Securing JConsole to Application Server Connection

There are subtle differences in how to connect to Application Server, or any JMX Connector Server end based on the transport layer security of the connection. If the server end is secure (guarantees transport layer security), there is a little more configuration to be performed on the client end.

• By default, Platform Edition of Application Server has System JMX Connector Server end as insecure.

• By default, Enterprise Edition of Application Server has System JMX Connector Server end as secure.

• The protocol used for communication is RMI/JRMP. If security is enabled for the JMX Connector, the protocol used is RMI/JRMP over SSL.

  ---

  Note –

  RMI over SSL does not provide additional checks to ensure that the client is talking to the intended server. Thus, there is always a possibility, while using JConsole, that you are sending the user name and password to a malicious host. It is completely up to the administrator to make sure that security is not compromised.

  ---

When you install a Platform Edition domain on a machine such as appserver.sun.com, you will see the following in the DAS's (Domain Administration Server, the admin server or simply the domain) domain.xml:

<!- – The JSR 160 "system-jmx-connector" – –><jmx-connector accept-all="false" address="0.0.0.0" auth-realm-name="admin-realm" enabled="true" name="system" port="8686" protocol="rmi_jrmp" security-enabled="false"/><!- – The JSR 160 "system-jmx-connector" – –>

The security-enabled flag for the JMX Connector is false. If you are running the Enterprise Edition, or if you have turned on security for the JMX Connector in the Platform Edition, this flag is set to true.

<!- – The JSR 160 "system-jmx-connector" – –><jmx-connector accept-all="false" address="0.0.0.0" auth-realm-name="admin-realm" enabled="true" name="system" port="8686" protocol="rmi_jrmp" security-enabled="true"/>...</jmx-connector><!- – The JSR 160 "system-jmx-connector" – –>