Configuring the eG Manager's JMX with Security (SSL)

This involves the following broad steps:

  1. Obtaining an SSL certificate

  2. Enabling SSL support for the eG manager's JMX

  3. Protecting the SSL certificate password from unauthorized access

The sub-sections below will elaborate on each of these steps.

Obtaining an SSL Certificate

If the eG manager being monitored is already SSL-enabled, then you can use the same certificate for enabling SSL support for JMX.

On the other hand, if the eG manager in question is not SSL-enabled, then you should obtain an SSL certificate using one of the following ways:

  1. Obtain a signed certificate from an internal certifying authority (e.g., Microsoft Active Directory Certificate Services), (OR)

  2. Obtain a signed certificate from a valid, external certifying authority (e.g., Verisign)

If you pick option 1, then refer to the Obtaining an SSL Certificate Signed by an Internal Certifying Authority (CA) topic of this document. On the other hand, if you opt for option 2, then refer to the Obtaining Certificate from External Certifying Authority section.

Enabling SSL Support for eG Manager's JMX

To achieve this, do the following:

  1. Log in to the system hosting the eG manager.

  2. Edit the management.properties file in the <JAVA_HOME>\jre\lib\management folder (on Windows; on Unix, this will be the /opt/jre/lib/management folder).

  3. You will find the following code block in the file, by default:

    com.sun.management.jmxremote.port=13600

    com.sun.management.jmxremote.authenticate=false

    com.sun.management.jmxremote.ssl=false

    com.sun.management.jmxremote.ssl.config.file=c:/egurkha/manager/ssl.properties

  4. To enable security (SSL), first, set the com.sun.management.jmxremote.ssl entry in the code block above to true. Then, specify the full path to the ssl.properties file against the com.sun.management.jmxremote.ssl.config.file entry in the code block. This file contains the name and password of the certificate keystore, which holds the SSL certificate used for SSL-enabling JMX. The details stored in the ssl.properties file are used to establish a secure (SSL) JMX connection with the eG manager's JRE. Typically, this file will be available in the <EG_MANAGER_INSTALL_DIR>\manager directory (on Windows; on Unix, this will be the /opt/egurkha/manager directory). Write the path with forward slashes, as in the default entry, because a single backslash is treated as an escape character in a Java properties file. For instance, if the eG manager is installed in the D:\egurkha directory, then the last two entries of the code block above will change as shown below:

    com.sun.management.jmxremote.port=13600

    com.sun.management.jmxremote.authenticate=false

    com.sun.management.jmxremote.ssl=true

    com.sun.management.jmxremote.ssl.config.file=D:/egurkha/manager/ssl.properties

  5. Finally, save the management.properties file.

Protecting the SSL Certificate Password from Unauthorized Access

As part of the process to SSL-enable JMX, you will have to edit the ssl.properties file and configure the name and password of the certificate keystore there. Because this file contains sensitive information, you should ensure that Administrators alone have access to this file.

To achieve this, follow the steps below on a Windows manager:

  1. Log in to the system hosting the eG manager.

  2. Open the command prompt, and switch to the <EG_INSTALL_DIR>\manager directory.

  3. Then, issue the following commands one after another:

    icacls ssl.properties /setowner Administrators

    icacls ssl.properties /grant Administrators:F

    icacls ssl.properties /inheritance:r

On a Unix manager, follow the steps below to grant only Administrators access to the ssl.properties file:

  1. Log in to the system hosting the eG manager as the root user.

  2. Open the Shell prompt, and switch to the /opt/egurkha/manager directory.

  3. Then, issue the following command:

    chmod 500 ssl.properties
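
To confirm on a Unix manager that both procedures above took effect, the following added example (not part of the eG documentation or product) reads a management.properties file, checks that SSL is enabled, and checks that the ssl.properties file it points to has no group or other permission bits. The function names prop_get and audit_jmx_ssl are hypothetical, and the demo at the end runs on constructed files in a scratch directory.

```shell
#!/bin/sh
# Added example: audit the JMX SSL settings and the ssl.properties permissions.

# prop_get FILE KEY: print the value of KEY. The key is compared exactly, so
# "...jmxremote.ssl" is never confused with "...jmxremote.ssl.config.file".
prop_get() {
    awk -v k="$2" '
        { i = index($0, "="); if (!i) next
          key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (key == k) v = substr($0, i + 1) }
        END { gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v }' "$1"
}

# audit_jmx_ssl FILE: return 0 only if SSL is on and the keystore config is owner-only.
audit_jmx_ssl() {
    rc=0
    ssl=$(prop_get "$1" com.sun.management.jmxremote.ssl)
    cfg=$(prop_get "$1" com.sun.management.jmxremote.ssl.config.file)
    if [ "$ssl" != "true" ]; then
        echo "FAIL: com.sun.management.jmxremote.ssl=$ssl (expected true)"; rc=1
    fi
    if [ -z "$cfg" ] || [ ! -f "$cfg" ]; then
        echo "FAIL: ssl.config.file does not point to an existing file: '$cfg'"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    go=$(ls -ld "$cfg" | cut -c5-10)
    if [ "$go" != "------" ]; then
        echo "FAIL: $cfg is accessible beyond its owner (group/other bits: $go)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: JMX SSL enabled, $cfg restricted to owner"
    return "$rc"
}

# Demo on constructed files in a scratch directory (not a real eG installation).
demo_dir=$(mktemp -d)
printf '# constructed placeholder content\n' > "$demo_dir/ssl.properties"
cat > "$demo_dir/management.properties" <<EOF
com.sun.management.jmxremote.port=13600
com.sun.management.jmxremote.authenticate=false
com.sun.management.jmxremote.ssl=true
com.sun.management.jmxremote.ssl.config.file=$demo_dir/ssl.properties
EOF
chmod 644 "$demo_dir/ssl.properties"
audit_jmx_ssl "$demo_dir/management.properties" || echo "(flagged before chmod)"
chmod 500 "$demo_dir/ssl.properties"
audit_jmx_ssl "$demo_dir/management.properties"
rm -rf "$demo_dir"
```

On a real manager, pass the path of the management.properties file edited earlier to audit_jmx_ssl; a non-zero exit status means at least one check failed.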