You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/01/20 21:33:46 UTC

[Bug 56039] New: JmxRemoteLifecycleListener does not work with SSL

https://issues.apache.org/bugzilla/show_bug.cgi?id=56039

            Bug ID: 56039
           Summary: JmxRemoteLifecycleListener does not work with SSL
           Product: Tomcat 7
           Version: 7.0.50
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: esengstrom@gmail.com

Created attachment 31242
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31242&action=edit
Patch against http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk

Using JmxRemoteLifecycleListener with SSL results in the following error on
startup:

Jan 16, 2014 4:34:20 PM org.apache.catalina.mbeans.JmxRemoteLifecycleListener
createServer
SEVERE: The JMX connector server could not be created or failed to start for
the Platform server
java.io.IOException: Cannot bind to URL [rmi://localhost:1900/jmxrmi]:
javax.naming.CommunicationException [Root exception is
java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
        at
javax.management.remote.rmi.RMIConnectorServer.newIOException(Unknown Source)
        at javax.management.remote.rmi.RMIConnectorServer.start(Unknown Source)
        at
org.apache.catalina.mbeans.JmxRemoteLifecycleListener.createServer(JmxRemoteLifecycleListener.java:304)
        at
org.apache.catalina.mbeans.JmxRemoteLifecycleListener.lifecycleEvent(JmxRemoteLifecycleListener.java:258)
        at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
        at
org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:347)
        at
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:725)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:691)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:322)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at
org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:243)
Caused by: javax.naming.CommunicationException [Root exception is
java.rmi.ConnectIOException: non-JRMP server at remote endpoint]
        at com.sun.jndi.rmi.registry.RegistryContext.bind(Unknown Source)
        at com.sun.jndi.toolkit.url.GenericURLContext.bind(Unknown Source)
        at javax.naming.InitialContext.bind(Unknown Source)
        at javax.management.remote.rmi.RMIConnectorServer.bind(Unknown Source)
        ... 20 more
Caused by: java.rmi.ConnectIOException: non-JRMP server at remote endpoint
        at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
        at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
        at sun.rmi.server.UnicastRef.newCall(Unknown Source)
        at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
        ... 24 more


The relevant configuration from server.xml:

<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
rmiRegistryPortPlatform="1900" rmiServerPortPlatform="11900" />

and java properties:

-Djavax.net.ssl.keyStore=$KEYSTORE -Djavax.net.ssl.keyStorePassword=$KEY_PASS
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.trustStore=$TRUSTSTORE
-Djavax.net.ssl.trustStorePassword=$TRUST_PASS
-Dcom.sun.management.jmxremote.registry.ssl=true -Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.rmi.server.hostname=$HOST_IP -Dcom.sun.management.jmxremote.ssl=true

If com.sun.management.jmxremote.ssl is changed to false everything works as
expected except without SSL.

Looking at the source code, I there is a property missing from the environment:

 env.put("com.sun.jndi.rmi.factory.socket", csf);

Adding this to JmxRemoteLifecycleListener allows SSL to work properly.

Patch attatched.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 56039] JmxRemoteLifecycleListener does not work with SSL

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56039

esengstrom@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |esengstrom@gmail.com

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 56039] JmxRemoteLifecycleListener does not work with SSL

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56039

Ravi Sanwal <rs...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rsanwal@gmail.com

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 56039] JmxRemoteLifecycleListener does not work with SSL

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=56039

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the report and the patch. The patch has been applied to 8.0.x for
8.0.0 onwards and to 7.0.x for 7.0.51 onwards.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org