Secure JMX with TLS Encryption


Question 

How to Secure JMX with Basic Auth (username:password) and TLS Encryption/Authentication

Answer 

First set up JMX with basic auth as shown in the Secure JMX: Basic Auth page.

To enable TLS Encryption/Authentication in JMX you need a jks keystore and truststore.

Please note that both JKS Truststore and Keystore should have the same password.

The reason for this is because the javax.net.ssl class will use the password you pass to the Keystore as the keypassword

Let’s assume this java process is Kafka and that you have installed the keystore.jks and truststore.jks under `/etc/certs``

Export the following options in the user’s env which will run Kafka.

export BROKER_JMX_OPTS= "-Dcom.sun.management.jmxremote=true
  -Dcom.sun.management.jmxremote.authenticate=true \
  -Dcom.sun.management.jmxremote.ssl=true \
  -Dcom.sun.management.jmxremote.local.only=false \
  -Djava.rmi.server.hostname=10.15.3.1 \
  -Dcom.sun.management.jmxremote.rmi.port=9581 \
  -Dcom.sun.management.jmxremote.access.file=/etc/jmxremote.access \
  -Dcom.sun.management.jmxremote.password.file=/etc/jmxremote.password \
  -Dcom.sun.management.jmxremote.port=9581 \
  -Djavax.net.ssl.keyStore=/etc/certs/kafka.jks \
  -Djavax.net.ssl.keyStorePassword=somePassword \
  -Djavax.net.ssl.trustStore=/etc/certs/truststore.jks \
  -Djavax.net.ssl.trustStorePassword=somePassword \
  -Dcom.sun.management.jmxremote.registry.ssl=true \
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
--
Last modified: February 26, 2024