Remote jmx has enabled SSL. How to configure jmx-exporter for verification? about jmx_exporter HOT 13 CLOSED

When running the exporter in standalone mode with JMX being protected by SSL you have to...

1. Create a trust store to be used by the exporter.

2. Added the trusted certificate to the trust store )if you are not using a certificate signed by a public certificate authority)

3. Added the following properties to your exporter command line

-javax.net.ssl.trustStore=<file> -javax.net.ssl.trustStorePassword=<trustStore password>

from jmx_exporter.

@kingEneru When configuring RMI for SSL, the expectation is that the RMI registry is also configured for SSL. This requires the Java system property...

  -Dcom.sun.management.jmxremote.registry.ssl=true

... to be defined when launching your application.

I have merged an integration test that tests/validates RMI with SSL. @unitsvc also validated that adding the Java system property resolves the issue.

from jmx_exporter.

When running the exporter in standalone mode with JMX being protected by SSL you have to...

1. Create a trust store to be used by the exporter.
2. Added the trusted certificate to the trust store )if you are not using a certificate signed by a public certificate authority)
3. Added the following properties to your exporter command line

-javax.net.ssl.trustStore=<file> -javax.net.ssl.trustStorePassword=<trustStore password>

Thanks for your prompt reply. And do I need to add the keystore command line?

-Djavax.net.ssl.keyStore=/home/user/.keystore
-Djavax.net.ssl.keyStorePassword=changeit

from jmx_exporter.

I don't believe the keyStore values are required.

from jmx_exporter.

I don't believe the keyStore values are required.

Okay，I generated truststore.p12 through tomcatJMX.cer file, and specify trustStore in commandline, but still got the above memtioned error.

• Create truststore
  keytool -import -keystore ./truststore.p12 -storepass changeit-noprompt -trustcacerts -v -alias jmxssl -file ./tomcatJMX.cer
• Running command:
  java -jar jmx_prometheus_httpserver.jar 49103 /etc/jmx/jmx-server-prometheus.yaml -Djavax.net.ssl.trustStore=./truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit

from jmx_exporter.

This command line is incorrect...

java -jar jmx_prometheus_httpserver.jar 49103 /etc/jmx/jmx-server-prometheus.yaml -Djavax.net.ssl.trustStore=./truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit

This is passing -Djavax.net.ssl.trustStore=./truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit as arguments to the exporter.

The correct command line should be...

java -Djavax.net.ssl.trustStore=./truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit -jar jmx_prometheus_httpserver.jar 49103 /etc/jmx/jmx-server-prometheus.yaml

The use of the Java agent is strongly recommended. Some JVM metrics can't be captured when running the standalone exporter.

from jmx_exporter.

This command line is incorrect...

java -jar jmx_prometheus_httpserver.jar 49103 /etc/jmx/jmx-server-prometheus.yaml -Djavax.net.ssl.trustStore=./truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit

This is passing -Djavax.net.ssl.trustStore=./truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit as arguments to the exporter.

The correct command line should be...

java -Djavax.net.ssl.trustStore=./truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit -jar jmx_prometheus_httpserver.jar 49103 /etc/jmx/jmx-server-prometheus.yaml

The use of the Java agent is strongly recommended. Some JVM metrics can't be captured when running the standalone exporter.

It seems that the agent mode cannot be used because I deployed the java application and jmx_exporter in a kubernetes environment.

from jmx_exporter.

Deployment of the JMX Exporter Java agent works in Kubernetes.

from jmx_exporter.

Hi @dhoard , I tried again based on the correct command you provided. Unfortunately, I still got the same error. Then, I checked the SSL related source code and found that after I deleted this line and tested it in local, I was able to pass the SSL authentication successful. This Is it a bug?

from jmx_exporter.

@kingEneru I am reviewing #947, which appears to fail a new integration test I have created (not yet merged into main.)

EDIT: The code in main works correctly.

from jmx_exporter.

@kingEneru I am reviewing #947, which appears to fail a new integration test I have created (not yet merged into main.)

EDIT: The code in main works correctly.

That's weird...
Does SSL authentication require that the jdk version of jmx exporter is the same as the jdk version of jmx server?

from jmx_exporter.

That's weird... Does SSL authentication require that the jdk version of jmx exporter is the same as the jdk version of jmx server?

It does not. This is a configuration issue. I just updated PR #947 with the missing Java system property.

from jmx_exporter.

@kingEneru When configuring RMI for SSL, the expectation is that the RMI registry is also configured for SSL. This requires the Java system property...

  -Dcom.sun.management.jmxremote.registry.ssl=true

... to be defined when launching your application.

I have merged an integration test that tests/validates RMI with SSL. @unitsvc also validated that adding the Java system property resolves the issue.

Okay, It's working successfully and normally now. Thanks a lot

from jmx_exporter.