Hi
We saw this in the forum
https://support.nagios.com/forum/viewto ... 6&start=20
We are trying to use check_jmx for one of our springboot servers. We made the connection between nagios and springboot server.
On the target server the keystore and truststore have been generated. From nagios side, we have CA certs, we are not sure if java is mandatory on the nagios side as well.
This is on the target side
#!/bin/bash
java \
-Xms${minheap} \
-Xmx${maxheap} \
${custom1} \
${custom2} \
${custom3} \
${custom4} \
${custom5} \
-Dcom.sun.management.jmxremote.port=`expr ${PORT} + 2000` \
-Dcom.sun.management.jmxremote.ssl=true \
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true \
-Djavax.net.ssl.keyStore=/usr/local/global/keystore.jks \
-Djavax.net.ssl.keyStorePassword=password \
-Djavax.net.ssl.trustStore=/usr/local/java/openjdk8/lib/security/cacerts \
-Djavax.net.ssl.trustStorePassword=password \
-Dlogging.file=${log_file} \
-Dserver.port=${PORT} \
-jar ${app_jar}
Should we be using the target server's keystore.jks in Nagios, or should we create separate certs using keytool or something? Currently in our nagios instance we have CA certs based on the below setup, which are generated on the nagios server based on this document (https://support.nagios.com/kb/article/n ... .html#RHEL).
/usr/local/nagiosxi/var/certs/nagiosxi.crt
/usr/local/nagiosxi/var/certs/nagiosxi.key
What should we do from our nagios server to make the SSL connection with the target springboot server?
Let us know what files/data you would need to validate.
Below is the result without SSL.
[account@lxappxxxx ~]$ /usr/local/nagios/libexec/check_jmx -a '-U service:jmx:rmi:///jndi/rmi://172.29.xxx.xx:8181/jmxrmi -O java.lang:type=Memory -A HeapMemoryUsage -K used -I HeapMemoryUsage -J used -vvvv -w 4248302272 -c 5498760192'
JMX OK HeapMemoryUsage.used=54811264{committed=134217728;init=134217728;max=268435456;used=54811264} | committed=134217728; init=134217728; max=268435456; used=54811264;
JMX with SSL
Re: JMX with SSL
deek wrote: What should we do from our nagios server to make the SSL connection with the target springboot server.
With com.sun.management.jmxremote.ssl.need.client.auth=true, the truststore your Spring Boot app has loaded would need to trust the certificate presented by check_jmx/JMXQuery.
You could just copy the entire truststore loaded by your Spring Boot app to your Nagios XI machine and plug it into javax.net.ssl.trustStore as demonstrated in my post I would think. Might be wrong; haven't really gotten into the weeds with Java SSL stuff in a few years, and every time I do the Google rabbit-hole is vague at best.
Former Nagios employee
https://www.mcapra.com/
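An added example, not part of the thread and not Nagios's own tooling: one way to satisfy the trust requirement described above is to give the Nagios side its own client key pair and exchange only public certificates, so the target's private key never leaves the target. It uses self-signed certificates for brevity; every path, alias, CN and the password is a constructed placeholder.

```shell
#!/bin/sh
# Added example: separate identities for both ends of a JMX mutual-TLS link.
# All names, paths and PASS below are constructed placeholders.
set -eu
PASS='example-only-pass'
KT="keytool -J-Duser.language=en"

make_identity() {   # $1=keystore $2=alias $3=CN ; self-signed key pair
  $KT -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=$3" -storetype JKS -keystore "$1" \
      -storepass "$PASS" -keypass "$PASS"
}
export_cert() {     # $1=keystore $2=alias $3=out.pem ; public certificate only
  $KT -exportcert -rfc -alias "$2" -keystore "$1" -storepass "$PASS" -file "$3"
}
trust_cert() {      # $1=truststore $2=alias $3=cert.pem
  $KT -importcert -noprompt -alias "$2" -file "$3" -storetype JKS \
      -keystore "$1" -storepass "$PASS"
}
entry_kind() {      # $1=store $2=alias ; prints PrivateKeyEntry or trustedCertEntry
  $KT -list -alias "$2" -keystore "$1" -storepass "$PASS" 2>/dev/null |
    grep -Eo 'PrivateKeyEntry|trustedCertEntry'
}

setup_mutual_trust() {   # $1=working directory
  make_identity "$1/target-keystore.jks" target springboot.example.internal
  make_identity "$1/nagios-keystore.jks" nagios nagios.example.internal
  export_cert "$1/target-keystore.jks" target "$1/target.pem"
  export_cert "$1/nagios-keystore.jks" nagios "$1/nagios.pem"
  # need.client.auth=true: the target must trust the client certificate.
  trust_cert "$1/target-truststore.jks" nagios "$1/nagios.pem"
  # The client must trust the certificate the JMX endpoint presents.
  trust_cert "$1/nagios-truststore.jks" target "$1/target.pem"
}

# Standard JSSE properties for the JVM that check_jmx starts. How they are
# handed to that JVM depends on the plugin wrapper and is not shown here.
client_jvm_opts() {      # $1=directory holding the Nagios-side stores
  printf '%s\n' \
    "-Djavax.net.ssl.keyStore=$1/nagios-keystore.jks" \
    "-Djavax.net.ssl.keyStorePassword=$PASS" \
    "-Djavax.net.ssl.trustStore=$1/nagios-truststore.jks" \
    "-Djavax.net.ssl.trustStorePassword=$PASS"
}

if [ "${1:-}" = "demo" ]; then   # run as: sh script.sh demo
  d=$(mktemp -d); setup_mutual_trust "$d"; client_jvm_opts "$d"
fi
```

With a CA-issued setup like the one in the question, the same `trust_cert` step would import the issuing CA certificate instead of each peer's self-signed certificate.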
Re: JMX with SSL
Thanks @mcapra!
That looks to be what's required in order to get it to use the certs.
@deek, let us know if that works for you.