IBM Support

Step by step instructions for securing JMX authentication for nodetool utility, OpsCenter and JConsole

Troubleshooting


Problem

Summary

It's possible to secure JMX authentication, which makes JMX compliant utilities such as nodetool, OpsCenter and JConsole ask for password authentication.

Enabling JMX authentication can be a simple way to ensure only certain people can use utilities like nodetool, OpsCenter and JConsole. For example, some system administrators prefer to secure nodetool usage as it can be used to add and remove nodes.

JMX authentication

1) Edit /etc/dse/cassandra/cassandra-env.sh file and update/add the below lines:

JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"

 

2) Create a jmxremote.password file that contains a user name and password on each line and save it to the location entered in the previous step. Example:

touch jmxremote.password

3) Add a username and password in the file created as seen below

cassandra p4ssw0rd
monitorrole MonIt0R

4) Change ownership and permission of the file to cassandra user

chown cassandra:cassandra /etc/cassandra/jmxremote.password
chmod 400 /etc/cassandra/jmxremote.password

5) (Optional)To limit the actions a user can perform, add/uncomment the below line in /etc/dse/cassandra/cassandra-env.sh file

JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access"

6) If you have Step 5 enabled - Change the ownership and permission of the file to Cassandra user and edit the file to include users and their proper permission level. Example:

monitorRole readonly
cassandra readwrite

7) Restart DSE

/etc/init.d/dse restart

8) Run nodetool with user and password:

nodetool -u cassandra -pw cassandra status

Without a username and password you will see this error:

root@VM1 cassandra]# nodetool status
Exception in thread "main" java.lang.SecurityException: Authentication failed! Credentials required
at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticationFailure(Unknown Source)
at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticate(Unknown Source)
at sun.management.jmxremote.ConnectorBootstrap$AccessFileCheckerAuthenticator.authenticate(Unknown Source)
at javax.management.remote.rmi.RMIServerImpl.doNewClient(Unknown Source)
at javax.management.remote.rmi.RMIServerImpl.newClient(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source)
at sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)
at sun.rmi.server.UnicastRef.invoke(Unknown Source)
at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
at javax.management.remote.rmi.RMIConnector.getConnection(Unknown Source)
at javax.management.remote.rmi.RMIConnector.connect(Unknown Source)
at javax.management.remote.JMXConnectorFactory.connect(Unknown Source)
at org.apache.cassandra.tools.NodeProbe.connect(NodeProbe.java:146)
at org.apache.cassandra.tools.NodeProbe.<init>(NodeProbe.java:116)
at org.apache.cassandra.tools.NodeCmd.main(NodeCmd.java:1099)

 

OpsCenter Changes

If you are using OpsCenter you need to add the JMX credentials for nodes to connect:

1) In OpsCenter select Edit Cluster, enter user name and password under JMX Username and JMX Password.

2) Restart OpsCenter agent on each node

/etc/init.d/opscenterd restart

3) You can check if the JMX credentials were added to OpsCenter by viewing this file:

/etc/opscenter/clusters/<cluster_name>.conf

It should contain an entry like this:

[jmx]
username = cassandra
password = cassandra
port = 7199

 

JConsole

If using JConsole, you must provide a username and password when connecting to the host.

Last Reviewed: 11/13/2023

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCR56","label":"IBM DataStax Enterprise"},"ARM Category":[{"code":"","label":""}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Historical Number

ka06R000000HcWBQA0

Document Information

Modified date:
30 January 2026

UID

ibm17258897

Page Feedback