
JMX with SSL

Posted: Tue Jun 15, 2021 12:42 am
by deek
Hi

We saw this in the forum
https://support.nagios.com/forum/viewto ... 6&start=20

We are trying to use check_jmx for one of our Spring Boot servers. We made the connection between Nagios and the Spring Boot server.

On the target server, the keystore and truststore have been generated. On the Nagios side, we have CA certs; we are not sure if Java is mandatory on the Nagios side as well.

This is on the target side:
#!/bin/bash
java \
-Xms${minheap} \
-Xmx${maxheap} \
${custom1} \
${custom2} \
${custom3} \
${custom4} \
${custom5} \
-Dcom.sun.management.jmxremote.port=`expr ${PORT} + 2000` \
-Dcom.sun.management.jmxremote.ssl=true \
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true \
-Djavax.net.ssl.keyStore=/usr/local/global/keystore.jks \
-Djavax.net.ssl.keyStorePassword=password \
-Djavax.net.ssl.trustStore=/usr/local/java/openjdk8/lib/security/cacerts \
-Djavax.net.ssl.trustStorePassword=password \
-Dlogging.file=${log_file} \
-Dserver.port=${PORT} \
-jar ${app_jar}


Should we be using the target server's keystore.jks in Nagios, or should we create separate certs using keytool or something? Currently in our Nagios instance we have CA certs based on the setup below, which were generated on the Nagios server based on this document (https://support.nagios.com/kb/article/n ... .html#RHEL).

/usr/local/nagiosxi/var/certs/nagiosxi.crt
/usr/local/nagiosxi/var/certs/nagiosxi.key

What should we do from our Nagios server to make the SSL connection with the target Spring Boot server?

Let us know which files/data you would need to validate.

Below is the result without SSL.

[account@lxappxxxx ~]$ /usr/local/nagios/libexec/check_jmx -a '-U service:jmx:rmi:///jndi/rmi://172.29.xxx.xx:8181/jmxrmi -O java.lang:type=Memory -A HeapMemoryUsage -K used -I HeapMemoryUsage -J used -vvvv -w 4248302272 -c 5498760192'

JMX OK HeapMemoryUsage.used=54811264{committed=134217728;init=134217728;max=268435456;used=54811264} | committed=134217728; init=134217728; max=268435456; used=54811264;

Re: JMX with SSL

Posted: Tue Jun 15, 2021 11:25 am
by mcapra
deek wrote: What should we do from our Nagios server to make the SSL connection with the target Spring Boot server?
With com.sun.management.jmxremote.ssl.need.client.auth=true, the truststore your Spring Boot app has loaded would need to trust the certificate presented by check_jmx/JMXQuery.

You could just copy the entire truststore loaded by your Spring Boot app to your Nagios XI machine and plug it into javax.net.ssl.trustStore as demonstrated in my post I would think. Might be wrong; haven't really gotten into the weeds with Java SSL stuff in a few years, and every time I do the Google rabbit-hole is vague at best.
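
An added example, not written by any poster in this thread: a shell check that reads the target JVM's JMX options and lists which stores the monitoring-side JVM has to supply, along with exposure notes. The function names and the sample option list are constructed for illustration; the property names are the standard JDK ones, and the advice that the client use its own key pair is this example's assumption.

```sh
#!/bin/sh
# Added example: from a target JVM's JMX options, list what the monitoring-side
# JVM (the one check_jmx starts) has to supply, plus exposure notes.

# Constructed sample: the JMX/SSL options from the launch script in this thread.
SAMPLE_OPTS='-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.keyStore=/usr/local/global/keystore.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=/usr/local/java/openjdk8/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=password'

# prop NAME: print the value of -DNAME=value found in $OPTS (last one wins).
prop() {
    printf '%s\n' "$OPTS" | tr ' ' '\n' |
        awk -v k="-D$1=" 'index($0, k) == 1 { v = substr($0, length(k) + 1) } END { print v }'
}

# jmx_client_requirements: reads server JVM options on stdin, prints findings.
jmx_client_requirements() {
    OPTS=$(cat)
    jmx=com.sun.management.jmxremote
    # The JDK default for jmxremote.ssl is true, so only an explicit false disables it.
    if [ "$(prop "$jmx.ssl")" = "false" ]; then
        echo "WARN: $jmx.ssl=false; JMX traffic is unencrypted and no client stores apply"
        return 0
    fi
    echo "NEED: client javax.net.ssl.trustStore that trusts the issuer of the certificate in $(prop javax.net.ssl.keyStore)"
    if [ "$(prop "$jmx.ssl.need.client.auth")" = "true" ]; then
        echo "NEED: client javax.net.ssl.keyStore with its own key pair, whose certificate or CA is in $(prop javax.net.ssl.trustStore)"
    fi
    if [ "$(prop "$jmx.registry.ssl")" != "true" ]; then
        echo "NOTE: $jmx.registry.ssl is not true; the RMI registry lookup itself is not TLS-protected"
    fi
    for p in keyStorePassword trustStorePassword; do
        if [ -n "$(prop "javax.net.ssl.$p")" ]; then
            echo "WARN: javax.net.ssl.$p is a -D argument; local users can read it from the process list"
        fi
    done
    return 0
}

printf '%s\n' "$SAMPLE_OPTS" | jmx_client_requirements
```

Option values containing spaces are not handled; the input is split on whitespace.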

Re: JMX with SSL

Posted: Tue Jun 15, 2021 6:05 pm
by ssax
Thanks @mcapra!

That looks to be what's required in order to get it to use the certs.

@deek, let us know if that works for you.