[ https://issues.apache.org/jira/browse/CASSANDRA-12109?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Tunnicliffe updated CASSANDRA-12109:
----------------------------------------
    Status: Patch Available  (was: In Progress)

Pushed a fix which restores the pre CASSANDRA-10091 behaviour. It also 
reorganised the JMX section in {{cassandra-env.sh}} slightly, moving the SSL 
options into the {{LOCAL_JMX != yes}} block. One thing to note is that when SSL 
is enabled, it isn't possible to use the same port for both 
{{cassandra.jmx.remote.port}} and {{com.sun.management.jmxremote.rmi.port}}, as 
this causes contention at bind time resulting in {{AlreadyBoundException}}. 
This is not new behaviour though and has always been the case AFAIK.

||branch||testall||dtest||
|[12109-3.9|https://github.com/beobal/cassandra/tree/12109-3.9]|[testall|http://cassci.datastax.com/view/Dev/view/beobal/job/beobal-12109-3.9-testall]|[dtest|http://cassci.datastax.com/view/Dev/view/beobal/job/beobal-12109-3.9-dtest]|
|[12109-trunk|https://github.com/beobal/cassandra/tree/12109-trunk]|[testall|http://cassci.datastax.com/view/Dev/view/beobal/job/beobal-12109-trunk-testall]|[dtest|http://cassci.datastax.com/view/Dev/view/beobal/job/beobal-12109-trunk-dtest]|



> Configuring SSL for JMX connections forces requirement of local truststore
> --------------------------------------------------------------------------
>
>                 Key: CASSANDRA-12109
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-12109
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Configuration, Lifecycle, Observability
>            Reporter: Sam Tunnicliffe
>            Assignee: Sam Tunnicliffe
>             Fix For: 3.x
>
>
> In CASSANDRA-10091 we changed the way the JMX server is constructed such that 
> this is always done programmatically, which gives us control over the 
> authentication and authorization mechanisms. Previously, when 
> {{LOCAL_JMX=no}}, Cassandra would allow the JMX setup to be done by the built 
> in JVM agent, which delegates to 
> {{sun.management.jmxremote.ConnectorBootstrap}} to do the actual JMX & RMI 
> setup. 
> This change has introduced a regression when SSL is enabled for JMX 
> connections, namely that now it is not possible to start C* with only the 
> server-side elements of the SSL setup specified. That is, if enabling SSL 
> with {{com.sun.management.jmxremote.ssl=true}}, it should only be necessary 
> to specify a keystore (via {{javax.net.ssl.keyStore}}), and a truststore 
> should only be necessary if client authentication is also enabled 
> ({{com.sun.management.jmxremote.ssl.need.client.auth=true}}). 
> As it is, C* cannot currently start up without a truststore containing the 
> server's own certificate, which is clearly a bug.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
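
An added illustration, not code from the patch or from cassandra-env.sh: a shell pre-flight check that assembles the JMX SSL options with the requirements the issue describes (keystore always, truststore only when client authentication is on, distinct JMX and RMI ports). The function name, return codes and sample paths are assumptions.

```shell
# Added example; jmx_ssl_opts is a hypothetical helper, not part of Cassandra.
# Usage: jmx_ssl_opts JMX_PORT RMI_PORT KEYSTORE NEED_CLIENT_AUTH [TRUSTSTORE]
# Prints the JVM options on stdout; returns non-zero on an invalid combination.
jmx_ssl_opts() {
    jmx_port=$1
    rmi_port=$2
    keystore=$3
    need_auth=$4
    truststore=${5:-}

    # With SSL enabled the two listeners cannot share a port: the second
    # bind fails with AlreadyBoundException.
    if [ "$jmx_port" = "$rmi_port" ]; then
        echo "JMX and RMI ports must differ when SSL is enabled" >&2
        return 1
    fi

    # Server-side SSL always needs a keystore holding the server's key.
    if [ -z "$keystore" ]; then
        echo "a keystore is required for server-side SSL" >&2
        return 2
    fi

    opts="-Dcassandra.jmx.remote.port=$jmx_port"
    opts="$opts -Dcom.sun.management.jmxremote.rmi.port=$rmi_port"
    opts="$opts -Dcom.sun.management.jmxremote.ssl=true"
    opts="$opts -Djavax.net.ssl.keyStore=$keystore"

    # A truststore is only needed when the server must verify client certs.
    if [ "$need_auth" = "true" ]; then
        if [ -z "$truststore" ]; then
            echo "client auth requires a truststore" >&2
            return 3
        fi
        opts="$opts -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
        opts="$opts -Djavax.net.ssl.trustStore=$truststore"
    fi

    printf '%s\n' "$opts"
}
```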
