I am working on providing configuration of JMX over SSL. Here is a situation I have run into and I want others' input.

I want to use the Keystore GBean to configure the keystore and truststore required by the connector. Here is the part that I am sure of. The org.apache.geronimo.jmxremoting.JMXConnector GBean needs the following additional attributes and references to specify the SSL configuration:

1. sslEnabled : true/false
2. algorithm : Default/SunX509/IBMX509
3. secureProtocol : SSL/TLS
4. keyStore
5. keyAlias
6. trustStore
7. clientAuth : true/false
8. keystoreManager : a reference to the keystore manager.

Here are some of the approaches and the problems I have run into.

Approach-A) The JMXConnector GBean is currently in the "j2ee-security" configuration. Unless the keystore GBeans are started before the JMXConnector GBean, it will not work as expected. The order in which the keystore GBeans appear in the plan also seems to matter. Currently the Keystore GBean(s) are in server-security-config. Either the keystore GBeans should be moved to j2ee-security, or the JMXConnector needs to be moved to server-security-config.

Approach-B) Have a reference collection listener listen for Keystore GBeans being added. In this case, the JMX server will have to be started in the listener class. The problem with this approach is that JMXConnector.doStart() cannot wait for the listener class to start the JMX server, so the JMX server will be started only after JMXConnector.doStart() has completed. If the JMX server startup fails in the collection listener, there is no way to make the JMXConnector GBean fail at startup (as it has already started successfully!!). Another problem is that if the configured keystore does not exist, the collection listener will never know about it and the JMX server will not start.

Both patches are attached in the JIRA. Please comment on these two approaches and suggest any improvements that I may have missed.
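As an added illustration of what a doStart() carrying the proposed attributes has to do, here is a stand-alone sketch built on the standard javax.management.remote and javax.rmi.ssl APIs. It is not Geronimo code and not taken from the attached patches: the stores are read from plain files (the paths, passwords, alias and port are assumed values) instead of being obtained from Keystore GBeans, and every check runs synchronously inside doStart(), so a missing store, wrong password or unknown alias throws and the GBean start itself fails, which is exactly the property Approach-B loses. It needs Java 6 or later for the SslRMIServerSocketFactory constructor that takes an SSLContext.

```java
import java.io.File;
import java.io.FileInputStream;
import java.net.Socket;
import java.rmi.registry.LocateRegistry;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.*;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.net.ssl.*;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// Added illustration, not Geronimo code and not from the attached patches: what a
// doStart() with the proposed SSL attributes has to do. Stores are read from files
// (assumed paths/passwords) instead of Keystore GBeans so every check runs inside
// doStart() and a bad store fails the GBean start. Needs Java 6+.
public class SslJmxConnectorExample {
    boolean sslEnabled = true;           // attribute names follow the post
    String algorithm = "Default";        // Default | SunX509 | IBMX509
    String secureProtocol = "TLS";       // SSL | TLS
    String keyStore = "/var/geronimo/keystores/jmx.jks";        // assumed
    String keyStorePassword = "changeit";                         // assumed
    String keyAlias = "jmx";                                      // assumed
    String trustStore = "/var/geronimo/keystores/jmx-trust.jks"; // assumed
    String trustStorePassword = "changeit";                       // assumed
    boolean clientAuth = true;
    int port = 9999;                                              // assumed
    private JMXConnectorServer server;

    public void doStart(MBeanServer mbs) throws Exception {
        Map<String, Object> env = new HashMap<String, Object>();
        if (sslEnabled) {
            SSLContext ctx = buildContext();   // throws on any misconfiguration
            SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
            SslRMIServerSocketFactory ssf =
                new SslRMIServerSocketFactory(ctx, null, null, clientAuth);
            // The registry must use TLS too, or it stays a plaintext RMI endpoint.
            LocateRegistry.createRegistry(port, csf, ssf);
            env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
            env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
            env.put("com.sun.jndi.rmi.factory.socket", csf); // JNDI bind over TLS
        } else { LocateRegistry.createRegistry(port); }
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");
        server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();
    }

    SSLContext buildContext() throws Exception {
        KeyStore ks = load(keyStore, keyStorePassword);
        if (!ks.isKeyEntry(keyAlias)) {
            throw new IllegalStateException("no key entry '" + keyAlias + "' in " + keyStore);
        }
        KeyStore ts = load(trustStore, trustStorePassword);
        String kmAlg = "Default".equals(algorithm)
            ? KeyManagerFactory.getDefaultAlgorithm() : algorithm;
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmAlg);
        kmf.init(ks, keyStorePassword.toCharArray());
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        KeyManager[] kms = kmf.getKeyManagers();   // pin the server cert to keyAlias
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new AliasKeyManager((X509KeyManager) kms[i], keyAlias);
            }
        }
        SSLContext ctx = SSLContext.getInstance(secureProtocol);
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    private static KeyStore load(String path, String password) throws Exception {
        File f = new File(path);
        if (!f.isFile()) throw new IllegalStateException("keystore missing: " + path);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(f);
        try { ks.load(in, password.toCharArray()); } finally { in.close(); }
        return ks;
    }

    /** Delegating X509KeyManager that always serves the configured alias. */
    static class AliasKeyManager implements X509KeyManager {
        private final X509KeyManager d; private final String alias;
        AliasKeyManager(X509KeyManager d, String alias) { this.d = d; this.alias = alias; }
        public String chooseServerAlias(String kt, Principal[] is, Socket s) { return alias; }
        public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return d.chooseClientAlias(kt, is, s); }
        public String[] getServerAliases(String kt, Principal[] is) { return d.getServerAliases(kt, is); }
        public String[] getClientAliases(String kt, Principal[] is) { return d.getClientAliases(kt, is); }
        public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
        public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
    }
}
```

Two points worth checking against either patch: the RMI registry has to be created with the same SSL socket factories as the connector, otherwise the registry on the configured port remains a plaintext endpoint even though the connector itself is "SSL enabled"; and with clientAuth set to true, clients must present a certificate that the configured truststore accepts (SslRMIClientSocketFactory on the client side uses the default SSLSocketFactory, so a jconsole-style client needs javax.net.ssl.keyStore and javax.net.ssl.trustStore set). In the Geronimo setting the synchronous load() above is the step that depends on the Keystore GBeans already being started, which is the ordering problem Approach-A describes.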
