How to enable JMX authentication

Hello,


I can't manage to successfully enable JMX authentication with my MessageProcessor.
I've followed the instructions here: https://docs.apigee.com/private-cloud/v4.18.05/how-monitor#jmx-auth but JMX still remains accessible without a login/password.

First, I tried adding this (without backslashes):

-Dcom.sun.management.jmxremote \
 -Dcom.sun.management.jmxremote.port=1101 \
 -Dcom.sun.management.jmxremote.local.only=false \
 -Dcom.sun.management.jmxremote.authenticate=false \
 -Dcom.sun.management.jmxremote.ssl=false


and then enabling authentication with this command:

apigee-service edge-message-processor change_jmx_auth -u theUser -p thePassword -e y


The service restarts normally, everything is up, but JMX remains accessible without authentication.

So, I tried changing the "jmxremote.authenticate" value to "true".
Then the service crashes on restart. I can see these traces in /opt/apigee/var/log/edge-message-processor/edge-message-processor.log:

Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=128m; support was removed in 8.0
  Error: Password file not found: /opt/jdk1.8.0_202-x86_64/jre/lib/management/jmxremote.password
  sun.management.AgentConfigurationError
  at sun.management.jmxremote.ConnectorBootstrap.checkPasswordFile(ConnectorBootstrap.java:563)
  at sun.management.jmxremote.ConnectorBootstrap.startRemoteConnectorServer(ConnectorBootstrap.java:426)
  at sun.management.Agent.startAgent(Agent.java:262)
  at sun.management.Agent.startAgent(Agent.java:452)


What am I doing wrong?
What is the right combination of parameters to enable JMX authentication?


Thanks.

Accepted solution

Hi Nicolas,

I made it work using the following steps:

1. Create file /opt/apigee/customer/conf/jmxremote.access with contents:

monitorRole   readonly
controlRole   readwrite \
              create javax.management.monitor.*,javax.management.timer.* \
              unregister
admin readonly
edge   readwrite \
              create javax.management.monitor.*,javax.management.timer.* \
              unregister

2. Create file /opt/apigee/customer/conf/jmxremote.password with contents:

edge Apigee123!
admin Secret123

3. You can tidy up permissions and owner for both files

sudo chown apigee:apigee /opt/apigee/customer/conf/jmxremote.password
sudo chmod 400 /opt/apigee/customer/conf/jmxremote.password
ls -ls /opt/apigee/customer/conf/jmxremote.password

4. Add the following Java options to /opt/apigee/edge-message-processor/bin/start:

exec $JAVA \
  -Dcom.sun.management.jmxremote \
  -Dcom.sun.management.jmxremote.port=1101 \
  -Dcom.sun.management.jmxremote.local.only=false \
  -Dcom.sun.management.jmxremote.authenticate=true \
  -Dcom.sun.management.jmxremote.password.file=/opt/apigee/customer/conf/jmxremote.password \
  -Dcom.sun.management.jmxremote.access.file=/opt/apigee/customer/conf/jmxremote.access \
  -Dcom.sun.management.jmxremote.ssl=false \
-classpath "$classpath"........

5. Restart edge-message-processor

apigee-service edge-message-processor restart

Now you should be able to access JMX only when authenticated.

Customize as desired.

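A pre-restart check for the settings in the accepted answer above, as an added example that is not part of the original post or of Apigee's tooling: it reads the JMX options off a JVM command line and flags the states seen in this thread (authentication explicitly off, no password file configured) along with a password file accessible beyond its owner, users that have no access-file entry, and ssl=false. The function names, finding labels, and the sample users and passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the JMX remote options on a JVM command line.
# Function names and finding labels are hypothetical, not Apigee or JDK tooling.

# jmx_opt NAME OPTS -> value of -Dcom.sun.management.jmxremote.NAME=... (last one wins)
jmx_opt() {
  printf '%s\n' "$2" | tr ' \\' '\n\n' |
    sed -n "s/^-Dcom\.sun\.management\.jmxremote\.$1=//p" | tail -n 1
}

# First field of each entry, skipping comments and backslash-continued lines.
entry_names() {
  awk '!cont && NF && $1 !~ /^#/ { print $1 } { cont = /\\$/ }' "$1"
}

# audit_jmx OPTS -> one finding per line; no output when nothing is flagged.
audit_jmx() {
  pw=$(jmx_opt password.file "$1"); acc=$(jmx_opt access.file "$1")
  # authenticate and ssl default to true; only an explicit "false" turns them off.
  if [ "$(jmx_opt authenticate "$1")" = false ]; then echo AUTH_DISABLED; fi
  if [ "$(jmx_opt ssl "$1")" = false ]; then echo SSL_DISABLED; fi
  if [ -z "$pw" ]; then echo PASSWORD_FILE_NOT_SET  # JVM looks under its own JRE instead
  elif [ ! -f "$pw" ]; then echo PASSWORD_FILE_MISSING
  else
    # The JVM rejects a password file that group or others can access.
    if [ "$(ls -ld "$pw" | cut -c5-10)" != "------" ]; then echo PASSWORD_FILE_PERMS; fi
    if [ -f "$acc" ]; then
      for u in $(entry_names "$pw"); do
        entry_names "$acc" | grep -qxF -- "$u" || echo "NO_ACCESS_ENTRY:$u"
      done
    fi
  fi
  return 0
}

# Constructed sample files in a temp directory (users and passwords are made up).
make_sample() {
  d=$(mktemp -d)
  printf 'edge   readwrite \\\n       unregister\nadmin readonly\n' > "$d/jmxremote.access"
  printf 'edge example-pw-1\nadmin example-pw-2\nops example-pw-3\n' > "$d/jmxremote.password"
  chmod 644 "$d/jmxremote.password"
  echo "$d"
}

dir=$(make_sample)
audit_jmx "-Dcom.sun.management.jmxremote.authenticate=true \
  -Dcom.sun.management.jmxremote.password.file=$dir/jmxremote.password \
  -Dcom.sun.management.jmxremote.access.file=$dir/jmxremote.access \
  -Dcom.sun.management.jmxremote.ssl=false"
rm -rf "$dir"
```

To audit a real node, pass `audit_jmx` the option lines copied from the start script as a single string.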

Replies

Which OPDK version are you using?

The latest documentation is here:

https://docs.apigee.com/private-cloud/v4.19.01/how-monitor

Hi Nicola,

We run OPDK 4.18.05.

The instructions in your link are exactly the same for 4.18.05 and 4.19.01.

This is the link that I've quoted in my question.

It doesn't work: JMX is enabled, but without authentication.

Hi Nicolas, can you open a support ticket with these steps so support will reproduce it and guide you to the next step?

Many thanks for sharing this @ylesyuk. I also could not get the following command mentioned in the documentation to work on OPDK v4.18.05 for enabling JMX on a Message Processor. The problem was that even after executing the command below I was able to connect to the JMX server without specifying credentials:

apigee-service edge-message-processor change_jmx_auth -e y -u username -p password

Later, I tried steps suggested by you and it worked. Thanks again!

@ylesyuk Hi Yuriy,

Nice to see you here!

Thank you very much for your answer. It works perfectly.

(But really far from the official documentation, which should be updated. Unless a fix comes later?)

B.R.

Nicolas.

Hi @ylesyuk, do we have any solution in the SaaS version? I'm facing the same issue while calling the Kafka producer.

java.security.AccessControlException: access denied ("javax.management.MBeanServerPermission" "createMBeanServer")