Red Hat Summit Red Hat Summit지원콘솔개발자평가판 시작연락처

이 콘텐츠는 선택한 언어로 제공되지 않습니다.

2.4. Enabling Remote JMX SSL

Overview
링크 복사

Red Hat JBoss Fuse provides a JMX port that allows remote monitoring and management of Fuse containers using MBeans. By default, however, the credentials that you send over the JMX connection are unencrypted and vulnerable to snooping. To encrypt the JMX connection and protect against password snooping, you need to secure JMX communications by configuring JMX over SSL.
To configure JMX over SSL, perform the following steps:
  1. Create the jbossweb.keystore file
  2. Create and deploy the keystore.xml file
  3. Add the required properties to org.apache.karaf.management.cfg
  4. Restart the container
After you have configured JMX over SSL access, you should test the connection.
Warning
If you are planning to enable SSL/TLS security, you must ensure that you explicitly disable the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
Note
If you configure JMX over SSL while Red Hat JBoss Fuse is running, you will need to restart it.

Prerequisites
링크 복사

If you haven't already done so, you need to:
  • Set your JAVA_HOME environment variable
  • Configure a JBoss Fuse user with the Administrator role
    Edit the <installDir>/jboss-fuse-6.3.0.redhat-187/etc/users.properties file and add the following entry, on a single line: 
    admin=YourPassword,Administrator
    Copy to Clipboard Toggle word wrap
    This creates a new user with username, admin, password, YourPassword, and the Administrator role.

Create the jbossweb.keystore file
링크 복사

Open a command prompt and make sure you are in the etc/ directory of your JBoss A-MQ installation: 
cd <installDir>/jboss-fuse-6.3.0.redhat-187/etc
Copy to Clipboard Toggle word wrap
At the command line, using a -dname value (Distinguished Name) appropriate for your application, type this command: 
$JAVA_HOME/bin/keytool -genkey -v -alias jbossalias -keyalg RSA -keysize 1024 -keystore jbossweb.keystore -validity 3650 -keypass JbossPassword -storepass JbossPassword -dname "CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, S=Mass, C=USA"
Copy to Clipboard Toggle word wrap
Important
Type the entire command on a single command line.
The command returns output that looks like this: 
Generating 1,024 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
	for: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
New certificate (self-signed):
[
[
  Version: V3
  Subject: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 1024 bits
  modulus: 1123086025790567043604962990501918169461098372864273201795342440080393808
     1594100776075008647459910991413806372800722947670166407814901754459100720279046
     3944621813738177324031064260382659483193826177448762030437669318391072619867218
     036972335210839062722456085328301058362052369248473659880488338711351959835357
  public exponent: 65537
  Validity: [From: Thu Jun 05 12:19:52 EDT 2014,
               To: Sun Jun 02 12:19:52 EDT 2024]
  Issuer: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
  SerialNumber: [    4666e4e6]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AC 44 A5 F2 E6 2F B2 5A   5F 88 FE 69 60 B4 27 7D  .D.../.Z_..i`.'.
0010: B9 81 23 9C                                        ..#.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 01 1D 95 C0 F2 03 B0 FD   CF 3A 1A 14 F5 2E 04 E5  .........:......
0010: DD 18 DD 0E 24 60 00 54   35 AE FE 36 7B 38 69 4C  ....$`.T5..6.8iL
0020: 1E 85 0A AF AE 24 1B 40   62 C9 F4 E5 A9 02 CD D3  .....$.@b.......
0030: 91 57 60 F6 EF D6 A4 84   56 BA 5D 21 11 F7 EA 09  .W`.....V.]!....
0040: 73 D5 6B 48 4A A9 09 93   8C 05 58 91 6C D0 53 81  s.kHJ.....X.l.S.
0050: 39 D8 29 59 73 C4 61 BE   99 13 12 89 00 1C F8 38  9.)Ys.a........8
0060: E2 BF D5 3C 87 F6 3F FA   E1 75 69 DF 37 8E 37 B5  ...<..?..ui.7.7.
0070: B7 8D 10 CC 9E 70 E8 6D   C2 1A 90 FF 3C 91 84 50  .....p.m....<..P

]
[Storing jbossweb.keystore]
Copy to Clipboard Toggle word wrap
Check whether <installDir>/jboss-fuse-6.3.0.redhat-187/etc now contains the file jbossweb.keystore.

Create and deploy the keystore.xml file
링크 복사

  1. Using your favorite xml editor, create and save the keystore.xml file in the <installDir>/jboss-fuse-6.3.0.redhat-187/etc directory.
  2. Include this text in the file: 
    <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0">
     <jaas:keystore name="sample_keystore"
                    rank="1"
                    path="file:etc/jbossweb.keystore"
                    keystorePassword="JbossPassword" 
                    keyPasswords="jbossalias=JbossPassword" />
</blueprint>
    Copy to Clipboard Toggle word wrap
  3. Deploy the keystore.xml file to the container, by copying it into the <installDir>/jboss-fuse-6.3.0.redhat-187/deploy directory (the hot deploy directory).
    Note
    Subsequently, if you need to undeploy the keystore.xml file, you can do so by deleting the keystore.xml file from the deploy/ directory while the Karaf container is running.

Add the required properties to org.apache.karaf.management.cfg
링크 복사

Edit the <installDir>/jboss-fuse-6.3.0.redhat-187/etc/org.apache.karaf.management.cfg file to include these properties at the end of the file: 
secured = true
secureProtocol = TLSv1
keyAlias = jbossalias
keyStore = sample_keystore
trustStore = sample_keystore
Copy to Clipboard Toggle word wrap
Important
You must set secureProtocol to TLSv1, in order to protect against the Poodle vulnerability (CVE-2014-3566)

Restart the JBoss A-MQ container
링크 복사

You must restart the JBoss A-MQ container for the new JMX SSL/TLS settings to take effect.

Testing the Secure JMX connection
링크 복사

  1. Open a command prompt and make sure you are in the etc/ directory of your JBoss A-MQ installation: 
    cd <installDir>/jboss-fuse-6.3.0.redhat-187/etc
    Copy to Clipboard Toggle word wrap
  2. Open a terminal, and start up JConsole by entering this command: 
    jconsole -J-Djavax.net.debug=ssl -J-Djavax.net.ssl.trustStore=jbossweb.keystore -J-Djavax.net.ssl.trustStoreType=JKS -J-Djavax.net.ssl.trustStorePassword=JbossPassword
    Copy to Clipboard Toggle word wrap
    Where the -J-Djavax.net.ssl.trustStore option specifies the location of the jbossweb.keystore file (make sure this location is specified correctly, or the SSL/TLS handshake will fail). The -J-Djavax.net.debug=ssl setting enables logging of SSL/TLS handshake messages, so you can verify that SSL/TLS has been successfully enabled.
    Important
    Type the entire command on the same command line.
  3. When JConsole opens, select the option Remote Process in the New Connection wizard.
  4. Under the Remote Process option, enter the following value for the service:jmx:<protocol>:<sap> connection URL: 
    service:jmx:rmi://localhost:44444/jndi/rmi://localhost:1099/karaf-root
    Copy to Clipboard Toggle word wrap
    And fill in the Username, and Password fields with valid JAAS credentials (as set in the etc/users.properties file): 
    Username: admin
Password: YourPassword
    Copy to Clipboard Toggle word wrap
맨 위로 이동
Red Hat logoGithubredditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다. 최신 업데이트를 확인하세요.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

Theme

© 2025 Red Hat