On Thu, Mar 27, 2008 at 10:01 PM, Jarek Gawor <[EMAIL PROTECTED]> wrote:
> Vamsi,
>
> Two things on this:
>
> 1) I think it is important to make sure that all command line tools,
> gshell, (or anything that uses JMX) still (seamlessly) works once SSL
> is enabled on the JMX port.

Agreed. In fact, we will also need some additional configuration to be done so that the command line deployer works with SSL. I have not thought about GShell. Thanks for bringing it up.

> 2) Also, I do think that we should have a separate SSL-enabled JMX
> port (even though there might not be a standard one defined). Using
> the same port with and without SSL will just create problems for users
> and admins that have to manage multiple G servers and they will never
> know if the port is secure or not.
>
> Jarek
>
> On Thu, Mar 20, 2008 at 4:48 PM, Vamsavardhana Reddy
> <[EMAIL PROTECTED]> wrote:
> > I am working on providing configuration of JMX over SSL. Here is a
> > situation I have run into and I want others' inputs.
> >
> > I want to use Keystore GBean to configure the keystore and truststore
> > required by the connector. Here is the part that I am sure of.
> >
> > org.apache.geronimo.jmxremoting.JMXConnector GBean needs the following
> > additional attributes and references to specify the SSL configuration:
> > 1. sslEnabled : true/false
> > 2. algorithm : Default/SunX509/IBMX509
> > 3. secureProtocol: SSL/TLS
> > 4. keyStore
> > 5. keyAlias
> > 6. trustStore
> > 7. clientAuth : true/false
> > 8. keystoreManager : A reference to keystore manager.
> >
> > Here are some of the approaches and the problems I have run into.
> >
> > Approach-A) The JMXConnector GBean is right now in "j2ee-security"
> > configuration. Unless the keystore GBeans are started before the
> > JMXConnector GBean, it will not work as expected. The order in which
> > keystore GBeans appear in the plan also seems to matter. Currently Keystore
> > GBean(s) are in server-security-config. Either the keystore GBeans should
> > be moved to j2ee-security or the JMXConnector needs to be moved to
> > server-security-config.
> >
> > Approach-B) Have a reference collection listener listen to the Keystore
> > GBeans being added. In this case, the JMX Server will have to be started in
> > the listener class. The problem with this approach is that the
> > JMXConnector.doStart() can not wait for the listener class to start the JMX
> > server. So, the JMX server will be started only after the
> > JMXConnector.doStart() has completed. If the JMX server startup fails in
> > the collection listener, there is no way to make the JMXConnector GBean fail
> > at startup (as it has already started successfully!!). Another problem is
> > that if the configured keystore does not exist, the collection listener will
> > never know about it and the JMX server will not start.
> >
> > Both the patches are attached in the JIRA. Please comment on these two
> > approaches and suggest any improvements that I may have missed out.
