Securing JConsole to Application Server Connection

There are subtle differences in how to connect to Enterprise Server, or any JMX Connector Server end, based on the transport layer security of the connection. If the server end is secure (guarantees transport layer security), there is a little more configuration to be performed on the client end.

• By default, the developer profile of Enterprise Server is configured with a non-secure System JMX Connector Server.

• By default, cluster and enterprise profiles of Enterprise Server are configured with a secure System JMX Connector Server.

• The protocol used for communication is RMI/JRMP. If security is enabled for the JMX Connector, the protocol used is RMI/JRMP over SSL.

  ---

  Note –

  RMI over SSL does not provide additional checks to ensure that the client is talking to the intended server. Thus, there is always a possibility, while using JConsole, that you are sending the user name and password to a malicious host. It is completely up to the administrator to make sure that security is not compromised.

  ---

When you install a developer profile domain on a machine such as appserver.sun.com, you will see the following in the Domain Administration Server (DAS) domain.xml file:

<!- – The JSR 160 "system-jmx-connector" – –><jmx-connector accept-all="false" address="0.0.0.0" auth-realm-name="admin-realm" enabled="true" name="system" port="8686" protocol="rmi_jrmp" security-enabled="false"/><!- – The JSR 160 "system-jmx-connector" – –>

The security-enabled flag for the JMX Connector is false. If you are running the cluster or enterprise profile, or if you have turned on security for the JMX Connector in the developer profile, this flag is set to true.

<!- – The JSR 160 "system-jmx-connector" – –><jmx-connector accept-all="false" address="0.0.0.0" auth-realm-name="admin-realm" enabled="true" name="system" port="8686" protocol="rmi_jrmp" security-enabled="true"/>...</jmx-connector><!- – The JSR 160 "system-jmx-connector" – –>