Kerberos Authentication / Authorization support on JMX Client / Server running Java 6

I have a JMX server that registers beans read from a local file and makes them available to other JMX clients upon request. Access to the server can be obtained either using "jconsole" or using a Java application running in the Tomcat container.

I want to add authentication to prevent the "unknown" identifier from accessing the JMX server. For this, I added Kerberos authentication on the server using the following JVM options:

    -Dcom.sun.management.jmxremote=true
    -Dcom.sun.management.jmxremote.port=5555
    -Dcom.sun.management.jmxremote.authenticate=true
    -Dcom.sun.management.jmxremote.ssl=false
    -Djava.security.auth.login.config=./conf/jaas.conf
    -Djava.security.krb5.conf=./conf/krb5.conf
    -Dcom.sun.management.jmxremote.login.config=MyKrbAuth
    -Ddynamic.mbean.store=./conf/mbeans
    -Djava.net.preferIPv4Stack=true

My jaas.conf looks like this:

    MyKrbAuth {
        com.sun.security.auth.module.Krb5LoginModule required debug=true debugNative=true;
    };

When I start my JMX server with the above configuration and try to connect to it using "jconsole", I get the following exception on the client side and the connection does not work:

    Cipher: Crypto Permission check failed
    Cipher: granted: (CryptoPermission * 128)
    Cipher: requesting: (CryptoPermission AES 256)

    [java] [STARTED] Mbean Server
    [java] Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    [java] [Krb5LoginModule] user entered username: username
    [java]
    [java] Acquire TGT using AS Exchange
    [java] principal is user@localhost.com
    [java] EncryptionKey: keyType=3 keyBytes (hex dump)=0000: FD 46 7C 02 19 9B 34 E9
    [java] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: FD 46 7C 02 19 9B 34 E9
    [java] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: FE 6D 82 01 8A D7 AB 60   98
    [java] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 89 02 31 5D F7 5B 3E 89   BC F7 8A 01 A1 80 C7
    [java] EncryptionKey: keyType=17 keyBytes (hex dump)=0000: A5 67 71 17 F6 57 A9 26   01 09 B1 EB 75 46 6C
    [java]
    [java] Commit Succeeded
    [java]

, ( AES256).. ??

+5
3
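
Added example, not part of the original question or its answers: a small Java diagnostic for the `granted: (CryptoPermission * 128)` / `requesting: (CryptoPermission AES 256)` lines in the log above. The class name and the enctype table are this example's own; run it once with the JRE that launches jconsole and once with the JRE that runs the JMX server.

```java
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added diagnostic, not code from the original post.
public class KrbEtypePolicyCheck {

    // Kerberos enctype number, RFC name, JCE algorithm, effective key length in bits.
    // 1, 3, 16, 17 and 23 are the keyType values in the Krb5LoginModule debug output;
    // 18 is the AES-256 enctype, the key size named in "requesting: (CryptoPermission AES 256)".
    static final Object[][] ETYPES = {
        { 1, "des-cbc-crc",             "DES",     56 },
        { 3, "des-cbc-md5",             "DES",     56 },
        {16, "des3-cbc-sha1-kd",        "DESede", 168 },
        {17, "aes128-cts-hmac-sha1-96", "AES",    128 },
        {18, "aes256-cts-hmac-sha1-96", "AES",    256 },
        {23, "rc4-hmac",                "RC4",    128 },
    };

    // True when the installed JCE jurisdiction policy allows this key length.
    static boolean permitted(String alg, int bits) throws Exception {
        return Cipher.getMaxAllowedKeyLength(alg) >= bits;
    }

    // Confirms the policy answer by initialising a cipher with a 256-bit
    // all-zero key. This is a probe only; nothing is encrypted.
    static boolean aes256InitWorks() throws Exception {
        try {
            Cipher.getInstance("AES/CBC/NoPadding").init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(new byte[32], "AES"), new IvParameterSpec(new byte[16]));
            return true;
        } catch (InvalidKeyException e) { // "Illegal key size" under the 128-bit policy
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (Object[] e : ETYPES) {
            String alg = (String) e[2];
            int bits = (Integer) e[3];
            System.out.printf("etype %2d %-24s %-6s %3d bits: %s%n", e[0], e[1], alg, bits,
                    permitted(alg, bits) ? "permitted" : "BLOCKED by JCE policy");
        }
        System.out.println("AES-256 cipher init: " + (aes256InitWorks() ? "ok" : "fails"));
    }
}
```

If etype 18 is reported as blocked, that JRE is running with the default 128-bit JCE policy, which matches the permission check failure shown in the question.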

. / Kerberos / JMX.

Kerberos @JMX,

  • = >

    -Dcom.sun.management.jmxremote=true
    -Dcom.sun.management.jmxremote.port=<port_no>
    -Dcom.sun.management.jmxremote.authenticate=true
    -Dcom.sun.management.jmxremote.ssl=false
    -Djava.security.auth.login.config=<location_of_jaas.conf>
    -Djava.security.krb5.conf=<location_of_krb5.conf>
    -Dcom.sun.management.jmxremote.login.config=<name_of_login_config_to_be_used>
    -Djava.net.preferIPv4Stack=true
    
  • $JAVA_HOME/jre/lib/management/jmxremote.access. , / JMX jmxremote.access. .access jvm arg

    -Dcom.sun.management.jmxremote.access.file=<access_control_file>
    

Kerberos @JMX Client (jconsole)

  • jconsole debug

    jconsole -J-Djava.security.debug=all
    
  • - AES256, , $JAVA_HOME/jre/Library//. [ Mark .]

Kerberos JMX, JMX

, jconsole, logging.properties file = >

handlers = java.util.logging.ConsoleHandler
.level = INFO
java.util.logging.ConsoleHandler.level = FINEST
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
# Use FINER or FINEST for javax.management.remote.level - FINEST is very verbose...
javax.management.level = FINEST
javax.management.remote.level = FINER

jconsole

jconsole -J-Djava.util.logging.config.file=<location_of_logging.properties>
+3

( Java 6, . java.oracle.com ) Java. Java , AES256 (- , /). .

+3

Kerberos, jconsole. , com.sun.management.jmxremote.ssl = false.

jconsole, ? , :

kinit user
Password for user@REALM:
New ticket is stored in cache file C:\Users\user\krb5cc_user

jconsole /?

0
