Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
2.3. Enabling Remote JMX SSL
Overview
Copiar enlaceEnlace copiado en el portapapeles!
Red Hat JBoss Fuse provides a JMX port that allows remote monitoring and management of Fuse containers via MBeans. To prevent unauthorized access to data and applications, you need to secure JMX communications by configuring JMX over SSL.
Configuring JMX over SSL access, involves:
After you have configured JMX over SSL access, you should test the connection.
Note
If you configure JMX over SSL while Red Hat JBoss Fuse is running, you will need to restart it.
Prerequisites
Copiar enlaceEnlace copiado en el portapapeles!
If you haven't already done so, you need to:
- Set your
JAVA_HOMEenvironment variable - Configure a JBoss Fuse user with the
adminroleEdit the<installDir>/jboss-fuse6.0.redhat-024/etc/users.propertiesfile to enable the defaultadminuser by uncommenting the line#admin=admin,admin. Alternatively, you can define another user with theadminrole. - cd to
<installDir>/jboss-fuse6.0.redhat-024/etc.
Create the jbossweb.keystore
Copiar enlaceEnlace copiado en el portapapeles!
At the command line, using
-dname values appropriate for your application, type this command:
$JAVA_HOME/bin/keytool -genkey -v -alias jbossalias -keyalg RSA -keysize 1024 -keystore
jbossweb.keystore -validity 3650 -keypass JbossPassword -storepass
JbossPassword -dname "CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat,
L=Boston, S=Mass, C=USA"Important
Type the entire command on the same command line.
The command returns output that looks like this:
Generating 1,024 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
for: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
New certificate (self-signed):
[
[
Version: V3
Subject: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 1024 bits
modulus: 1123086025790567043604962990501918169461098372864273201795342440080393808
1594100776075008647459910991413806372800722947670166407814901754459100720279046
3944621813738177324031064260382659483193826177448762030437669318391072619867218
036972335210839062722456085328301058362052369248473659880488338711351959835357
public exponent: 65537
Validity: [From: Thu Jun 05 12:19:52 EDT 2014,
To: Sun Jun 02 12:19:52 EDT 2024]
Issuer: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
SerialNumber: [ 4666e4e6]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AC 44 A5 F2 E6 2F B2 5A 5F 88 FE 69 60 B4 27 7D .D.../.Z_..i`.'.
0010: B9 81 23 9C ..#.
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 01 1D 95 C0 F2 03 B0 FD CF 3A 1A 14 F5 2E 04 E5 .........:......
0010: DD 18 DD 0E 24 60 00 54 35 AE FE 36 7B 38 69 4C ....$`.T5..6.8iL
0020: 1E 85 0A AF AE 24 1B 40 62 C9 F4 E5 A9 02 CD D3 .....$.@b.......
0030: 91 57 60 F6 EF D6 A4 84 56 BA 5D 21 11 F7 EA 09 .W`.....V.]!....
0040: 73 D5 6B 48 4A A9 09 93 8C 05 58 91 6C D0 53 81 s.kHJ.....X.l.S.
0050: 39 D8 29 59 73 C4 61 BE 99 13 12 89 00 1C F8 38 9.)Ys.a........8
0060: E2 BF D5 3C 87 F6 3F FA E1 75 69 DF 37 8E 37 B5 ...<..?..ui.7.7.
0070: B7 8D 10 CC 9E 70 E8 6D C2 1A 90 FF 3C 91 84 50 .....p.m....<..P
]
[Storing jbossweb.keystore]
Check whether
<installDir>/jboss-fuse6.0.redhat-024/etc now contains the file jbossweb.keystore.
Create the keystore.xml file
Copiar enlaceEnlace copiado en el portapapeles!
- Using your favorite xml editor, create and save the
keystore.xmlfile in the<installDir>/jboss-fuse6.0.redhat-024/etcdirectory. - Include this text in the file:
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"> <jaas:keystore name="sample_keystore" rank="1" path="file:etc/jbossweb.keystore" keystorePassword="JbossPassword" keyPasswords="jbossalias=JbossPassword" /> </blueprint>Check whether<installDir>/jboss-fuse6.0.redhat-024/etcnow contains the filekeystore.xml.
Ensure that the keystore.xml file is loaded at the appropriate time
Copiar enlaceEnlace copiado en el portapapeles!
Create the
org.apache.felix.fileinstall-keystore.cfg file.
- Using your favorite text editor, create and save the
org.apache.felix.fileinstall-keystore.cfgfile in the<installDir>/jboss-fuse6.0.redhat-024/etcdirectory. - Include these properties in the file:
feilx.fileinstall.dir = ${karaf.base}/etc feilx.fileinstall.filter = keystore\\.xml feilx.fileinstall.poll = 1000 feilx.fileinstall.noInitialDelay = true feilx.fileinstall.log.level = 3 feilx.fileinstall.start.level = 25Check whether<installDir>/jboss-fuse6.0.redhat-024/etcnow contains the fileorg.apache.felix.fileinstall-keystore.cfg.
Add the required properties to org.apache.karaf.management.cfg
Copiar enlaceEnlace copiado en el portapapeles!
Edit the
<installDir>/jboss-fuse6.0.redhat-024/etc/org.apache.karaf.management.cfg file to include these properties at the end of the file:
secured = true
secureProtocol = SSL
keyAlias = jbossalias
keyStore = sample_keystore
trustStore = sample_keystoreTesting the Secure JMX connection
Copiar enlaceEnlace copiado en el portapapeles!
- Restart Red Hat JBoss Fuse, if necessary.NoteWhen you restart Red Hat JBoss Fuse,
fuse.logwill contain anINFOmessage that the OsgiKeystoreManager could not find thesample_keystoreyou configured in theorg.apache.karaf.management.cfgfile. This occurs because thesample_keystorewas not loaded at the time the OSGi management bundle was loading.But theorg.pache.felix.fileinstall-keystore.cfgfile you created forces the OSGi management bundle to reload and scan the keystore, enabling JConsole to connect successfully to Red Hat JBoss Fuse over SSL. - Open a terminal, and start up JConsole by entering this command:
jconsole -J-Djavax.net.debug=all -J-Djavax.net.ssl.trustStore=/NotBackedUp/FuseSource/ jboss-fuse-6.0.0.redhat-024/etc/jbossweb.keystore -J-Djavax.net.ssl.trustStoreType=JKS -J-Djavax.net.ssl.trustStorePassword=JbossPasswordImportantType the entire command on the same command line.NoteThe system property -J-Djavax.net.debug=all shows all transport information, including SSL handshake messages, confirming that communication between JConsole and Red Hat JBoss Fuse occurs over SSL. - When JConsole opens, select the option Remote Process in the New Connection wizard.
- Under the Remote Process option, enter these values for the
service:jmx:<protocol>:<sap>url, Username, and Password:service:jmx:<protocol>:<sap>: service:jmx:rmi://localhost:44444/jndi/rmi://localhost:1099/karaf-root Username: admin Password: admin
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}