2.3. Enabling Remote JMX SSL
Overview
Red Hat JBoss Fuse provides a JMX port that allows remote monitoring and management of Fuse containers via MBeans. To prevent unauthorized access to data and applications, you need to secure JMX communications by configuring JMX over SSL.
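Configuring JMX over SSL access involves:
- Create the jbossweb.keystore
- Create the keystore.xml file
- Ensure that the keystore.xml file is loaded at the appropriate time
- Add the required properties to org.apache.karaf.management.cfg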
After you have configured JMX over SSL access, you should test the connection.
Warning
If you are planning to enable SSL/TLS security, you must ensure that you explicitly disable the SSLv3 protocol, in order to safeguard against the Poodle vulnerability (CVE-2014-3566). For more details, see Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x.
Note
If you configure JMX over SSL while Red Hat JBoss Fuse is running, you will need to restart it.
Prerequisites
If you haven't already done so, you need to:
- Set your JAVA_HOME environment variable
- Configure a JBoss Fuse user with the admin role
  Edit the <installDir>/jboss-fuse-6.1.0.redhat-379/etc/users.properties file to enable the default admin user by uncommenting the line #admin=admin,admin. Alternatively, you can define another user with the admin role.
- cd to <installDir>/jboss-fuse-6.1.0.redhat-379/etc.
Create the jbossweb.keystore
At the command line, using -dname values appropriate for your application, type this command:
$JAVA_HOME/bin/keytool -genkey -v -alias jbossalias -keyalg RSA -keysize 1024 -keystore jbossweb.keystore -validity 3650 -keypass JbossPassword -storepass JbossPassword -dname "CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, S=Mass, C=USA"
Important
Type the entire command on the same command line.
The command returns output that looks like this:
Generating 1,024 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
for: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
New certificate (self-signed):
[
[
Version: V3
Subject: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 1024 bits
modulus: 1123086025790567043604962990501918169461098372864273201795342440080393808
1594100776075008647459910991413806372800722947670166407814901754459100720279046
3944621813738177324031064260382659483193826177448762030437669318391072619867218
036972335210839062722456085328301058362052369248473659880488338711351959835357
public exponent: 65537
Validity: [From: Thu Jun 05 12:19:52 EDT 2014,
To: Sun Jun 02 12:19:52 EDT 2024]
Issuer: CN=127.0.0.1, OU=RedHat Software Unit, O=RedHat, L=Boston, ST=Mass, C=USA
SerialNumber: [ 4666e4e6]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AC 44 A5 F2 E6 2F B2 5A 5F 88 FE 69 60 B4 27 7D .D.../.Z_..i`.'.
0010: B9 81 23 9C ..#.
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 01 1D 95 C0 F2 03 B0 FD CF 3A 1A 14 F5 2E 04 E5 .........:......
0010: DD 18 DD 0E 24 60 00 54 35 AE FE 36 7B 38 69 4C ....$`.T5..6.8iL
0020: 1E 85 0A AF AE 24 1B 40 62 C9 F4 E5 A9 02 CD D3 .....$.@b.......
0030: 91 57 60 F6 EF D6 A4 84 56 BA 5D 21 11 F7 EA 09 .W`.....V.]!....
0040: 73 D5 6B 48 4A A9 09 93 8C 05 58 91 6C D0 53 81 s.kHJ.....X.l.S.
0050: 39 D8 29 59 73 C4 61 BE 99 13 12 89 00 1C F8 38 9.)Ys.a........8
0060: E2 BF D5 3C 87 F6 3F FA E1 75 69 DF 37 8E 37 B5 ...<..?..ui.7.7.
0070: B7 8D 10 CC 9E 70 E8 6D C2 1A 90 FF 3C 91 84 50 .....p.m....<..P
]
[Storing jbossweb.keystore]
Check whether <installDir>/jboss-fuse-6.1.0.redhat-379/etc now contains the file jbossweb.keystore.
Create the keystore.xml file
- Using your favorite XML editor, create and save the keystore.xml file in the <installDir>/jboss-fuse-6.1.0.redhat-379/etc directory.
- Include this text in the file:
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0">
  <jaas:keystore name="sample_keystore"
                 rank="1"
                 path="file:etc/jbossweb.keystore"
                 keystorePassword="JbossPassword"
                 keyPasswords="jbossalias=JbossPassword" />
</blueprint>
Check whether <installDir>/jboss-fuse-6.1.0.redhat-379/etc now contains the file keystore.xml.
Ensure that the keystore.xml file is loaded at the appropriate time
Create the org.apache.felix.fileinstall-keystore.cfg file.
- Using your favorite text editor, create and save the org.apache.felix.fileinstall-keystore.cfg file in the <installDir>/jboss-fuse-6.1.0.redhat-379/etc directory.
- Include these properties in the file:
felix.fileinstall.dir = ${karaf.base}/etc
felix.fileinstall.filter = keystore\\.xml
felix.fileinstall.poll = 1000
felix.fileinstall.noInitialDelay = true
felix.fileinstall.log.level = 3
felix.fileinstall.start.level = 25
Check whether <installDir>/jboss-fuse-6.1.0.redhat-379/etc now contains the file org.apache.felix.fileinstall-keystore.cfg.
Add the required properties to org.apache.karaf.management.cfg
Edit the <installDir>/jboss-fuse-6.1.0.redhat-379/etc/org.apache.karaf.management.cfg file to include these properties at the end of the file:
secured = true
secureProtocol = TLSv1
keyAlias = jbossalias
keyStore = sample_keystore
trustStore = sample_keystore
Important
You must set secureProtocol to TLSv1, in order to protect against the Poodle vulnerability (CVE-2014-3566).
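The four files above refer to each other by name (keystore name, key alias, keystore file), and a mismatch only shows up at connection time. The following consistency check is an added example, not part of the Red Hat documentation: the function names are invented here, it assumes the keystore file sits in the same etc directory as in this procedure, and it goes slightly beyond the page by also accepting TLSv1.1 and TLSv1.2.

```shell
#!/bin/sh
# Added example: cross-check the files created in the steps above.
# cfg_get, xml_attr and check_jmx_ssl are names invented for this sketch.

# Value of key $2 in the "key = value" properties file $1.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Value of attribute $2 on the <jaas:keystore> element in file $1.
xml_attr() {
    tr '\n' ' ' < "$1" |
        sed -n "s/.*<jaas:keystore[^>]*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Returns 0 when the files in etc directory $1 agree with each other.
check_jmx_ssl() {
    mgmt="$1/org.apache.karaf.management.cfg"; ks="$1/keystore.xml"; rc=0
    for f in "$mgmt" "$ks" "$1/org.apache.felix.fileinstall-keystore.cfg"; do
        [ -f "$f" ] || { echo "FAIL: missing $f"; return 2; }
    done
    [ "$(cfg_get "$mgmt" secured)" = true ] ||
        { echo "FAIL: secured is not true"; rc=1; }
    # The page requires TLSv1; later TLS versions also pass, SSLv3 never does.
    case "$(cfg_get "$mgmt" secureProtocol)" in
        TLSv1|TLSv1.[12]) ;;
        *) echo "FAIL: secureProtocol must be TLSv1 (CVE-2014-3566)"; rc=1 ;;
    esac
    # keyStore/trustStore name the jaas:keystore entry, not the file.
    name=$(xml_attr "$ks" name)
    for key in keyStore trustStore; do
        [ -n "$name" ] && [ "$(cfg_get "$mgmt" "$key")" = "$name" ] ||
            { echo "FAIL: $key does not match keystore.xml name '$name'"; rc=1; }
    done
    # keyAlias needs an alias=password entry in keyPasswords.
    ka=$(cfg_get "$mgmt" keyAlias)
    case "$(xml_attr "$ks" keyPasswords)" in
        *"${ka:-UNSET}="*) ;;
        *) echo "FAIL: no keyPasswords entry for keyAlias '$ka'"; rc=1 ;;
    esac
    # Assumption: path is file:etc/<file>, so the keystore sits in this directory.
    path=$(xml_attr "$ks" path)
    [ -f "$1/${path##*/}" ] || { echo "FAIL: keystore file not found"; rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then check_jmx_ssl "$1"; fi
```

Save it under any name and pass the etc directory as the only argument before restarting the container; a non-zero exit status means at least one FAIL line was printed.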
Testing the Secure JMX connection
- Restart Red Hat JBoss Fuse, if necessary.
  Note
  When you restart Red Hat JBoss Fuse, fuse.log will contain an INFO message that the OsgiKeystoreManager could not find the sample_keystore you configured in the org.apache.karaf.management.cfg file. This occurs because the sample_keystore was not loaded at the time the OSGi management bundle was loading.
  But the org.apache.felix.fileinstall-keystore.cfg file you created forces the OSGi management bundle to reload and scan the keystore, enabling JConsole to connect successfully to Red Hat JBoss Fuse over SSL.
- Open a terminal, and start up JConsole by entering this command:
  jconsole -J-Djavax.net.debug=all -J-Djavax.net.ssl.trustStore=/NotBackedUp/FuseSource/jboss-fuse-6.1.0.redhat-379/etc/jbossweb.keystore -J-Djavax.net.ssl.trustStoreType=JKS -J-Djavax.net.ssl.trustStorePassword=JbossPassword
  Important
  Type the entire command on the same command line.
  Note
  The system property -J-Djavax.net.debug=all shows all transport information, including SSL handshake messages, confirming that communication between JConsole and Red Hat JBoss Fuse occurs over SSL.
- When JConsole opens, select the option Remote Process in the New Connection wizard.
- Under the Remote Process option, enter these values for the service:jmx:<protocol>:<sap> url, Username, and Password:
  service:jmx:<protocol>:<sap>: service:jmx:rmi://localhost:44444/jndi/rmi://localhost:1099/karaf-root
  Username: admin
  Password: admin
