0 Replies Latest reply on Dec 3, 2014 4:06 PM by peto b

    Obtain certificate from secured remote JMX connection

    peto b Newbie

      Hi Guys,


      English isn’t my first language, so please excuse any mistakes.


      I work as an application administrator, and my applications use JBoss AS7, EAP 6.X, etc. I try to better understand JBoss and learn as much as I can about Java.


      I have hundreds of JBoss instances for various customers, and each of them has SSL enabled. Most of them use a keystore with only a self-signed certificate.


      For monitoring I use jConsole and connect to them via remote JMX from my desktop. I run jConsole with all necessary options (-J-Djavax.net.ssl.trustStore, -J-Djavax.net.ssl.trustStorePassword) and I know how to export the certificate from JBoss and add it manually into my truststore. I have no problem with this. My problem is that I work in a very dynamic environment where each day new JBosses are installed or removed. It's very time consuming to manually export the certificate from each new JBoss and save it into my truststore. Therefore, I would like to know if it's possible to obtain the certificate programmatically from JBoss via the remote JMX.


      For example:


      If I connect to JBoss

      try {
          JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://");
          JMXConnector jmxc = JMXConnectorFactory.connect(url, null);
      } catch (Exception e) {
          e.printStackTrace(); // the SSLHandshakeException shown below is caught here
      }


      I get the following error:




      javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290)
          at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
          at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
          at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
          at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
          at org.xnio.ssl.JsseConnectedSslStreamChannel.wrap(JsseConnectedSslStreamChannel.java:252)




      This is OK, because I can catch the SSLHandshakeException and inform my app that the connection is established and secured. The problem is that I don't know how to continue and obtain the certificate.


      I would like to get something like this, which I see when I use jboss-cli.sh for the first time:


      Unable to connect due to unrecognised server certificate
      Subject    - CN=localhost,O=Office International des Epizooties (OIE),OU=Marketing,ST=Lithuania,L=Manila,C=NJ
      Issuer     - CN=localhost, O=Office International des Epizooties (OIE), OU=Marketing, ST=Lithuania, L=Manila, C=NJ
      Valid From - Fri Nov 28 22:35:08 CET 2014
      Valid To   - Sat Dec 19 22:35:08 CET 2015
      SHA1 : 39:4d:8a:72:02:bf:59:4b:97:23:f9:9d:77:79:c0:4b:c3:f0:84:6b
      MD5 : 96:51:00:06:29:4b:da:89:19:47:79:64:ed:bd:4c:bb
      Accept certificate? [N]o, [T]emporarily, [P]ermenantly :


      Where I can accept the certificate and automatically save it into my truststore.


      Any help would be appreciated.
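
An added example, not part of the original post and not JBoss code: one way to capture the certificate a server presents, show it for review in the style of the jboss-cli.sh prompt, and store it only after the fingerprint has been compared with the one read on the server itself. The class name `FetchServerCert` is hypothetical, and the sketch assumes the given host and port accept a direct TLS handshake, which the post does not establish for the remoting-jmx port.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class FetchServerCert { // hypothetical name, added example
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]); // assumption: port accepts a direct TLS handshake
        File store = new File(System.getProperty("javax.net.ssl.trustStore"));
        char[] pass = System.getProperty("javax.net.ssl.trustStorePassword").toCharArray();
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Records the presented chain, then rejects it so no data crosses an unverified session.
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String type) throws CertificateException {
                throw new CertificateException("client authentication not handled here");
            }
            public void checkServerTrusted(X509Certificate[] chain, String type) throws CertificateException {
                seen[0] = chain;
                throw new CertificateException("captured for review, not trusted");
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(10000);
            s.startHandshake();
        } catch (SSLException expected) { // the recorder always rejects, so the handshake ends here
        }
        if (seen[0] == null) throw new IOException("no certificate presented by " + host + ":" + port);
        X509Certificate cert = seen[0][0]; // leaf certificate of the presented chain
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
            fp.append(String.format("%02x:", b));
        System.out.println("Subject : " + cert.getSubjectX500Principal());
        System.out.println("Issuer  : " + cert.getIssuerX500Principal());
        System.out.println("Valid   : " + cert.getNotBefore() + " to " + cert.getNotAfter());
        System.out.println("SHA-256 : " + fp.substring(0, fp.length() - 1));
        System.out.print("Matches the fingerprint read on the server itself? [y/N] ");
        String answer = new BufferedReader(new InputStreamReader(System.in)).readLine();
        if (!"y".equalsIgnoreCase(answer)) return; // nothing is stored unless confirmed
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        // A null stream initialises an empty keystore when the file does not exist yet.
        try (InputStream in = store.exists() ? new FileInputStream(store) : null) { ks.load(in, pass); }
        ks.setCertificateEntry(host + ":" + port, cert);
        try (OutputStream out = new FileOutputStream(store)) { ks.store(out, pass); }
    }
}
```

Run it with the same `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` properties used for jConsole, followed by the host and port. The fingerprint comparison is what gives the stored entry any value: a certificate accepted unseen authenticates whoever answered the connection, not the JBoss instance.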