Support for Kerberos Authentication/Authorization on JMX Client/Server running on Java 6

Problem description

I have my JMX server which registers beans reading from a local file and makes them available to other JMX clients on demand. The server can be accessed either using "jconsole" or by a Java app running under a Tomcat container.

What I want is to add authentication in order to prevent an "unknown" identity accessing the JMX server. To achieve this I have added Kerberos authentication @ server using the following JVM options

-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=5555
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=false
-Djava.security.auth.login.config=./conf/jaas.conf
-Djava.security.krb5.conf=./conf/krb5.conf
-Dcom.sun.management.jmxremote.login.config=MyKrbAuth
-Ddynamic.mbean.store=./conf/mbeans
-Djava.net.preferIPv4Stack=true

My jaas.conf looks like this >>

MyKrbAuth {
com.sun.security.auth.module.Krb5LoginModule required debug=true debugNative=true;
};

When I start my JMX server with the above configuration and try to connect to it using "jconsole", I get the following exception at the client side and the connection fails >>

Cipher: Crypto Permission check failed
Cipher: granted: (CryptoPermission * 128)
Cipher: requesting: (CryptoPermission AES 256)

But at the server, authentication appears to be successful >>

[java] [STARTED] Mbean Server
[java] Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[java] [Krb5LoginModule] user entered username: username
[java] 
[java] Acquire TGT using AS Exchange
[java] principal is user@localhost.com
[java] EncryptionKey: keyType=3 keyBytes (hex dump)=0000: FD 46 7C 02 19 9B 34 E9   
[java] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: FD 46 7C 02 19 9B 34 E9   
[java] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: FE 6D 82 01 8A D7 AB 60   98 
[java] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 89 02 31 5D F7 5B 3E 89   BC F7 8A 01 A1 80 C7 
[java] EncryptionKey: keyType=17 keyBytes (hex dump)=0000: A5 67 71 17 F6 57 A9 26   01 09 B1 EB 75 46 6C 
[java] 
[java] Commit Succeeded 
[java] 

From the above it seems that the client is not able to decode the response (which is AES256 encrypted). How to fix it?

Recommended answer

Managed to fix the above problem. Here are the steps to introduce Kerberos authentication/authorization at your JMX client/server

To enable Kerberos @ JMX server,

  1. With the following args =>

-Dcom.sun.management.jmxremote=true
-Dcom.sun.management.jmxremote.port=<port_no>
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=false
-Djava.security.auth.login.config=<location_of_jaas.conf>
-Djava.security.krb5.conf=<location_of_krb5.conf>
-Dcom.sun.management.jmxremote.login.config=<name_of_login_config_to_be_used>
-Djava.net.preferIPv4Stack=true


  • Add an access entry in $JAVA_HOME/jre/lib/management/jmxremote.access. Once the user is authenticated, read/write access to the JMX server will be provided on the basis of jmxremote.access. The location of the .access file can be provided using the following JVM arg at server start-up

    -Dcom.sun.management.jmxremote.access.file=<access_control_file>
    


  • To enable Kerberos @ JMX Client (jconsole)

    1. Start jconsole with debug option & connect to server

    jconsole -J-Djava.security.debug=all
    


  • If the requested encryption is AES256, then download the unlimited strength cryptography policy jar files, extract them and place the policy files at $JAVA_HOME/jre/lib/security/. [Thanks to Mark for pointing out policy inclusion.]

    The above should make Kerberos work at both the JMX client and the JMX server side

    If you are still facing problems with the connection then you can enable verbose debugging for jconsole using a logging.properties file =>

    handlers = java.util.logging.ConsoleHandler
    .level = INFO
    java.util.logging.ConsoleHandler.level = FINEST
    java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
    # Use FINER or FINEST for javax.management.remote.level - FINEST is very verbose...
    javax.management.level = FINEST
    javax.management.remote.level = FINER
    

    And start jconsole using

    jconsole -J-Djava.util.logging.config.file=<location_of_logging.properties>
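
A check for the policy limit behind the "CryptoPermission AES 256" failure, as an added example that is not part of the original question or answer: it asks the running JVM for the largest key size its jurisdiction policy files allow and compares that with what each Kerberos enctype needs. The class name is hypothetical and the table uses the standard Kerberos enctype numbers; Cipher.getMaxAllowedKeyLength is the JDK's own API.

```java
import javax.crypto.Cipher;

// Added example (hypothetical class name): lists which Kerberos enctypes the
// JCE jurisdiction policy of the running JVM permits.
public class KrbEtypePolicyCheck {

    // {Kerberos etype number, enctype name, JCE algorithm, key bits required}
    private static final String[][] ETYPES = {
        {"1",  "des-cbc-crc",             "DES",    "56"},
        {"3",  "des-cbc-md5",             "DES",    "56"},
        {"16", "des3-cbc-sha1",           "DESede", "168"},
        {"17", "aes128-cts-hmac-sha1-96", "AES",    "128"},
        {"18", "aes256-cts-hmac-sha1-96", "AES",    "256"},
        {"23", "rc4-hmac",                "RC4",    "128"},
    };

    public static void main(String[] args) throws Exception {
        // On a JDK install java.home points at the jre directory, so the policy
        // files live under <java.home>/lib/security/.
        String home = System.getProperty("java.home");
        System.out.println("java.home    = " + home);
        System.out.println("java.version = " + System.getProperty("java.version"));

        int blocked = 0;
        for (int i = 0; i < ETYPES.length; i++) {
            String[] e = ETYPES[i];
            int needed = Integer.parseInt(e[3]);
            // Largest key size the installed policy files allow for this algorithm.
            int max = Cipher.getMaxAllowedKeyLength(e[2]);
            boolean ok = max >= needed;
            if (!ok) {
                blocked++;
            }
            System.out.println((ok ? "OK      " : "BLOCKED ") + "etype " + e[0] + " " + e[1]
                    + " needs " + e[2] + "/" + needed + ", policy max "
                    + (max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max)));
        }
        if (blocked > 0) {
            System.out.println(blocked + " enctype(s) blocked by the policy files under "
                    + home + "/lib/security/");
        }
        // Non-zero exit status lets a start-up script detect the limited policy.
        System.exit(blocked == 0 ? 0 : 1);
    }
}
```

Run it with the same JRE that launches jconsole, since the exception in the question is raised on the client side.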
    
