Remote JMX Access

This document describes how to enable remote JMX access to UltraESB instances and how to secure the JMX connection so that a username and password must be supplied to connect to the JMX MXBeans.

Introduction

JMX (Java Management Extensions) is the standard for managing and monitoring any Java process. UltraESB leverages the capabilities of JMX to manage and monitor its instances. While local JMX access is always enabled, remote JMX access is disabled by default in the UltraESB for security reasons.

UltraESB management relies solely on JMX, meaning that any of the management options, such as UTerm, ultimately uses JMX to talk to UltraESB instances. Therefore, most serious deployments need remote JMX access enabled. However, enabling remote JMX without security is not recommended, as that gives complete control of the UltraESB instance to anyone with network access to the JMX port of the running instance.

Configuring Remote JMX Access

The default root configuration file (i.e. conf/ultra-root.xml) contains the necessary Spring configuration to configure JMX access to the instance as shown below.

Remote JMX Access Configuration

<bean id="serverConnector" class="org.springframework.jmx.support.ConnectorServerFactoryBean" depends-on="registry">
  <property name="objectName" value="connector:name=iiop"/>
  <property name="serviceUrl" value="service:jmx:rmi://localhost:9994/jndi/rmi://localhost:1099/ultra"/>
  <property name="threaded" value="true"/>
  <property name="daemon" value="true"/>
</bean>
<bean id="registry" class="org.springframework.remoting.rmi.RmiRegistryFactoryBean">
  <property name="port" value="1099"/>
</bean>

The RmiRegistryFactoryBean defines the RMI port used (defaults to 1099), and the serviceUrl of the ConnectorServerFactoryBean defines the JMX port used, along with the RMI configuration. To expose JMX management over a network interface other than the local interface, specify the desired IP address or hostname (if DNS is configured) instead of "localhost" within the serviceUrl. With a remotely accessible serviceUrl, the instance can be managed from a remote system.

You will also need to configure the ultraesb.sh or the wrapper.conf (depending on the method that you use to start the UltraESB instance) to include the property "-Djava.rmi.server.hostname" with the value of the IP address or hostname of the server running the UltraESB instance.

Securing the JMX Access

It is not recommended to expose remote JMX connections without security. There are multiple ways of securing the remote JMX connection, of which the two most widely used are password and access files, and LDAP-based authentication. UltraESB supports both password and access file based authentication and LDAP / ActiveDirectory based authentication for remote JMX connections.

Server Connector bean for enabling Security

<bean id="serverConnector" class="org.springframework.jmx.support.ConnectorServerFactoryBean" depends-on="registry">
  <property name="objectName" value="connector:name=iiop"/>
  <property name="serviceUrl" value="service:jmx:rmi://localhost:9994/jndi/rmi://localhost:1099/ultra"/>
  <property name="threaded" value="true"/>
  <property name="daemon" value="true"/>
  <property name="environment">
    <map>
      <entry key="jmx.remote.x.access.file" value="conf/management/jmxremote.access"/>
      <!--For plain text password file based access control-->
      <entry key="jmx.remote.x.password.file" value="conf/management/jmxremote.password"/>
      <!--For JAAS (e.g. LDAP / ActiveDirectory) based authentication-->
      <!--<entry key="jmx.remote.x.login.config" value="LdapConfig"/>-->
    </map>
  </property>
</bean>
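The following check is an added example, not part of the UltraESB documentation: it parses a Spring root configuration and reports any ConnectorServerFactoryBean whose serviceUrl names a non-loopback host while no password-file or JAAS entry is active in its "environment" map. The sample XML, the 192.0.2.10 documentation address and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

LOOPBACK = {"localhost", "127.0.0.1"}
AUTH_KEYS = {"jmx.remote.x.password.file", "jmx.remote.x.login.config"}

def local(tag):
    """Drop an XML namespace prefix so '{ns}bean' and 'bean' both match."""
    return tag.rsplit("}", 1)[-1]

def audit_connectors(xml_text):
    """Flag JMX connector beans that name a remote host but activate no authentication."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) != "bean" or not bean.get("class", "").endswith("ConnectorServerFactoryBean"):
            continue
        props = {p.get("name"): p for p in bean if local(p.tag) == "property"}
        url = props["serviceUrl"].get("value", "") if "serviceUrl" in props else ""
        # Both the JMX host and the RMI registry host appear after "rmi://".
        remote = set(re.findall(r"rmi://([^:/]+)", url)) - LOOPBACK
        env = props.get("environment")
        # The parser drops XML comments, so a commented-out <entry> does not count as active.
        keys = set() if env is None else {e.get("key") for e in env.iter() if local(e.tag) == "entry"}
        if remote and not keys & AUTH_KEYS:
            findings.append(f"{bean.get('id')}: serviceUrl names {', '.join(sorted(remote))} "
                            "but no password file or JAAS entry is active")
    return findings

# Constructed sample: the bean from this page rebound to a documentation address,
# with the password-file entry still commented out.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="serverConnector" class="org.springframework.jmx.support.ConnectorServerFactoryBean">
    <property name="serviceUrl" value="service:jmx:rmi://192.0.2.10:9994/jndi/rmi://192.0.2.10:1099/ultra"/>
    <property name="environment">
      <map>
        <!--<entry key="jmx.remote.x.password.file" value="conf/management/jmxremote.password"/>-->
      </map>
    </property>
  </bean>
</beans>"""

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE):
        print(finding)
```

Pair the result with a check of which interfaces ports 1099 and 9994 are actually bound to on the host.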

Password and Access File based Security

To configure password and access file based security, add the "environment" property to the serverConnector bean that was configured when enabling the remote JMX connection, specifying the password and access files as shown above.

UltraESB by default ships a password file and an access file in the conf/management directory with the following content.

Content of the jmxremote.access file

admin readwrite 

The access file shown above declares the access rights for the role "admin" to be "readwrite" where that admin role can invoke any operation. You could prepare another role with just monitoring capabilities by declaring a role with "readonly" access rights depending on your requirement.

The password file looks as follows.

Content of the jmxremote.password file

admin admin 

This defines the password for the role "admin" to be "admin". As a result, the username admin and the password admin must be supplied to make any connection to the UltraESB instance via remote JMX.

It is highly recommended that any serious production deployment change at least the password of the admin role; it is better still if the role name itself is changed from its default value.
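As an added example (not shipped with UltraESB), the script below audits the contents of jmxremote.access and jmxremote.password for the issues described in this section: the shipped admin/admin credentials, a password equal to the role name, roles present in only one file, and the absence of a "readonly" monitoring role. It assumes simple whitespace-separated "name value" lines; the hardened role names and passwords are constructed placeholders.

```python
def parse_pairs(text):
    """Parse 'name value' lines, skipping blank lines and '#' comments."""
    pairs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            pairs[parts[0]] = parts[1]
    return pairs

def audit_jmx_files(access_text, password_text):
    """Return findings about roles, access rights and weak passwords."""
    access, passwords = parse_pairs(access_text), parse_pairs(password_text)
    findings = []
    for role, secret in passwords.items():
        if role == "admin" and secret == "admin":
            findings.append("admin: shipped default credentials still in place")
        elif secret.lower() == role.lower():
            findings.append(f"{role}: password equals the role name")
        if role not in access:
            findings.append(f"{role}: has a password but no entry in the access file")
    for role, right in access.items():
        if right not in ("readonly", "readwrite"):
            findings.append(f"{role}: unknown access right '{right}'")
        if role not in passwords:
            findings.append(f"{role}: access entry without a password")
    writers = sorted(r for r, right in access.items() if right == "readwrite")
    if access and len(writers) == len(access):
        findings.append("no readonly role defined; monitoring clients must use " + ", ".join(writers))
    return findings

# File contents exactly as shown on this page.
SHIPPED_ACCESS = "admin readwrite \n"
SHIPPED_PASSWORD = "admin admin \n"

# Constructed hardened pair: renamed admin role plus a read-only monitoring role.
HARDENED_ACCESS = "esbadmin readwrite\nmonitor readonly\n"
HARDENED_PASSWORD = "esbadmin CONSTRUCTED-long-random-1\nmonitor CONSTRUCTED-long-random-2\n"

if __name__ == "__main__":
    for finding in audit_jmx_files(SHIPPED_ACCESS, SHIPPED_PASSWORD):
        print(finding)
```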

LDAP / ActiveDirectory based Authentication

The UltraESB LDAP configuration file ldap.conf can be found in the conf directory. To enable LDAP-based authentication, uncomment the last line in the "environment" property map, which sets the path to the JAAS configuration file (ldap.conf) that ships with UltraESB, and comment out all the entries above it in that map. More information on LDAP configuration can be found here.

There are many other alternatives for securing remote JMX access, such as using SSL. See the guide on Monitoring and Management using JMX Technology in the Java documentation for an overview of all the available options.
