Hello,
I can't manage to successfully enable JMX Authentication with my MessageProcessor.
I've followed the instructions here: https://docs.apigee.com/private-cloud/v4.18.05/how-monitor#jmx-auth but JMX still remains accessible without login/password.
First, I tried adding this (without backslashes):
    -Dcom.sun.management.jmxremote \
    -Dcom.sun.management.jmxremote.port=1101 \
    -Dcom.sun.management.jmxremote.local.only=false \
    -Dcom.sun.management.jmxremote.authenticate=false \
    -Dcom.sun.management.jmxremote.ssl=false
and then enabling authentication with this command:
apigee-service edge-message-processor change_jmx_auth -u theUser -p thePassword -e y
The service restarts normally, everything is up, but JMX remains accessible without authentication.
So, I tried to change the "jmxremote.authenticate" value to "true".
Then the service crashes on restart. I can see these traces in /opt/apigee/var/log/edge-message-processor/edge-message-processor.log:
    Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=128m; support was removed in 8.0
    Error: Password file not found: /opt/jdk1.8.0_202-x86_64/jre/lib/management/jmxremote.password
    sun.management.AgentConfigurationError
        at sun.management.jmxremote.ConnectorBootstrap.checkPasswordFile(ConnectorBootstrap.java:563)
        at sun.management.jmxremote.ConnectorBootstrap.startRemoteConnectorServer(ConnectorBootstrap.java:426)
        at sun.management.Agent.startAgent(Agent.java:262)
        at sun.management.Agent.startAgent(Agent.java:452)
What am I doing wrong?
What is the right combination of parameters to enable JMX Authentication?
Thanks.
Which OPDK version are you using?
The latest documentation is here:
Hi Nicola,
We run OPDK 4.18.05.
The instructions in your link are exactly the same for 4.18.05 and 4.19.01.
Follow these steps:
https://docs.apigee.com/private-cloud/v4.18.05/how-monitor#usejmx
This is the link that I've quoted in my question.
It doesn't work: JMX is enabled, but without authentication.
Hi Nicolas, can you open a support ticket with these steps so support can reproduce it and guide you to the next step?
Hi Nicolas,
I made it work using the following steps:
1. Create file /opt/apigee/customer/conf/jmxremote.access with contents:
    monitorRole readonly
    controlRole readwrite \
        create javax.management.monitor.*,javax.management.timer.* \
        unregister
    admin readonly
    edge readwrite \
        create javax.management.monitor.*,javax.management.timer.* \
        unregister
2. Create file /opt/apigee/customer/conf/jmxremote.password with contents:
    edge Apigee123!
    admin Secret123
3. You can tidy up permissions and owner for both files:
    sudo chown apigee:apigee /opt/apigee/customer/conf/jmxremote.password
    sudo chmod 400 /opt/apigee/customer/conf/jmxremote.password
    ls -ls /opt/apigee/customer/conf/jmxremote.password
4. Add the following Java options to /opt/apigee/edge-message-processor/bin/start:
    exec $JAVA \
        -Dcom.sun.management.jmxremote \
        -Dcom.sun.management.jmxremote.port=1101 \
        -Dcom.sun.management.jmxremote.local.only=false \
        -Dcom.sun.management.jmxremote.authenticate=true \
        -Dcom.sun.management.jmxremote.password.file=/opt/apigee/customer/conf/jmxremote.password \
        -Dcom.sun.management.jmxremote.access.file=/opt/apigee/customer/conf/jmxremote.access \
        -Dcom.sun.management.jmxremote.ssl=false \
        -classpath "$classpath"........
5. Restart edge-message-processor
apigee-service edge-message-processor restart
Now you should be able to access jmx only when authenticated.
Customize as desired.
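A pre-restart check for the flags in step 4, as an added example that is not part of the original post or of Apigee's tooling: it reads a JVM command line (for instance the output of `ps -o args= -p <pid>`) and reports disabled authentication, a missing or over-permissive password file, and ssl=false. The helper names jmx_prop and audit_jmx are hypothetical, and option values are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: audit the JMX flags on a JVM command line before a restart.
# jmx_prop and audit_jmx are hypothetical helper names; option values are
# assumed to contain no spaces.

# jmx_prop ARGS NAME: value of -Dcom.sun.management.jmxremote.NAME=... (last wins)
jmx_prop() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' |
        sed -n "s/^-Dcom\.sun\.management\.jmxremote\.$2=//p" | tail -n 1
}

# audit_jmx ARGS: one finding per line; returns non-zero on any FAIL.
audit_jmx() {
    args=$1 rc=0
    port=$(jmx_prop "$args" port)
    if [ -z "$port" ]; then
        echo "OK   no remote JMX port configured"
        return 0
    fi
    auth=$(jmx_prop "$args" authenticate)
    pwfile=$(jmx_prop "$args" password.file)
    ssl=$(jmx_prop "$args" ssl)
    if [ "$auth" = "false" ]; then
        echo "FAIL port $port accepts connections without credentials"; rc=1
    elif [ -z "$pwfile" ]; then
        # Without password.file the JVM looks under its own install directory.
        echo "FAIL password.file not set; JVM default location not checked"; rc=1
    elif [ ! -f "$pwfile" ]; then
        echo "FAIL password file not found: $pwfile"; rc=1
    else
        # GNU stat first, BSD stat as fallback; both print the octal mode.
        mode=$(stat -c %a "$pwfile" 2>/dev/null || stat -f %Lp "$pwfile")
        case $mode in
            ?00) echo "OK   $pwfile has owner-only mode $mode" ;;
            *)   echo "FAIL $pwfile mode $mode is not owner-only"; rc=1 ;;
        esac
    fi
    if [ "$ssl" = "false" ]; then
        echo "WARN ssl=false: JMX credentials cross the network unencrypted"
    fi
    return $rc
}

# Constructed input mirroring the flags from the original question.
audit_jmx "-Dcom.sun.management.jmxremote.port=1101 \
-Dcom.sun.management.jmxremote.authenticate=false \
-Dcom.sun.management.jmxremote.ssl=false" || true
```

The same function accepts the text of the start script itself, since the line-continuation backslashes are split off as separate tokens and ignored.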
Many thanks for sharing this @ylesyuk. I also could not get the following command mentioned in the documentation to work on OPDK v4.18.05 for enabling JMX on a Message Processor. The problem was that even after executing the command below I was able to connect to the JMX server without specifying credentials:
apigee-service edge-message-processor change_jmx_auth -e y -u username -p password
Later, I tried steps suggested by you and it worked. Thanks again!
@ylesyuk Hi Yuriy,
Nice to see you here !
Thank you very much for your answer. It works perfectly.
(But really far from the official documentation which should be updated. Unless a fix later ?)
B.R.
Nicolas.
Hi @ylesyuk, do we have any solution in the SaaS version? I'm facing the same issue while calling a Kafka producer.
java.security.AccessControlException: access denied ("javax.management.MBeanServerPermission" "createMBeanServer")