How to Secure JMX with Basic Auth (username:password)
Setting up the JMX Agent with Basic Auth.
This will be done in two parts. The first part is about setting up the required files that JMX Agent will require and the second is about the options we need to pass to the agent.
First let’s create a new folder called jmxremote
jmxremote
mkdir -vp /etc/jmxremote
To enable basic auth JMX, first create two files:
The password file has the credentials that the JMX agent will check during client authentication
cat /etc/jmxremote/jmxremote.password admin admin guest admin
The above code is registering 2 users.
The access file has authorization information, like who is allowed to do what.
cat jmxremote/jmxremote.access admin readwrite guest readonly
In the above code, we can see that the admin user can do read and write operations in JMX, while guest user can only read the JMX content.
Now, to enable JMX with basic auth protection, all we need to do is pass the following options in the JRE’s env that will run the Java process you need to protect the jmx.
Let’s assume this java process is Kafka.
Change the permissions on both files so only owner can edit and view them.
chmod -R 0600 /etc/jmxremote chown -R <user-that-will-run-kafka-name>:<user-that-will-run-kafka-group> /etc/jmxremote/jmxremote.*
If you do not change the permissions to 0600 and to the user that will run the jre process, then JMX will Agent will cause an error complaining that the Process is not the owner of the files that will be used for authentication and authorization.
Finally export the following options in the user’s env which will run Kafka.
export BROKER_JMX_OPTS= "-Dcom.sun.management.jmxremote=true \ -Dcom.sun.management.jmxremote.authenticate=true \ -Dcom.sun.management.jmxremote.ssl=false \ -Dcom.sun.management.jmxremote.local.only=false \ -Djava.rmi.server.hostname=10.15.3.1 \ -Dcom.sun.management.jmxremote.rmi.port=9581 \ -Dcom.sun.management.jmxremote.access.file=/etc/jmxremote/jmxremote.access \ -Dcom.sun.management.jmxremote.password.file=/etc/jmxremote/jmxremote.password \ -Dcom.sun.management.jmxremote.port=9581
On this page
