Securing JMX access


Ryan Cuprak

Nov 1, 2017, 4:16:35 PM
to Payara Forum
How do I go about protecting JMX access to Payara? In the JMX Connector there is configuration for a realm (set to admin-realm by default) but this doesn't appear to work. I can start jconsole and connect without having to enter a username/password. Is the JMX Connector the right thing to configure or should I be directly configuring JMX using System properties?

Thanks,
-Ryan

Ondrej Mihályi

Nov 1, 2017, 6:51:28 PM
to Ryan Cuprak, Payara Forum
Hi Ryan,

The configuration in the JMX Connector page is what you need and I believe you secured JMX access correctly. By default it's secured by the same admin and password as the Admin console.

Are you really connecting through the remote JMX interface? 
If you start JConsole on the same computer you can connect to all JVMs via a system socket which isn't protected.

If you only select Payara Server's JVM in JConsole from the list of local processes then you connect via a socket and not via JMX. You should connect to a remote process and specify hostname:port (localhost:8686), user and password. Then you should select Insecure connection if you didn't enable security for JMX. 

Mind that to allow connecting to JMX from a remote machine, you should also enable security and add a keystore to jconsole via a command line parameter: https://docs.oracle.com/javase/7/docs/technotes/guides/management/faq.html#ssl1
Otherwise, I believe it's not possible to connect from a remote machine because the server refuses remote JMX connections if not secured.

Ondro

--
You received this message because you are subscribed to the Google Groups "Payara Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to payara-forum+unsubscribe@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/payara-forum/b966e00d-c9aa-466a-b221-9de7550192ea%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ryan Cuprak

Nov 2, 2017, 4:54:10 PM
to Payara Forum
Hi Ondro,
I have Payara running on a remote Linux server and I am able to connect to it from jConsole on my Mac. It is set up with the admin realm and I am not supplying a username or password when connecting. The url is service:mx:rmi://<remote server>:9986/jndi/rmi://<remote server>:9986/jmxrmi.

I was surprised that I was able to connect.

-Ryan



ondrej....@gmail.com

Nov 3, 2017, 3:08:26 AM
to Ryan Cuprak, Payara Forum

You're not using the default 8686 port. How do you configure JMX? It's open by default on port 8686 without any configuration changes.

If you configure JMX with system properties as any Java application, it won't use any realm to secure the connection.

Ondro
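
A way to verify what the thread is arguing about, as an added example that is not part of the original posts or of Payara's code: it opens a JMX connection with no credentials and reports whether the endpoint let it in. The class name `JmxAuthCheck`, ports 19986/19987 and the stand-in authenticator are assumptions made for the demo; pass the `service:jmx:rmi:///jndi/rmi://host:port/jmxrmi` URL of a server you administer as the single argument to check it instead.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.*;
import javax.security.auth.Subject;

public class JmxAuthCheck {
  // True if the endpoint lets a client in without any credentials.
  static boolean acceptsAnonymous(JMXServiceURL url) throws IOException {
    try (JMXConnector c = JMXConnectorFactory.connect(url)) {
      c.getMBeanServerConnection().getMBeanCount(); // confirm MBeans are readable
      return true;
    } catch (SecurityException e) {
      return false; // server demanded credentials
    }
  }

  // Constructed stand-in for a server: an in-process connector reached via loopback.
  static JMXConnectorServer start(int port, boolean requireAuth) throws IOException {
    LocateRegistry.createRegistry(port);
    Map<String, Object> env = new HashMap<>();
    if (requireAuth) {
      env.put(JMXConnectorServer.AUTHENTICATOR, (JMXAuthenticator) creds -> {
        if (creds == null) throw new SecurityException("credentials required");
        return new Subject(); // demo only: a real authenticator verifies the credentials
      });
    }
    JMXServiceURL url = new JMXServiceURL(
        "service:jmx:rmi:///jndi/rmi://127.0.0.1:" + port + "/jmxrmi");
    JMXConnectorServer s = JMXConnectorServerFactory.newJMXConnectorServer(
        url, env, ManagementFactory.getPlatformMBeanServer());
    s.start();
    return s;
  }

  public static void main(String[] args) throws Exception {
    if (args.length == 1) { // check an endpoint you administer
      System.out.println(acceptsAnonymous(new JMXServiceURL(args[0]))
          ? "OPEN: connected without credentials" : "OK: credentials required");
    } else { // self-test against the two constructed connectors
      JMXConnectorServer open = start(19986, false), locked = start(19987, true);
      System.out.println("no authenticator: anonymous=" + acceptsAnonymous(open.getAddress()));
      System.out.println("authenticator:    anonymous=" + acceptsAnonymous(locked.getAddress()));
    }
    System.exit(0); // RMI threads would otherwise keep the JVM alive
  }
}
```

An endpoint that only accepts TLS-wrapped RMI makes the check fail with an `IOException` rather than returning a result, so that case needs the truststore configured on the client first.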
