To use JMX with SSL, you have to configure both sides. First, create a self-signed certificate (details here) and insert it into a keystore (details here).

Let’s assume you want to use JMX over SSL with your Tomcat and JConsole on the client. Add these parameters to your tomcat script:[your jmx port][your password][full path to keystore file]
To configure JConsole to use SSL add these parameters to the call:
jconsole[full path to keystore file][your password]
Make sure that the trustStore file is the same as the keyStore file for Tomcat, or trustStore and keyStore contain the same certificates with the same alias.

Should you experience any problems using SSL, this parameter might help you: (for jconsole) (for tomcat)
This will also work with the check_jmx Nagios plugin. Just add the keystore file as trustStore to your call:
java -cp jmxquery.jar[full path to keystore file][your password] org.nagios.JMXQuery -U service:jmx:rmi:///jndi/rmi://:/jmxrmi -O "java.lang:type=MemoryPool,name=Perm Gen" -A Usage -K used -I Usage
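
The keystore/trustStore split described above, as an added example that is not part of the original post: the Tomcat keystore keeps the private key, and only the exported certificate goes into the client's trustStore. The alias, paths, port and `CHANGE_ME` password are constructed placeholders, and the `-D` options are the standard JDK property names, not necessarily the exact ones the post listed.

```shell
#!/bin/sh
# Added example: alias and password are constructed placeholders.
ALIAS=tomcat-jmx
PASS=CHANGE_ME

# Tomcat side: key pair plus self-signed certificate. This file contains the
# private key and stays on the server.
make_server_keystore() {    # $1 = keystore path, $2 = server host name
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 360 -dname "CN=$2" \
        -keystore "$1" -storepass "$PASS" -keypass "$PASS"
}

# Client side (JConsole, check_jmx): export the certificate only and import
# it into a separate truststore under the same alias.
make_client_truststore() {  # $1 = server keystore, $2 = truststore to create
    keytool -exportcert -rfc -alias "$ALIAS" \
        -keystore "$1" -storepass "$PASS" -file "$2.pem" &&
    keytool -importcert -noprompt -alias "$ALIAS" -file "$2.pem" \
        -keystore "$2" -storepass "$PASS"
}

# JVM options for the Tomcat start script. TLS with this setup authenticates
# the server only; JMX user authentication is configured separately.
server_jmx_opts() {         # $1 = JMX port, $2 = full keystore path
    printf '%s %s %s %s %s\n' \
        "-Dcom.sun.management.jmxremote" \
        "-Dcom.sun.management.jmxremote.port=$1" \
        "-Dcom.sun.management.jmxremote.ssl=true" \
        "-Djavax.net.ssl.keyStore=$2" \
        "-Djavax.net.ssl.keyStorePassword=$PASS"
}

# JVM options for a client. $2 is a prefix: "-J" for jconsole, "" for java.
client_jmx_opts() {         # $1 = full truststore path, $2 = prefix
    printf '%s %s\n' \
        "$2-Djavax.net.ssl.trustStore=$1" \
        "$2-Djavax.net.ssl.trustStorePassword=$PASS"
}

# Typical use (paths are placeholders):
#   make_server_keystore /path/to/tomcat.jks tomcat.example.org
#   make_client_truststore /path/to/tomcat.jks /path/to/client-trust.jks
#   CATALINA_OPTS="$CATALINA_OPTS $(server_jmx_opts 9004 /path/to/tomcat.jks)"
#   jconsole $(client_jmx_opts /path/to/client-trust.jks -J)
```

Passwords passed as `-D` options are visible in the process list, so restrict access to the hosts and to both store files accordingly.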



Merlin Blom said...

Thanks this helped a lot!
Generating a self-signed cert can be done with one command:
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

And it is very important to give check_jmx the FULL path of the keystore file, otherwise you get an NRPE error.


Anonymous said...

Good doc! Helped a lot, especially the check_jmx part :)

Question: Consider we have got two machines. Tomcat and nagios client. Do we need to generate the certificate on nagios and import it into tomcat trusted keys?

Christian said...

The difference is in the parameters:
keyStore vs. trustStore

The SSL cert always has to be imported as keyStore for the Tomcat. The client needs the certificate as trustStore. In your case, the nagios client is also the client for the SSL connection. So it has to trust the certificate used by your Tomcat.

Anonymous said...

Hi Christian, thanks, but it is a little unclear to me.

So for the nagios to connect to tomcat over ssl and fetch the jmx attributes,

1. I generate ssl keyStore "for tomcat". Export the cert from it and import "into nagios" trustStore.
2. Generate the ssl keyStore "for nagios". Export the cert from it and import "into tomcat" trustStore.

Christian said...

The second step is not necessary.

The second step would mean you would authenticate your nagios client to your tomcat server.

Another Christian said...

Just adding trustStore and trustStorePassword properties didn't work for me.

What worked was adding this to the env variable in the connect method:

env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

(found here
