity as configured using a keystore.xml file. The curious thing is that
this was not mentioned in the Karaf manual and we only came across these
instructions by looking at some Fuse documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.1/html/Security_Guide/FMQSecurityJmxSSL.html.

Unfortunately we still ended up with an error when following the Fuse guide:
"Can't re-init JMXConnectorServer with SSL enabled when register a
keystore:connector:name=rmi" and were unable to connect from jconsole.

*So we're not confident that we're on the right track. Can somebody confirm
this?*

Secondly, assuming that creating the keystore.xml descriptor file is the
right way to go, it seems that it requires the credentials for the keystore,
and the alias of the private key contained within, to be specified in plain
text. Attempts to specify "{CRYPT}" tags didn't appear to work.

*Does the keystore descriptor file support jasypt integration, and we just
need to try harder to get it to work?*

Any help greatly appreciated!

- Ash



--
View this message in context: http://karaf.922171.n3.nabble.com/Encrypted-JMX-Connection-tp4050593.html
Sent from the Karaf - User mailing list archive at Nabble.com.

Re: Encrypted JMX Connection

Posted by ashonline <as...@mac.com>.
Just a quick update for anyone else struggling: it appears that the linked
Fuse documentation is essential in configuring Karaf for encrypted JMX
communications. Also since the keystore.xml file referenced in that
documentation is just an ordinary blueprint file, then jasypt encrypted
passwords can also be configured as a consequence.

Also it turned out that we had been successful in configuring ServiceMix,
but we had neglected to ensure that the connecting jconsole Java truststore
was updated to trust the certificate used by ServiceMix in the encryption
process. So that's one pitfall to look out for, since jconsole doesn't
provide particularly helpful troubleshooting output in this regard.



--
View this message in context: http://karaf.922171.n3.nabble.com/Encrypted-JMX-Connection-tp4050593p4050673.html
Sent from the Karaf - User mailing list archive at Nabble.com.
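
The truststore pitfall described in the follow-up can be made visible with a small client that opens the same JMX connection jconsole would, using the same javax.net.ssl.trustStore system properties, and prints the whole exception cause chain. This is an added example, not code from the original posts or from the Karaf or ServiceMix projects; the class name JmxTlsCheck and the JMX_USER / JMX_PASSWORD environment variable names are assumptions, and the service URL is whatever your container exposes.

```java
import java.security.cert.CertificateException;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

// Added example (hypothetical class name): diagnose a TLS-protected JMX connection.
public class JmxTlsCheck {
    // Print every link of the cause chain; true if the server certificate was rejected.
    static boolean certRejected(Throwable e) {
        boolean rejected = false;
        for (Throwable t = e; t != null; t = t.getCause()) {
            System.err.println("  caused by " + t.getClass().getName() + ": " + t.getMessage());
            rejected |= t instanceof CertificateException; // e.g. "PKIX path building failed"
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java -Djavax.net.ssl.trustStore=<file> "
                + "-Djavax.net.ssl.trustStorePassword=<pw> JmxTlsCheck <service-url>");
            System.exit(2);
        }
        System.out.println("trustStore: "
            + System.getProperty("javax.net.ssl.trustStore", "(JRE default cacerts)"));
        // Hypothetical variable names; keeps the password off the command line.
        String user = System.getenv("JMX_USER"), pass = System.getenv("JMX_PASSWORD");
        JMXServiceURL url = new JMXServiceURL(args[0]);
        // Assumption: the RMI registry may or may not be TLS-protected, so try both.
        for (boolean sslRegistry : new boolean[] { true, false }) {
            Map<String, Object> env = new HashMap<>();
            if (sslRegistry) env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
            if (user != null) env.put(JMXConnector.CREDENTIALS, new String[] { user, pass });
            System.out.println("attempt, TLS registry lookup = " + sslRegistry);
            try (JMXConnector c = JMXConnectorFactory.connect(url, env)) {
                System.out.println("OK: " + c.getMBeanServerConnection().getMBeanCount() + " MBeans visible");
                return;
            } catch (Exception e) {
                if (certRejected(e)) {
                    System.err.println("  -> the truststore printed above does not trust the "
                        + "server certificate; import it or its issuing CA");
                }
            }
        }
        System.exit(1);
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword values you pass to jconsole (there via -J-D...), so a certificate rejection shows up as a named exception rather than a generic connection failure.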