Getting JMX working under Tomcat 7 with SSL and a self-signed cert

Question

I'm trying to get JMX working under Tomcat 7.0.23 with SSL. The servers are located in AWS, which means all the hosts are NATed, and I need to use JmxRemoteLifecycleListener to explicitly set the two ports used by JMX. I've been doing a lot of reading on the subject but I just can't get all the pieces working together properly.

I can get JMX working fine without SSL. I have downloaded the version of catalina-jmx-remote.jar for my version of Tomcat and installed it in my tomcat/lib directory. My server.xml contains:

  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" 
        rmiRegistryPortPlatform="1099" rmiServerPortPlatform="1098" />

When I launch Tomcat with the following settings I can connect with an insecure session:

-Dcom.sun.management.jmxremote 
-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password 
-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access 
-Djava.rmi.server.hostname=<public IP of server> 
-Dcom.sun.management.jmxremote.ssl=false

However if I change these to the following then I'm unable to establish an SSL connection:

-Dcom.sun.management.jmxremote 
-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password 
-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access 
-Djava.rmi.server.hostname=<public IP of server> 
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false 
-Dcom.sun.management.jmxremote.authenticate=true
-Djavax.net.ssl.keyStore=/path/to/keystore.dat 
-Djavax.net.ssl.keyStorePassword=<password>
-Djavax.net.ssl.trustStore=/path/to/truststore.dat 
-Djavax.net.ssl.trustStorePassword=<password>

keystore.dat contains just a single certificate created via:

openssl x509 -outform der -in cert.pem -out cert.der
keytool -import -alias tomcat -keystore keystore.dat -file cert.der -storepass <password>

truststore.dat contains a full copy of the java cacerts plus the CA cert for my self-signed cert:

cp $JAVA_HOME/jre/lib/security/cacerts truststore.dat
keytool -storepasswd -storepass changeit -new <password> -keystore truststore.dat
keytool -import -trustcacerts -file mycacert.pem -alias myalias -keystore truststore.dat -storepass <password>

After launching Tomcat I've tried connecting via jconsole but it can't establish a connection. I tried to verify SSL using openssl but it looks like Tomcat isn't making use of the cert:

$ openssl s_client -connect <host>:1099
CONNECTED(00000003)
140735160957372:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 322 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I've verified that my local keystore and truststore are set up properly by exporting the keys and verifying the cert chain (combined.pem is all the CA certs from truststore.dat and cert.pem is my cert from keystore.dat):

$ openssl verify -verbose -purpose sslserver -CAfile combined.pem cert.pem
cert.pem: OK

So now I'm at a complete loss. The cert and CA cert look correct. Unencrypted JMX connections work. But I can't seem to get the connection to use SSL. What am I missing here?

I don't know if this is just a red herring or not, but I don't see any way to specify what cert in the keyStore is used by JMX. Some of what I read implies that it just uses a cert with the alias "tomcat". Is that correct?

Accepted answer

You are starting the RMI Registry on port 1099. In order for the RMI Registry to utilize SSL you need to pass an additional -Dcom.sun.management.jmxremote.registry.ssl=true argument.

Edit:

Do you use jconsole -J-Djavax.net.ssl.trustStore=truststore -J-Djavax.net.ssl.trustStorePassword=trustword -J-Djavax.net.ssl.keyStore=keystore -J-Djavax.net.ssl.keyStorePassword=password to start JConsole? It needs to know where the stores are and the corresponding passwords.

For VisualVM you can install the VisualVM-Security plugin, which adds a new tab to the Options dialogue allowing you to customize the SSL-related options in the UI.
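A small JMX client, added here as an example and not part of the question or the answer, that connects the way the answer describes: a trust store holding the CA of the self-signed cert, password-file credentials, and an SSL socket factory for the registry lookup on 1099, which is the client-side counterpart of -Dcom.sun.management.jmxremote.registry.ssl=true. The host name, credentials and trust store path are placeholders; the server is assumed to run with both ssl flags and the listener ports from the question.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

// Minimal JMX-over-SSL client for a Tomcat started with jmxremote.ssl=true,
// jmxremote.registry.ssl=true and JmxRemoteLifecycleListener pinning the
// registry to 1099 and the RMI server to 1098. All values below are placeholders.
public class SslJmxProbe {
    static final String HOST = "jmx.example.internal";           // placeholder
    static final String TRUST_STORE = "/path/to/truststore.dat";  // placeholder

    public static void main(String[] args) throws Exception {
        // The client must trust the CA that signed the server cert; these are
        // the same properties the answer passes to jconsole through -J.
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit-placeholder");

        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi://" + HOST + ":1098/jndi/rmi://" + HOST + ":1099/jmxrmi");

        Map<String, Object> env = new HashMap<String, Object>();
        // Credentials are checked against jmxremote.password / jmxremote.access.
        env.put(JMXConnector.CREDENTIALS, new String[] {"monitorRole", "placeholder"});
        // Registry lookup over SSL. Without this the lookup is plain RMI, which a
        // registry started with registry.ssl=true rejects; with it, a plain-RMI
        // registry (flag missing on the server) fails the handshake instead.
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            Object uptime = mbsc.getAttribute(new ObjectName("java.lang:type=Runtime"), "Uptime");
            System.out.println("JMX over SSL OK; JVM uptime (ms): " + uptime);
        } catch (IOException e) {
            // Typical symptom when registry.ssl=true is missing on the server: the
            // SSL handshake against 1099 fails, matching the openssl probe above.
            System.err.println("JMX SSL connection failed: " + e);
            System.exit(1);
        }
    }
}
```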
