secured JMX monitoring from local machine
Hi
We have a customer request for secured JMX monitoring, and they are very strict on security.
The requirements are:
JMX agent can be accessed from the local machine only, using tools like Nagios or jmxterm.
Should be password protected.
Should not expose any open port on the local network.
If we configure JMX with the RMI connector and password authentication, then the RMI port is available on the local network and a clever hacker can break it. Of course one solution can be to block this port with a local firewall or some other way to block the port for access from outside the machine.
If we use the Attach API to start and access the JMX agent, password authentication is not available.
So the question is: what is the way to enable JMX monitoring from the local machine only, with password authentication and no port exposed to the local network?
Thanks.

Comments
Is it a Linux machine? can you utilize SSH tunneling commands?
Not sure it will work.
It's a Linux machine and they access it over SSH only.
Starting the JMX agent listening on localhost only (127.0.0.1) will limit access from other hosts.
Can you say how?
Even when we set the property java.rmi.server.hostname=localhost you can still open a telnet session from other machines on the network.
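The observation above is correct: java.rmi.server.hostname only controls the host name written into the RMI stubs handed to clients; it does not change which interface the registry and RMI server sockets listen on, which is why the port stays reachable from the network. The following is an added example (not code from this thread or from jmx4perl) showing how a Java application can start its own JMX connector that binds both the RMI registry and the exported connector object to 127.0.0.1 and requires a user/password through a JMXAuthenticator. The class names, the port 8888 and the credentials pirx/secret are constructed values for the example.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.registry.LocateRegistry;
import java.rmi.server.RMIServerSocketFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.security.auth.Subject;

/** Hypothetical class name: JMX connector bound to loopback with password authentication. */
public class LoopbackJmx {

    /** Server socket factory that binds every RMI listening socket to 127.0.0.1. */
    static final class LoopbackSocketFactory implements RMIServerSocketFactory {
        @Override
        public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port, 0, InetAddress.getLoopbackAddress());
        }
        // RMI reuses a listening port only for factories that compare equal, so all
        // instances are made equivalent; this lets registry and connector share one port.
        @Override public boolean equals(Object o) { return o instanceof LoopbackSocketFactory; }
        @Override public int hashCode() { return LoopbackSocketFactory.class.hashCode(); }
    }

    /** Single user/password pair (constructed for the example; load from a protected file in practice). */
    static final class SingleUserAuthenticator implements JMXAuthenticator {
        private final String user;
        private final char[] password;
        SingleUserAuthenticator(String user, char[] password) { this.user = user; this.password = password; }

        @Override
        public Subject authenticate(Object credentials) {
            // The RMI connector passes the client's jmx.remote.credentials value as a String[2].
            if (!(credentials instanceof String[])) {
                throw new SecurityException("credentials must be a String[] {user, password}");
            }
            String[] c = (String[]) credentials;
            if (c.length != 2 || !user.equals(c[0]) || !Arrays.equals(password, c[1].toCharArray())) {
                throw new SecurityException("authentication failed");
            }
            return new Subject(true, Collections.singleton(new JMXPrincipal(user)),
                               Collections.emptySet(), Collections.emptySet());
        }
    }

    /** Starts the registry and the connector on the same loopback-only port. */
    public static JMXConnectorServer start(int port, String user, char[] password) throws IOException {
        LoopbackSocketFactory ssf = new LoopbackSocketFactory();
        // Registry socket bound to loopback via the factory (no client socket factory needed).
        LocateRegistry.createRegistry(port, null, ssf);
        Map<String, Object> env = new HashMap<>();
        // The exported RMIServer object uses the same factory, so the second RMI port is loopback-only too.
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
        env.put(JMXConnectorServer.AUTHENTICATOR, new SingleUserAuthenticator(user, password));
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi://127.0.0.1:" + port + "/jndi/rmi://127.0.0.1:" + port + "/jmxrmi");
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        cs.start();
        return cs;
    }

    public static void main(String[] args) throws Exception {
        JMXConnectorServer cs = start(8888, "pirx", "secret".toCharArray());
        JMXServiceURL url = cs.getAddress();
        Map<String, Object> clientEnv = new HashMap<>();
        // Correct credentials: read an attribute the way a local monitoring tool would.
        clientEnv.put(JMXConnector.CREDENTIALS, new String[] {"pirx", "secret"});
        try (JMXConnector c = JMXConnectorFactory.connect(url, clientEnv)) {
            Object heap = c.getMBeanServerConnection()
                .getAttribute(new ObjectName("java.lang:type=Memory"), "HeapMemoryUsage");
            System.out.println("HeapMemoryUsage = " + heap);
        }
        // Wrong credentials: the authenticator rejects the client before any MBean is reachable.
        clientEnv.put(JMXConnector.CREDENTIALS, new String[] {"pirx", "wrong"});
        try (JMXConnector c = JMXConnectorFactory.connect(url, clientEnv)) {
            System.out.println("unexpected: connected with a wrong password");
        } catch (SecurityException expected) {
            System.out.println("rejected wrong password: " + expected.getMessage());
        }
        cs.stop();
    }
}
```

While the program runs, `ss -ltnp | grep 8888` on the Linux host should list the listener as 127.0.0.1:8888 only, and a telnet attempt from another machine gets no connection, which is the check the reply above was looking for. Note that this still sends the password in the clear; that is acceptable only because the socket is confined to loopback and the operators reach the machine over SSH.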
Hope I understand correctly. Is this what you are looking for?
http://confluence.sakaiproject.org/display/QA/Remote+JVM+profiling+via+S...
http://blogs.sun.com/jmxetc/entry/jmx_connecting_through_firewalls_using
If not, be more specific.
They log in to the remote machine over SSH, and then they use some command-line tools like Nagios to monitor the JVM. So it's not JMX over SSH, it's local JMX monitoring as I understand it.
When it comes to JMX monitoring with Nagios, jmx4perl (www.jmx4perl.org) is an option.
It is an agent-based approach (with multiple available agents for multiple platforms like JEE servers or OSGi containers) and has the possibility to restrict access to certain hosts and even to certain JMX operations. It uses a configuration file like:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Sample definitions for restricting the access to the j4p-agent. Adapt this
  file and copy it over to 'restrict_access.xml', which gets evaluated during
  runtime (if included in the war).
  You can restrict the available methods in principle as well as the accessible
  attributes and operations in detail.
-->
<j4p-restrict>
  <!-- List of remote hosts which are allowed to access this agent. The name can be
       given as IP or FQDN. If any of the given hosts matches, access will be allowed
       (respecting further restrictions, though). If <remote> ... </remote> is given
       without any host no access is allowed at all (probably not what you want).
       You can also specify a subnet mask behind a numeric IP address in which case any
       host within the specified subnet is allowed to access the agent. The netmask can
       be given either in CIDR format (e.g. "/16") or as a full netmask (e.g. "/255.255.0.0")
  -->
  <remote>
    <host>127.0.0.1</host>
    <host>localhost</host>
    <!-- Example with subnet
    <host>10.0.0.0/16</host>
    -->
  </remote>
  <!-- List of allowed commands. Remove the commands you don't want to
       be called. If the section <commands> is missing completely, all
       commands are allowed -->
  <commands>
    <command>read</command>
  </commands>
  <!-- Access to the following MBeans with their attributes/operations is allowed. If the
       <mbeans> section is present, access to any MBean not mentioned there will be
       rejected. If the <mbeans> section is missing, access to all MBeans is allowed -->
  <mbeans>
    <mbean>
      <name>java.lang:type=Memory</name>
      <attribute>HeapMemoryUsage</attribute>
      <attribute mode="read">Verbose</attribute>
      <operation>gc</operation>
    </mbean>
    <mbean>
      <name>java.lang:type=Threading</name>
      <attribute>ThreadCount</attribute>
    </mbean>
  </mbeans>
</j4p-restrict>
If you deploy the agent war on a servlet container you could go even further and secure the agent like any other web application, e.g. by using username/password to secure the webapp agent or by binding only on 127.0.0.1 for serving agent requests.
...roland
Thanks a lot Roland,
actually the application is not a webapp and there's no web server involved; it's a Java application embedding an ActiveMQ broker. Does jmx4perl provide a solution for a Java application? A solution that will include: restricting access to the local machine only, user/password protection, SSL communication.
Thanks.
There is indeed a solution with the forthcoming release jmx4perl 0.65.
I already finished a JVM agent which can be used with any Java application running on a Sun JDK 6 (since it uses the integrated HttpServer).
It can be called with
java -javaagent:agent.jar:host=127.0.0.1,port=8888,user=pirx,password=secret ....
which will bind on localhost only with the given user and password. There is no SSL support, though (but it can come in a later version).
This agent is already ready; I will prepare a developer release 0.65_1 for this weekend and put it on CPAN. In the meantime you could get the source from github.com/rhuss/jmx4perl/tree/jvm-agent
... roland