Re: JMX Access?

[Jerry Malcolm]

The way I understand tunneling, with SSH tunneling, I am technically 
connecting locally.   I use PuTTY on my local machine.  But I set up a 
secure tunnel to port 9999 on the remote host.  When I connect to 
localhost:9999 on my machine it's the same as connecting to 
localhost:9999 on the target machine.  As long as the tunnel is secure 
(SSL), there's no outside access to JMX.   At least that's the way the 
videos explain it for accessing remote Tomcat via a PuTTY tunnel.  And 
Tomcat access works.   Is the exception in James startup log stating 
that the connection is refused ok to ignore.  Seems that's not a good 
thing.

On 9/26/2019 12:40 AM, Tellier Benoit wrote:
Hi Jerry,
You need to be aware James restrict JMX access to localhost.

As you know, the James command line is currently using JMX.

JMX is known-to-be unsecure: read
https://www.cvedetails.com/cve/CVE-2017-12628/ for instance. Exposing
JMX only to localHost is a mitigation.

Could this be the root of your JMX problem?

On 26/09/2019 12:03, Jerry Malcolm wrote:
[...]> So I decided to use JMX to see if there were any
MBeans exposed that might help me figure out why there is no logging.
And, of course with the way everything else has gone, I can't connect to
James JMX.  JConsole will not connect.  It works fine accessing Tomcat
using the same approach. But nothing with James.  I'm using a PuTTY
tunnel directly to the Amazon EC2 instance.

I went back to an absolute pristine install of JAMES 3.3.0 right out of
the downloaded zip file.  I made absolutely zero changes to the
install/config.  Just unpack and run.  No JMX access with out-of-the-box
James either.  JConsole hangs for about a minute, and gives me an error
that it can't connect.

Then I made one change to log4j.properties and bumped everything to
DEBUG.  Thankfully, the one log file that actually works in this release
is James-server.log.  I see the following error when James is apparently
starting up JMX.  The 172.31.... IP address it's failing on is my EC2
public IP.  But the jmx.properties file says to connect to
127.0.0.1:9999.  I never explicitly configured the 172.31... address
anywhere in James.

What's causing this:

INFO  04:29:47,638 |
org.springframework.remoting.rmi.RmiRegistryFactoryBean | Looking for
RMI registry at port '9999', using custom socket factory
DEBUG 04:29:47,642 |
org.springframework.remoting.rmi.RmiRegistryFactoryBean | RMI registry
access threw exception
java.rmi.ConnectException: Connection refused to host: 172.31.32.236;
nested exception is:
         java.net.ConnectException: Connection refused (Connection refused)
         at
sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:619)
         at
sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
         at
sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
         at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:338)
         at
sun.rmi.registry.RegistryImpl_Stub.list(RegistryImpl_Stub.java:85)
         at
org.springframework.remoting.rmi.RmiRegistryFactoryBean.testRegistry(RmiRegistryFactoryBean.java:281)

         at
org.springframework.remoting.rmi.RmiRegistryFactoryBean.getRegistry(RmiRegistryFactoryBean.java:222)

         at
org.springframework.remoting.rmi.RmiRegistryFactoryBean.getRegistry(RmiRegistryFactoryBean.java:193)

         at
org.springframework.remoting.rmi.RmiRegistryFactoryBean.afterPropertiesSet(RmiRegistryFactoryBean.java:164)

         at
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1573)

         at
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1511)

         at
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519)

         at
org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)

         at
org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:293)

         at
org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)

         at
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:290)

         at
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:191)

         at
org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:283)

         at
org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:191)

         at
org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:620)

         at
org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:942)

         at
org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:482)

         at
org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:139)

         at
org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:93)

         at
org.apache.james.container.spring.context.JamesServerApplicationContext.<init>(JamesServerApplicationContext.java:40)

         at
org.apache.james.app.spring.JamesAppSpringMain.init(JamesAppSpringMain.java:56)

         at
org.apache.james.app.spring.JamesAppSpringMain.main(JamesAppSpringMain.java:42)

Caused by: java.net.ConnectException: Connection refused (Connection
refused)
         at java.net.PlainSocketImpl.socketConnect(Native Method)
         at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)

         at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)

         at
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
         at java.net.Socket.connect(Socket.java:589)
         at java.net.Socket.connect(Socket.java:538)
         at java.net.Socket.<init>(Socket.java:434)
         at java.net.Socket.<init>(Socket.java:211)
         at
org.apache.james.util.RestrictingRMISocketFactory.createSocket(RestrictingRMISocketFactory.java:65)

         at
sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613)
         ... 26 more


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org