Option 3: Setting up JMX with SSL

In this option, you enable JMX on Apache Tomcat with SSL authentication.

About this task

You can use different degrees of SSL security:

Securing server communication to use SSL: This is the default SSL configuration (com.sun.management.jmxremote.ssl) that must be set to true. Setting this configuration to true secures the communications via SSL by using a server certificate.
JMX RMI registry SSL secured: Starting with JDK 6, an additional parameter was added to force the creation of an SSL-secured Remote Method Invocation (RMI) registry.
Set up client SSL authentication: This method enables client-side SSL-based authentication.

For a full SSL-secured scenario you must implement all three options. The following examples include a phased approach and show which additional parameters and steps are required in each situation.

JMX with SSL for the server

About this task

For this configuration to work, the Apache Tomcat server must already be configured to use SSL. The Apache Tomcat server that is bundled with the CLM applications already has SSL configured with a self-signed certificate. This example shows how to use this existing configuration from your deployment for the JMX Apache Tomcat interface.

Note: The same steps apply if you have replaced the default self-signed certificate with your own.

Procedure

Go to JazzInstallDir/server/tomcat/conf and open the server.xml file.

Note the keystoreFile and keystorePass parameters.

<Connector port="10443"
							connectionTimeout="20000"
               connectionTimeout="20000"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
keystoreFile="ibm-team-ssl.keystore"
keystorePass="ibm-team"
protocol="HTTP/1.1"
SSLEnabled="true"
sslEnabledProtocols="${jazz.connector.sslEnabledProtocols}"
algorithm="${jazz.connector.algorithm}"
URIEncoding="UTF-8"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>

Go to the JazzInstallDir/server directory and open server.startup for editing.

Add the following JAVA_OPTS lines to the file:

Linux:

# for JMX monitoring
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote=true"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.port=1099"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=false"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=ibm-team"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=tomcat/ibm-team-ssl.keystore"

Microsoft Windows:

rem for JMX monitoring
set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote=true
   set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.port=1099
   set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.ssl=true
   set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.authenticate=false
   set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.ssl.need.client.auth=false
   set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=ibm-team
   set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStore=tomcat/ibm-team-ssl.keystore

Results

To connect to JConsole, the JConsole client must import the certificate from the server and use it for the connection to take place. The following information describes how to use keytool to perform these steps. You can use other tools to accomplish the same tasks: adjust the instructions if you use a different tool.

Open a command prompt and go to JazzInstallDir/server/jre/bin.
Enter the following command to export the CLM certificate to a file called jazz.cer. Use the keyStore and keystorePass values that you entered in the server.startup file.
```
keytool -export -alias ibm-team -keystore ibm-team-ssl.keystore -file jazz.cer -storepass ibm-team
```
Enter the following command to generate a truststore and import the certificate that JConsole will use. The example uses jconsole.truststore and password.
```
keytool -import -alias jconsole -file jazz.cer -keystore jconsole.truststore -storepass password -noprompt
```

Specify the truststore and password parameters when you start JConsole.

jconsole -J-Djavax.net.ssl.trustStore=jconsole.truststore -J-Djavax.net.ssl.trustStorePassword=ibm-team service:jmx:rmi:///jndi/rmi://host:1099/jmxrmi

Creating an SSL-secured Remote Method Invocation (RMI) registry

Procedure

You can enable this option by adding the following property to the server.startup file:

Linux:

   JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"

Microsoft Windows:

   set JAVA_OPTS=%JAVA_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true

The rest of the SSL configuration parameters remain the same. This property makes the virtual machine create an SSL-secured RMI registry at startup for the clients to use.

Results

To connect to JConsole, you use the same configuration and parameter as in "JMX with SSL for the server".

video icon Watch videos

CLM playlist
Jazz.net channel
User Education channel

learn icon Learn more

CLM learning circle
Agile learning circle
Learning circles

ask icon Ask questions

Jazz.net forum
developerWorks forums

support icon Get support

Support Portal
Deployment wiki
Support blog