Building a JMXConnectorServer that handles SSL

Question

It is well document how the default JMX Connector can be configured to handle TLS/SSL secured connections from JMX clients such as JConsole, e.g.

-Dcom.sun.management.jmxremote.port=6789 \
-Dcom.sun.management.jmxremote.authenticate=false \
-Dcom.sun.management.jmxremote.ssl=true \
-Djavax.net.ssl.keyStore=/path/to/the/keystore.jks \
-Djavax.net.ssl.keyStorePassword=secr3t

When using JConsole with this connector it prevents the warning 'Secure connection failed. Retry insecurely?', which some users find startling (the warning, not its prevention).

It is less well documented how the same can be achieved programmatically when building a JMXConnectorServer, e.g.

JMXConnectorServerFactory.newJMXConnectorServer(url, env, mBeanServerFactory);

Can anyone refer me to a proven example? The same applies to building an RMIRegistry. I should be most grateful.

M.

Answer 1

Properties props = new Properties();
props.setProperty("com.sun.management.jmxremote.authenticate", "false");
props.setProperty("com.sun.management.jmxremote.ssl", "true");
props.setProperty("com.sun.management.jmxremote.registry.ssl", "true");

// Either set SSL properties via System.setProperty() or load an external config file
// props.setProperty("com.sun.management.jmxremote.ssl.config.file",
//                   "/path/to/ssl.properties");

System.setProperty("javax.net.ssl.keyStore", "/path/to/the/keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "secr3t");

JMXConnectorServer server = sun.management.jmxremote.ConnectorBootstrap
        .startRemoteConnectorServer("6789", props);

This is the easiest way to start SSL-aware JMXConnectorServer programmatically. It relies on a private sun.management API. You may also do this without private API, but you'll have to replicate much of ConnectorBootstrap logic.