Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

2.3. Enabling Remote JMX SSL

Overview
Copy link

Red Hat JBoss Fuse provides a JMX port that allows remote monitoring and management of Fuse containers via MBeans. To prevent unauthorized access to data and applications, you need to secure JMX communications by configuring JMX over SSL.
Configuring JMX over SSL access, involves:
After you have configured JMX over SSL access, you should test the connection.
Note
If you configure JMX over SSL while Red Hat JBoss Fuse is running, you will need to restart it.

Prerequisites
Copy link

If you haven't already done so, you need to:
  • Set your JAVA_HOME environment variable
  • Configure a JBoss Fuse user with the admin role
    Edit the <installDir>/jboss-fuse6.0.redhat-024/etc/users.properties file to enable the default admin user by uncommenting the line #admin=admin,admin. Alternatively, you can define another user with the admin role.
  • cd to <installDir>/jboss-fuse6.0.redhat-024/etc.

Create the jbossweb.keystore
Copy link

At the command line, using -dname values appropriate for your application, type this command: 
$JAVA_HOME/bin/keytool -genkey -v -alias jbossalias -keyalg RSA -keysize 1024 -keystore 
jbossweb.keystore -validity 3650 -keypass JbossPassword -storepass 
JbossPassword -dname "CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, 
L=Boston, S=Mass, C=USA"
Copy to Clipboard Toggle word wrap
Important
Type the entire command on the same command line.
The command returns output that looks like this: 
Generating 1,024 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
	for: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
New certificate (self-signed):
[
[
  Version: V3
  Subject: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 1024 bits
  modulus: 1123086025790567043604962990501918169461098372864273201795342440080393808
     1594100776075008647459910991413806372800722947670166407814901754459100720279046
     3944621813738177324031064260382659483193826177448762030437669318391072619867218
     036972335210839062722456085328301058362052369248473659880488338711351959835357
  public exponent: 65537
  Validity: [From: Thu Jun 05 12:19:52 EDT 2014,
               To: Sun Jun 02 12:19:52 EDT 2024]
  Issuer: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
  SerialNumber: [    4666e4e6]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AC 44 A5 F2 E6 2F B2 5A   5F 88 FE 69 60 B4 27 7D  .D.../.Z_..i`.'.
0010: B9 81 23 9C                                        ..#.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 01 1D 95 C0 F2 03 B0 FD   CF 3A 1A 14 F5 2E 04 E5  .........:......
0010: DD 18 DD 0E 24 60 00 54   35 AE FE 36 7B 38 69 4C  ....$`.T5..6.8iL
0020: 1E 85 0A AF AE 24 1B 40   62 C9 F4 E5 A9 02 CD D3  .....$.@b.......
0030: 91 57 60 F6 EF D6 A4 84   56 BA 5D 21 11 F7 EA 09  .W`.....V.]!....
0040: 73 D5 6B 48 4A A9 09 93   8C 05 58 91 6C D0 53 81  s.kHJ.....X.l.S.
0050: 39 D8 29 59 73 C4 61 BE   99 13 12 89 00 1C F8 38  9.)Ys.a........8
0060: E2 BF D5 3C 87 F6 3F FA   E1 75 69 DF 37 8E 37 B5  ...<..?..ui.7.7.
0070: B7 8D 10 CC 9E 70 E8 6D   C2 1A 90 FF 3C 91 84 50  .....p.m....<..P

]
[Storing jbossweb.keystore]
Copy to Clipboard Toggle word wrap
Check whether <installDir>/jboss-fuse6.0.redhat-024/etc now contains the file jbossweb.keystore.

Create the keystore.xml file
Copy link

  1. Using your favorite xml editor, create and save the keystore.xml file in the <installDir>/jboss-fuse6.0.redhat-024/etc directory.
  2. Include this text in the file: 
    <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0">
     <jaas:keystore name="sample_keystore"
                    rank="1"
                    path="file:etc/jbossweb.keystore"
                    keystorePassword="JbossPassword" 
                    keyPasswords="jbossalias=JbossPassword" />
</blueprint>
    Copy to Clipboard Toggle word wrap
    Check whether <installDir>/jboss-fuse6.0.redhat-024/etc now contains the file keystore.xml.
Create the org.apache.felix.fileinstall-keystore.cfg file.
  1. Using your favorite text editor, create and save the org.apache.felix.fileinstall-keystore.cfg file in the <installDir>/jboss-fuse6.0.redhat-024/etc directory.
  2. Include these properties in the file: 
    feilx.fileinstall.dir        = ${karaf.base}/etc
feilx.fileinstall.filter     = keystore\\.xml
feilx.fileinstall.poll       = 1000
feilx.fileinstall.noInitialDelay  = true
feilx.fileinstall.log.level  = 3
feilx.fileinstall.start.level     = 25
    Copy to Clipboard Toggle word wrap
    Check whether <installDir>/jboss-fuse6.0.redhat-024/etc now contains the file org.apache.felix.fileinstall-keystore.cfg.
Edit the <installDir>/jboss-fuse6.0.redhat-024/etc/org.apache.karaf.management.cfg file to include these properties at the end of the file: 
secured = true
secureProtocol = SSL
keyAlias = jbossalias
keyStore = sample_keystore
trustStore = sample_keystore
Copy to Clipboard Toggle word wrap

Testing the Secure JMX connection
Copy link

  1. Restart Red Hat JBoss Fuse, if necessary.
    Note
    When you restart Red Hat JBoss Fuse, fuse.log will contain an INFO message that the OsgiKeystoreManager could not find the sample_keystore you configured in the org.apache.karaf.management.cfg file. This occurs because the sample_keystore was not loaded at the time the OSGi management bundle was loading.
    But the org.pache.felix.fileinstall-keystore.cfg file you created forces the OSGi management bundle to reload and scan the keystore, enabling JConsole to connect successfully to Red Hat JBoss Fuse over SSL.
  2. Open a terminal, and start up JConsole by entering this command: 
    jconsole -J-Djavax.net.debug=all -J-Djavax.net.ssl.trustStore=/NotBackedUp/FuseSource/
jboss-fuse-6.0.0.redhat-024/etc/jbossweb.keystore -J-Djavax.net.ssl.trustStoreType=JKS 
-J-Djavax.net.ssl.trustStorePassword=JbossPassword
    Copy to Clipboard Toggle word wrap
    Important
    Type the entire command on the same command line.
    Note
    The system property -J-Djavax.net.debug=all shows all transport information, including SSL handshake messages, confirming that communication between JConsole and Red Hat JBoss Fuse occurs over SSL.
  3. When JConsole opens, select the option Remote Process in the New Connection wizard.
  4. Under the Remote Process option, enter these values for the service:jmx:<protocol>:<sap> url, Username, and Password: 
    service:jmx:<protocol>:<sap>: service:jmx:rmi://localhost:44444/jndi/rmi://localhost:1099/karaf-root
Username: admin
Password: admin
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat