To Activate the SSL-Based JMX connector

1. Obtain and install a signed certificate.

   The procedure is the same as for the ssljms, ssladmin, or cluster connection service, as described under Using Signed Certificates.

2. Install the root certification authority certificate in the trust store if necessary.
3. Add the ssljmxrmi connector to the list of JMX connectors to be activated at broker startup: imq.jmx.connector.activelist=jmxrmi,ssljmxrmi
4. Start the broker.

   Use the Broker utility (imqbrokerd), either passing it the keystore password in a passfile or typing it from at the command line when prompted.

5. Disable validation of certificates if desired.

   By default, the ssljmxrmi connector (or any other SSL-based connector) is configured to validate all broker SSL certificates presented to it. Validation will fail if the signer of the certificate is not in the client's trust store. To avoid this validation (for instance, when using self-signed certificates during software testing), set the broker property imq.jmx.connector.ssljmxrmi.brokerHostTrusted to true.

JMX Client Side SSL Configuration

On the client side, if the AdminConnectionFactory class is being used to obtain a JMX connector, the AdminConnectionFactory object must be configured with a URL specifying the ssljmxrmi connector:

AdminConnectionFactory  acf = new AdminConnectionFactory();
   acf.setProperty(AdminConnectionConfiguration.imqAddress,
                   "mq://myhost:7676/ssljmxrmi");

In addition, if the JMX client needs to access the trust store, use the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to point the JMX client to the trust store. For example:

java -Djavax.net.ssl.trustStore=/tmp/myStrustsore -Djavax.net.ssl.trustStorePassword=myTurstword MyApp

JMX Connections Through a Firewall

If a JMX client application needs to connect to a broker that is located behind a firewall, the broker must be configured to use fixed JMX ports so the firewall can, in turn, be configured to allow traffic on these ports. The relevant ports are the following:

• The port used by the JMX connector. The property used to configure this port is imq.jmx.connector.connectorName.port, where connectorName can be jmxrmi or ssljmxrmi.

• The port used by the RMI registry, if any. The property used to configure this port is imq.jmx.rmiregistry.port. The equivalent command line option for imqbrokerd is -rmiRegistryPort.

Once these ports are specified, configure the firewall to allow traffic on these ports.

Example D-3 JMX Configuration for Firewall When Not Using a RMI Registry

The following example starts a broker with no RMI registry and a jmxrmi connector on port 5656 on a host called yourhost, as follows:

# imqbrokerd -Dimq.jmx.connector.jmxrmi.port=5656

The resulting JMX service URL is:

service:jmx:rmi://yourhost:5656/stub/rO0ABdmVyLlJlpIDJy==

The JMX service URL shows the connector port. In this case, you need to configure the firewall to allow traffic only on port 5656.

Example D-4 JMX Configuration for Firewall When Using an RMI Registry

The following example starts a broker with an RMI registry on port 1098 and a jmxrmi connector on port 5656 on a host called yourhost, as follows:

# imqbrokerd -startRmiRegistry -rmiRegistryPort 1098 -Dimq.jmx.connector.jmxrmi.port=5656

The resulting JMX service URL is:

 service:jmx:rmi://yourhost:5656/jndi/rmi://yourhost:1098
                 /yourhost/7676/jmxrmi

The JMX service URL shows both these ports. You need to configure the firewall to allow traffic on ports 1098 and 5656.