Accessing JMX with jconsole over SSL on EAP 7.0 or Wildfly 10+
dgilbert Jan 10, 2017 3:14 PM

I am trying to set up a secure JMX connection with SSL in DOMAIN mode. I have been able to get it to work in standalone mode (see my steps below). However, in domain mode I am missing something. I was able to find this knowledge base article for EAP 6, which worked fine for me in both standalone and domain mode. In EAP 7 there is no longer the remoting port 4447 that existed in EAP 6. I can connect to my servers over JMX in non-SSL mode with no issues.
Accessing JMX with jconsole over SSL on EAP 6 - Red Hat Customer Portal
This is what I did so far for both standalone and domain mode:
This is being done on a dev setup, so exact production-quality practices are not an issue right now.
In standalone mode.
1) Created keystore
keytool -genkey -alias jboss -keyalg RSA -keystore eap7console.jks -storepass changeit
2) Added the SSL config to the ManagementRealm in standalone/configuration/standalone.xml
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <server-identities>
                <ssl>
                    <keystore path="eap7console.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="jboss"/>
                </ssl>
            </server-identities>
            <authentication>
                <local default-user="$local" skip-group-loading="true"/>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
            <authorization map-groups-to-roles="false">
                <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
            </authorization>
        </security-realm>
        ...
</management>
3) Set the management-https binding on the management interface
<management-interfaces>
    <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
        <socket-binding https="management-https"/>
    </http-interface>
</management-interfaces>
4) Modify the jconsole.sh script in $JBOSS_HOME/bin directory. For simplicity I created a
copy of jconsole.sh script for ssl connection. I called my copy jconsole_ssl.sh. Within the
new jconsole_ssl.sh script, I modified the startup parameters to include the truststore and
password.
$JAVA_HOME/bin/jconsole -J-Djava.class.path="$CLASSPATH" -J-Djavax.net.ssl.trustStorePassword=changeit -J-Djavax.net.ssl.trustStore=standalone/configuration/eap7console.jks -J-Djavax.net.debug=ssl "$@"
5) When jconsole starts up, I selected Remote Process and entered the following for the service URL:
service:jmx:remote+https://<hostname>:9993
The username and password are those of the management user created through the add-user.sh script. Port 9993 is defined in the management-https socket binding.
6) The jconsole output window appears to show that the SSL connection succeeded, based on the debug output, because I specified -J-Djavax.net.debug=ssl on startup.
===============================================================================
However, domain mode is a totally different problem.
1) In the domain/configuration/domain.xml file
I enabled support for management of the server. Just for completeness I enabled it on all profiles even though my server is using the full profile.
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
    <expose-resolved-model/>
    <expose-expression-model/>
    <remoting-connector use-management-endpoint="false"/>
</subsystem>
2) In the domain/configuration/host.xml file
I added the SSL config to the ApplicationRealm, since that is how the servers are accessed in domain mode using JMX management.
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl protocol="TLSv1">
            <keystore path="eap7console.jks" relative-to="jboss.domain.config.dir" keystore-password="changeit" alias="jboss"/>
        </ssl>
    </server-identities>
    <authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
        <properties path="application-users.properties" relative-to="jboss.domain.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.domain.config.dir"/>
    </authorization>
</security-realm>
</security-realms>
3) Modify the jconsole.sh script in the $JBOSS_HOME/bin directory. For simplicity I created a copy of the jconsole.sh script for the SSL connection. I called my copy jconsole_ssl_domain.sh. Within the new jconsole_ssl_domain.sh script, I modified the startup parameters to include the truststore and password.
$JAVA_HOME/bin/jconsole -J-Djava.class.path="$CLASSPATH" -J-Djavax.net.ssl.trustStorePassword=changeit -J-Djavax.net.ssl.trustStore=domain/configuration/eap7console.jks -J-Djavax.net.debug=ssl "$@"
4) Started the jconsole script jconsole_ssl_domain.sh
5) This is what I tried in the jconsole dialog:
- Select Remote Process
- Enter the service URL: service:jmx:remote+https://<hostname>:8443
- The user name and password are those of the application user created through the add-user.sh script
I am using the HTTPS port of the server.
The connection fails.
=============================================
If I connect in non-SSL mode, I have no issues connecting to the following service URL in jconsole:
service:jmx:remote+http://<hostname>:8080
with the application username and password.
Currently I have been running my tests on WildFly 10.0.0.Final. I have tried on EAP 7 also. I need this to work on both the WildFly and EAP versions. It should be an identical setup procedure for both.
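As an added example (not part of the original post, and not WildFly or EAP code), here is a small Java JMX client that connects to the same `service:jmx:remote+https://` URL the post uses with jconsole, so the TLS handshake and the credentials can be checked outside jconsole and with a plain stack trace instead of the jconsole dialog. It assumes `jboss-cli-client.jar` from `$JBOSS_HOME/bin/client` (the jar that jconsole.sh puts on the classpath) is on the classpath, and it reads the truststore from the `javax.net.ssl.trustStore` system properties exactly as the post's jconsole_ssl.sh does; the service URL, user and password are command-line placeholders.

```java
// JmxTlsCheck.java: minimal JMX client for a WildFly 10 / EAP 7 "remote+https" endpoint.
// Added example, not code from the original post or from WildFly/EAP.
// Assumption: the WildFly remoting-jmx client classes are on the classpath
// (jboss-cli-client.jar from $JBOSS_HOME/bin/client, the jar jconsole.sh adds).
import java.util.HashMap;
import java.util.Map;

import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class JmxTlsCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: JmxTlsCheck <service-url> <user> <password>");
            System.err.println("  e.g. service:jmx:remote+https://localhost:9993 admin secret");
            System.exit(2);
        }
        String url = args[0];
        String user = args[1];
        String password = args[2];

        // Trust anchors come from the JVM-wide properties, the same ones jconsole_ssl.sh sets:
        //   -Djavax.net.ssl.trustStore=client-truststore.jks
        //   -Djavax.net.ssl.trustStorePassword=...
        // Warn early instead of leaving the reader with a deep handshake stack trace.
        if (System.getProperty("javax.net.ssl.trustStore") == null) {
            System.err.println("javax.net.ssl.trustStore is not set; the TLS handshake will only "
                    + "succeed if the server certificate chains to the JDK's default cacerts.");
        }

        // Credentials are passed the way jconsole passes them: a String[] {user, password}
        // under JMXConnector.CREDENTIALS. In standalone mode this is a ManagementRealm user
        // (mgmt-users.properties); the post's domain setup uses an ApplicationRealm user.
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { user, password });

        // JMXConnectorFactory picks the "remote+https" protocol handler from the classpath.
        try (JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(url), env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();

            // Read attributes that exist on every JVM, so a successful read does not depend
            // on the jmx subsystem's expose-resolved-model / expose-expression-model settings.
            ObjectName runtime = new ObjectName("java.lang:type=Runtime");
            System.out.println("connected to " + url);
            System.out.println("remote JVM  : " + mbsc.getAttribute(runtime, "VmName")
                    + " " + mbsc.getAttribute(runtime, "VmVersion"));
            System.out.println("uptime (ms) : " + mbsc.getAttribute(runtime, "Uptime"));
            System.out.println("MBean count : " + mbsc.getMBeanCount());

            // The jboss.as:* MBeans are only visible when expose-resolved-model is enabled.
            System.out.println("jboss.as MBeans visible: "
                    + mbsc.queryNames(new ObjectName("jboss.as:*"), null).size());
        }
    }
}
```

Compile with `javac -cp $JBOSS_HOME/bin/client/jboss-cli-client.jar JmxTlsCheck.java` and run with `java -cp $JBOSS_HOME/bin/client/jboss-cli-client.jar:. -Djavax.net.ssl.trustStore=client-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.debug=ssl JmxTlsCheck service:jmx:remote+https://<hostname>:9993 <user> <password>`. Two caveats for when this is moved off the dev box: the post reuses `eap7console.jks`, which holds the server's private key, as the client truststore; the client only needs the certificate, so export it with `keytool -exportcert -alias jboss -keystore eap7console.jks -file jboss.crt` and import it into a separate `client-truststore.jks` with `keytool -importcert -alias jboss -file jboss.crt -keystore client-truststore.jks`. And the host.xml fragment pins `protocol="TLSv1"`, which restricts the server to TLS 1.0; newer JDK builds disable TLS 1.0 on the client side through `jdk.tls.disabledAlgorithms`, so a handshake that works on one JDK can fail on another, and `TLSv1.2` avoids that.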