Obtain certificate from secured remote JMX connection
petob Dec 3, 2014 4:06 PM
Hi Guys,
English isn’t my first language, so please excuse any mistakes.
I work as an application administrator, and my applications use JBoss AS7, EAP 6.X, etc. I am trying to better understand JBoss and learn as much as I can about Java.
I have hundreds of JBoss instances for various customers and each of them has SSL enabled. Most of them use a keystore with only a self-signed certificate.
For monitoring I use jConsole and connect to them via remote JMX from my desktop. I run jConsole with all necessary options (-J-Djavax.net.ssl.trustStore, -J-Djavax.net.ssl.trustStorePassword) and I know how to export the certificate from JBoss and add it manually into my truststore. I have no problem with this. My problem is that I work in a very dynamic environment where each day new JBosses are installed or removed. It's very time consuming to manually export the certificate from each new JBoss and save it into my truststore. Therefore, I would like to know if it's possible to obtain the certificate programmatically from JBoss via remote JMX.
For example:
If I connect to JBoss
JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://127.0.0.1:9999");
try {
    JMXConnector jmxc = JMXConnectorFactory.connect(url, null);
    jmxc.connect();
} catch (Exception e) {
    e.printStackTrace();
}
I get the following error:
....
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.xnio.ssl.JsseConnectedSslStreamChannel.wrap(JsseConnectedSslStreamChannel.java:252)
...
Which is OK because I can catch SSLHandshakeException and inform my app that the connection is established and secured. The problem is that I don't know how to continue and obtain the certificate.
I would like to get something like this, which I get when I use jboss-cli.sh for the first time:
Unable to connect due to unrecognised server certificate
Subject - CN=localhost,O=Office International des Epizooties (OIE),OU=Marketing,ST=Lithuania,L=Manila,C=NJ
Issuer - CN=localhost, O=Office International des Epizooties (OIE), OU=Marketing, ST=Lithuania, L=Manila, C=NJ
Valid From - Fri Nov 28 22:35:08 CET 2014
Valid To - Sat Dec 19 22:35:08 CET 2015
SHA1 : 39:4d:8a:72:02:bf:59:4b:97:23:f9:9d:77:79:c0:4b:c3:f0:84:6b
MD5 : 96:51:00:06:29:4b:da:89:19:47:79:64:ed:bd:4c:bb
Accept certificate? [N]o, [T]emporarily, [P]ermenantly :
Where I can accept the certificate and automatically save it into my truststore.
Any help would be appreciated.
Regards
Peter
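An added example, not part of the original post and not JBoss code: a trust manager that records the certificate chain a server presents and then rejects the handshake, so the details can be shown and the certificate stored only after the operator has compared the fingerprint with the value read on the server. The class name TofuProbe and the four command-line arguments are hypothetical, and main assumes the port accepts a direct TLS handshake; a connector that negotiates TLS inside its own protocol needs the same trust manager supplied through its SSLContext instead.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
// Added example (hypothetical names). Usage: java TofuProbe <host> <port> <truststore.jks> <password>
public class TofuProbe implements X509TrustManager {
    private X509Certificate[] seen;   // chain presented during the last handshake
    public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
        throw new CertificateException("not used for client certificates");
    }
    public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        seen = c.clone();             // record, then fail closed: nothing is trusted here
        throw new CertificateException("unrecognised server certificate");
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    static String fingerprint(X509Certificate cert, String alg) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance(alg).digest(cert.getEncoded()))
            sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02x", b));
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        TofuProbe tm = new TofuProbe();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();       // always rejected by checkServerTrusted
        } catch (SSLException expected) { /* rejection is the normal path */ }
        if (tm.seen == null) { System.err.println("No certificate was presented"); return; }
        X509Certificate leaf = tm.seen[0];
        System.out.println("Subject    - " + leaf.getSubjectX500Principal().getName());
        System.out.println("Issuer     - " + leaf.getIssuerX500Principal().getName());
        System.out.println("Valid From - " + leaf.getNotBefore());
        System.out.println("Valid To   - " + leaf.getNotAfter());
        System.out.println("SHA-256    : " + fingerprint(leaf, "SHA-256"));
        System.out.print("Fingerprint matches the value read on the server? [y/N] ");
        String answer = new BufferedReader(new InputStreamReader(System.in)).readLine();
        if (answer == null || !answer.trim().equalsIgnoreCase("y")) return;
        char[] pw = args[3].toCharArray();
        File store = new File(args[2]);
        KeyStore ks = KeyStore.getInstance("JKS");
        if (store.exists()) { try (InputStream in = new FileInputStream(store)) { ks.load(in, pw); } }
        else { ks.load(null, null); } // start an empty truststore
        ks.setCertificateEntry(args[0] + ":" + args[1], leaf);   // alias = host:port
        try (OutputStream out = new FileOutputStream(store)) { ks.store(out, pw); }
    }
}
```

The default answer is "no", so a certificate is written to the truststore only after an explicit confirmation; accepting without comparing the fingerprint out of band gives no protection against an intercepted first connection.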