
In the previous article I mentioned that JMX connections in a production environment should be made over SSL. This article shows how to set that up.

Background

Let’s first look at what a Java client program does when it creates an SSL connection:

  1. When a Java client makes an SSL connection, it fetches the server’s certificate and verifies it against a TrustStore. If the certificate is missing, has expired, or was not issued by a trusted CA, the server is considered untrusted and the connection fails.
  2. If no TrustStore is specified when the program starts (via the system property javax.net.ssl.trustStore), the default $JAVA_HOME/jre/lib/security/cacerts is used. If one is specified, verification uses the specified trustStore together with cacerts.
  3. cacerts holds the CA certificates (containing the public keys) that the JDK trusts; the well-known public CAs are already in it. You can list them with keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts (just press Enter when asked for a password).

This process is called Server Authentication: the client verifies that the server is trusted. Server Authentication is the most common mode, and it is how HTTPS works.

When connecting to JMX over SSL, however, you also need Client Authentication, that is, the server verifies that the client is trusted. The principle is the same as above, except that now the server uses its own truststore to verify that the client’s certificate is trustworthy.

Step 1: Make the KeyStore and TrustStore

SSL is based on asymmetric encryption, so besides the certificate there is also a private key. In Java, public and private keys are stored in a keystore.

Now let’s make KeyStore and TrustStore for Visual VM (Client) and Java App (Server).

First the general process, then the commands:

  1. Generate the VisualVM keystore, export cert, and import cert into the Java-app truststore
  2. Generate java-app keystore, export cert, and import cert into VisualVM truststore

The specific commands:

  1. Generate the VisualVM KeyStore

    keytool -genkeypair \
      -alias visualvm \
      -keyalg RSA \
      -validity 365 \
      -storetype pkcs12 \
      -keystore visualvm.keystore \
      -storepass <visualvm.keystore password> \
      -keypass <visualvm.keystore password> \
      -dname "CN=<name>, OU=<organizational unit>, O=<organization name>, L=<city>, S=<province>, C=<two-letter country code>"
  2. Export the VisualVM cert

    keytool -exportcert \
      -alias visualvm \
      -storetype pkcs12 \
      -keystore visualvm.keystore \
      -file visualvm.cer \
      -storepass <visualvm.keystore password>
  3. Import the VisualVM cert into the java-app trustStore (this command also creates the trustStore file, since it does not exist yet)

    keytool -importcert \
      -alias visualvm \
      -file visualvm.cer \
      -keystore java-app.truststore \
      -storepass <java-app.truststore password> \
      -noprompt
  4. Generate the java-app keystore

    keytool -genkeypair \
      -alias java-app \
      -keyalg RSA \
      -validity 365 \
      -storetype pkcs12 \
      -keystore java-app.keystore \
      -storepass <java-app.keystore password> \
      -keypass <java-app.keystore password> \
      -dname "CN=<name>, OU=<organizational unit>, O=<organization name>, L=<city>, S=<province>, C=<two-letter country code>"
  5. Export the java-app cert

    keytool -exportcert \
      -alias java-app \
      -storetype pkcs12 \
      -keystore java-app.keystore \
      -file java-app.cer \
      -storepass <java-app.keystore password>
  6. Import the java-app cert into the VisualVM trustStore

    keytool -importcert \
      -alias java-app \
      -file java-app.cer \
      -keystore visualvm.truststore \
      -storepass <visualvm.truststore password> \
      -noprompt

The resulting files are:

  1. visualvm.keystore, which contains the public and private keys of VisualVM
  2. visualvm.truststore, which contains the java-app cert
  3. java-app.keystore, which contains the public and private keys of java-app
  4. java-app.truststore, which contains the VisualVM cert

Step 2: Start Tomcat

Let’s try it with Tomcat again, adding a few parameters to CATALINA_OPTS as shown below. Since there are quite a few parameters, put them in a setenv.sh file under $TOMCAT/bin (remember to make it executable):

    CATALINA_OPTS="-Dcom.sun.management.jmxremote"
    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.port=1100"
    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.rmi.port=1100"
    CATALINA_OPTS="$CATALINA_OPTS -Djava.rmi.server.hostname=<host or ip>"
    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
    # The following lines enable SSL
    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.ssl=true"
    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
    CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.keyStore=<path to java-app.keystore>"
    CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.keyStorePassword=<java-app.keystore password>"
    CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=<path to java-app.truststore>"
    CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword=<java-app.truststore password>"

Then run $TOMCAT/bin/startup.sh

Step 3: Start VisualVM

    jvisualvm -J-Djavax.net.ssl.keyStore=<path to visualvm.keystore> \
      -J-Djavax.net.ssl.keyStorePassword=<visualvm.keystore password> \
      -J-Djavax.net.ssl.trustStore=<path to visualvm.truststore> \
      -J-Djavax.net.ssl.trustStorePassword=<visualvm.truststore password>

You can also start JVisualVM with no arguments and check whether creating the JMX connection in the next step succeeds; if everything is configured correctly, it should not.

Step 4: Create a JMX connection

After starting JVisualVM with the parameters above, create a JMX connection as described in the earlier article on using VisualVM and JMX to remotely monitor Java processes, but do not check the box “Do not require SSL connection” when creating the JMX connection (although in my test, the connection also succeeded with the box checked).
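As an added example that is not part of the original post, the connection VisualVM makes in Step 4 can also be made from a small Java client. It makes the two SSL-related pieces explicit: the same four javax.net.ssl properties that VisualVM received via -J-D..., plus an SSL socket factory for the RMI registry lookup, which is needed because the server sets jmxremote.registry.ssl=true. Host, port and store paths/passwords are placeholders to be filled in from the steps above.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

// Added example: a minimal mutual-TLS JMX client equivalent to the VisualVM
// invocation in Step 3. All <...> values are placeholders from the steps above.
public class SslJmxClient {

    static void configureStores() {
        // The client's own key pair: presented to the server because it runs with
        // -Dcom.sun.management.jmxremote.ssl.need.client.auth=true (Client Authentication).
        System.setProperty("javax.net.ssl.keyStore", "<path to visualvm.keystore>");
        System.setProperty("javax.net.ssl.keyStorePassword", "<visualvm.keystore password>");
        // The truststore holding java-app.cer, used to verify the server (Server Authentication).
        System.setProperty("javax.net.ssl.trustStore", "<path to visualvm.truststore>");
        System.setProperty("javax.net.ssl.trustStorePassword", "<visualvm.truststore password>");
    }

    public static void main(String[] args) {
        configureStores();

        // jmxremote.registry.ssl=true means the RMI registry lookup itself runs over SSL,
        // so JNDI must be handed an SSL client socket factory; without this entry the
        // connection fails before any MBean is reached.
        Map<String, Object> env = new HashMap<>();
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

        try {
            JMXServiceURL url = new JMXServiceURL(
                    "service:jmx:rmi:///jndi/rmi://<host or ip>:1100/jmxrmi");
            try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
                MBeanServerConnection mbsc = connector.getMBeanServerConnection();
                Object uptime = mbsc.getAttribute(new ObjectName("java.lang:type=Runtime"), "Uptime");
                System.out.println("Connected over SSL; remote JVM uptime (ms): " + uptime);
            }
        } catch (IOException e) {
            // Typical causes: the server cert is not in visualvm.truststore, or (with
            // need.client.auth=true) the client cert is missing from java-app.truststore.
            System.err.println("JMX SSL connection failed: " + e);
        } catch (Exception e) {
            System.err.println("MBean query failed: " + e);
        }
    }
}
```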

References

  • Monitoring and Management Using JMX Technology – Using SSL
  • Customizing the Default Keystores and Truststores, Store Types, and Store Passwords
  • Customizing JSSE – This table lists some SSL-related System Properties
  • Creating a Keystore to Use with JSSE
  • keytool
  • Monitor Java with JMX
  • Java Secure Socket Extension (JSSE) Reference Guide, which is the most complete Reference document for Java’s support for SSL
