N4 uses Java Management Extensions (JMX) to enable you to monitor memory usage and also provides other diagnostic information through MBeans. You can monitor JMX locally on the server or remotely from another server. Remote JMX monitoring can potentially allow unauthorized access to your N4 application. Navis recommends protecting your remote JMX monitoring by enabling the Secure Sockets Layer (SSL) with a server side keystore certificate, along with user authentication.
You can set up this feature manually or through the N4 installer on each N4 node.
Follow the steps below to enable SSL for remote JMX monitoring:
1. Create the password and access files.
2. Update the Java Options for the N4 service.
3. Configure your monitoring tool to use SSL.
Step 1: Create the password and access files
The password and access files control security for remote monitoring and management. You define a role as an entry in both the password and the access files.
The password file defines the different roles and their passwords.
The access control file defines the permitted access for each role. The access level is either readonly or readwrite.
To create the password and access files:
In the conf directory (default location C:\ProgramData\Navis\[node]\conf), create the password file. Add the passwords for the roles defined in the access file.
password.properties
monitorRole password1
controlRole password2
Create the access file. The access file defines roles and their access levels. By default, the access file defines the two following primary roles:
monitorRole which grants read-only access for monitoring.
controlRole which grants read-write access for monitoring and management.
An access control entry consists of a role name and an associated access level. The role name cannot contain spaces or tabs and must correspond to an entry in the password file. The access level can be either one of the following:
readonly: grants access to read an MBean's attributes. For monitoring, this means that a remote client in this role can read measurements but cannot perform any action that changes the environment of the running program. The remote client can also listen to MBean notifications.
readwrite: grants access to read and write an MBean's attributes, to invoke operations on them, and to create or remove them. This access should be granted to only trusted clients, since they can potentially interfere with the operation of an application.
access.properties
monitorRole readonly
controlRole readwrite
Restrict access on the password file. The JVM requires the password file to have restricted access in order to help protect the confidential passwords contained in it. You must ensure that only the owner has read and write permissions on this file, since it contains the passwords in clear text. For security reasons, the system checks that the file is readable only by the owner and exits with an error if it is not.
Windows:
a. In Windows Explorer, right-click the file and navigate to Properties > Security > Advanced.
b. Disable inheritance.
c. Select all the users except your user, and click Remove.
d. Ensure your user has Full Control.
Linux: Set the file permissions using this command:
chmod 600 password.properties
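The JVM refuses to start the JMX agent if the two files disagree with each other or if the password file is readable by anyone but its owner, and the resulting error only appears in the service log. The following pre-flight check is an added example (not Navis code) that can be run against the conf directory before restarting the service: it parses both files, confirms that every role appears in both, that each access level is readonly or readwrite, and, on Linux, that the password file carries no permissions beyond the owner's read and write bits. The conf directory is passed on the command line; the file names are the ones used above.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: consistency check for password.properties and access.properties.
// Usage: java JmxFileCheck C:\ProgramData\Navis\[node]\conf   (or /path/to/conf on Linux)
public class JmxFileCheck {

    // Parse "role value" lines; blank lines and '#' comments are ignored.
    // The role name is the first whitespace-delimited token, so a name containing
    // spaces or tabs cannot be represented, exactly as the JVM requires.
    static Map<String, String> parse(Path file) throws IOException {
        Map<String, String> entries = new LinkedHashMap<>();
        for (String raw : Files.readAllLines(file)) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            String[] parts = line.split("\\s+", 2);
            if (parts.length != 2) throw new IOException("malformed line in " + file + ": " + raw);
            entries.put(parts[0], parts[1].trim());
        }
        return entries;
    }

    static List<String> check(Path confDir) throws IOException {
        List<String> problems = new ArrayList<>();
        Path pw = confDir.resolve("password.properties");
        Path ac = confDir.resolve("access.properties");
        Map<String, String> passwords = parse(pw);
        Map<String, String> access = parse(ac);

        // Every role must be defined in both files, with one of the two access levels the JVM accepts.
        for (Map.Entry<String, String> e : access.entrySet()) {
            String role = e.getKey();
            String level = e.getValue();
            if (!passwords.containsKey(role))
                problems.add("role " + role + " in access file has no entry in password file");
            if (!level.equals("readonly") && !level.equals("readwrite"))
                problems.add("role " + role + " has invalid access level '" + level + "'");
        }
        for (String role : passwords.keySet()) {
            if (!access.containsKey(role))
                problems.add("role " + role + " in password file has no entry in access file");
        }

        // On POSIX systems the JVM exits if group or others can read the password file (chmod 600).
        // On Windows the JVM checks the ACL instead, which this example does not inspect.
        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(pw);
            for (PosixFilePermission p : perms) {
                if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE)
                    problems.add("password file grants " + p + "; run chmod 600 " + pw);
            }
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        Path confDir = Paths.get(args.length > 0 ? args[0] : "conf");
        List<String> problems = check(confDir);
        if (problems.isEmpty()) {
            System.out.println("password.properties and access.properties are consistent");
        } else {
            problems.forEach(p -> System.out.println("PROBLEM: " + p));
            System.exit(1);
        }
    }
}
```

Run it as the same account that runs the N4 service, since that is the owner the JVM compares against when it checks the password file.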
Next step(s):
Step 2: Update the Java Options for the N4 service
Step 2: Update the Java Options for the N4 service
The Java options for the N4 Tomcat service need to be updated so that the JVM requires authentication and SSL for remote JMX connections and knows where the password and access files are.
To update the Java Options (in Windows):
On the N4 node, find the Tomcat service (for example, n4clusterw.exe). (The default location is C:\Program Files\Navis\sparcsn4\bin.)
Right-click on the file and select 'Run as administrator.'
Select the Java tab. Under Java Options, add the following:
-Dcom.sun.management.jmxremote.port=9019 (the JMX port for N4)
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.access.file=<conf-path>/access.properties
-Dcom.sun.management.jmxremote.password.file=<conf-path>/password.properties
Click OK.
Restart the N4 service.
Next step(s):
Step 3: Configure your monitoring tool to use SSL
Step 3: Configure your monitoring tool to use SSL
After you have enabled remote JMX security, remote JMX clients must connect using SSL and supply credentials, as specified by JSR-160 (https://www.jcp.org/en/jsr/detail?id=160). For each client application that you use for JMX monitoring, check the documentation provided by the application vendor.
JConsole: http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
JVisualVM: http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
Hyperic: http://pubs.vmware.com/hyperic-58/topic/com.vmware.hyperic.install.config.doc/GUID-554EF776-D5D2-4C88-A956-0D405D413053.html
Zabbix: https://www.zabbix.com/documentation/3.2/manual/config/items/itemtypes/jmx_monitoring
Example for JConsole:
jconsole -J-Djavax.net.ssl.trustStore=c:/temp/170816-jmx-security/cacerts.jks -J-Djavax.net.ssl.trustStorePassword=jmxpass
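For a scripted check rather than an interactive tool, the same JSR-160 connection can be made from a small Java program. The following is an added example, not Navis code, of a client that connects to a node secured as in steps 1 and 2 and reads the heap usage that the opening paragraph refers to. The port and the monitorRole credentials are those used in the text; the host name, truststore path and truststore password are assumptions and must be replaced with the real values. Because monitorRole is readonly, the JVM rejects any attempt by this client to invoke MBean operations or set attributes, which is the separation the two-role setup is meant to give you.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.MemoryMXBean;
import java.lang.management.MemoryUsage;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

// Added example: JSR-160 client for an N4 node with jmxremote.ssl=true and authenticate=true.
public class N4JmxClient {

    // Connect with a role/password pair and return the current heap usage.
    public static MemoryUsage readHeap(String host, int port, String role, String password)
            throws Exception {
        // With jmxremote.ssl=true the server's connector stub carries an SslRMIClientSocketFactory,
        // so the client only needs a truststore holding the server certificate (set in main below).
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        // Credentials are checked by the JVM against password.properties; the role's
        // access level comes from access.properties.
        env.put(JMXConnector.CREDENTIALS, new String[] { role, password });
        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            MemoryMXBean memory = ManagementFactory.newPlatformMXBeanProxy(
                mbsc, ManagementFactory.MEMORY_MXBEAN_NAME, MemoryMXBean.class);
            return memory.getHeapMemoryUsage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Same settings as the -J-D options passed to jconsole above (assumed path and password).
        System.setProperty("javax.net.ssl.trustStore", "c:/temp/170816-jmx-security/cacerts.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "jmxpass");
        String host = args.length > 0 ? args[0] : "n4-node.example.com"; // assumed host name
        MemoryUsage heap = readHeap(host, 9019, "monitorRole", "password1");
        System.out.printf("heap used %d MB of %d MB committed%n",
            heap.getUsed() >> 20, heap.getCommitted() >> 20);
    }
}
```

If the connection fails with an SSL handshake error, the truststore does not contain the certificate from the server-side keystore; if it fails with a SecurityException, the role or password does not match the entries in the two files.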