Java Dynamic Management Kit 5.1 Tutorial

23.3 Legacy HTTPS Connector

The legacy HTTPS connector provides data encryption and certificate-based security through a Secure Socket Layer (SSL). The Java Secure Socket Extension (JSSE) provides an implementation of secure sockets for the Java 2 platform, Standard Edition 1.4.

The web site for the JSSE is http://java.sun.com/products/jsse. For further information and details regarding the use of the secure sockets, refer to the JSSE documentation.

The legacy HTTPS connector exposes the same interfaces as all other legacy connectors and has exactly the same behavior. The development of a management application that relies on the HTTPS connector is no different from that of any other Java dynamic manager. See 21.2 Legacy Connector Clients for details about programming with the RemoteMBeanServer API.

This section covers the steps that are required to establish a secure connection between your agent and manager applications. These instructions do not guarantee total security. They just explain the programmatic steps needed to ensure data security between two remote Java applications.

Before performing these steps, run each of your manager and agent applications on a separate host, and ensure that each host has its own installation of the Java platform (not a shared network installation).

To Establish a Secure HTTPS Connection
  1. Generate public and private keys.

    Repeat this step on all agent and manager hosts.

    Generate a key pair (a public key and associated private key).

    Wrap the public key into an X.509 v1 self-signed certificate, which is stored as a single-element certificate chain. This certificate chain and the private key are stored in a new keystore entry identified by alias.

    In the following command, the -dname parameter designates the X.500 Distinguished Name for the host where you are generating the certificates. The commonName field must be the host name.

    $ keytool -genkey -alias alias -keyalg RSA -keysize 1024 -sigalg MD5withRSA
              -dname "CN=commonName, OU=orgUnit, O=org, L=location, S=state, C=country"
              -keypass passPhrase -storetype jks -keystore yourHome/.keystore
              -storepass passPhrase

  2. Export a local certificate

    Repeat this step on all agent and manager hosts.

    Read the certificate that is associated with your alias from the keystore and store it in a hostCertFile:

    $ keytool -export -alias alias -file hostCertFile -storetype jks
              -keystore yourHome/.keystore -storepass passPhrase -rfc

    When you are done with this step, you will have a certificate for each of your hosts.

  3. Import all remote certificates

    Repeat this step on both the agent and manager hosts for all pairs of agent-managers in your management architecture.

    In this step, agent and manager pairs must exchange their certificates. The manager imports the agent's hostCertFile and the agent imports the manager's hostCertFile. If a manager has two agents, it will import two certificates and each agent will import a copy of the manager's certificate.

    Import the certificate into the file containing the trusted Certificate Authorities (CA) certificates. This will add our self-signed certificate as a trusted CA certificate to the cacerts file so that the server and the client will be able to authenticate each other.

    $ keytool -import -alias alias -file hostCertFile -noprompt -trustcacerts
              -storetype jks -keystore JAVAhome/jre/lib/security/cacerts
              -storepass changeit

    This command modifies the JAVAhome/jre/lib/security/cacerts file, which affects all applications running on that installation. If you do not want to modify this file, you can create a file named jssecacerts and use it instead. The default location of this file is either JAVAhome/lib/security/jssecacerts or, if that does not exist, JAVAhome/lib/security/cacerts.

  4. Run your Java dynamic management agent

    Start your agent applications with the following properties:

    $ java -Djavax.net.ssl.keyStore=yourHome/.keystore
           -Djavax.net.ssl.keyStoreType=jks
           -Djavax.net.ssl.keyStorePassword=passPhrase
           AgentClass

    If you are using the notification push mechanism, add the following property definition to the above command line:

    -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol

  5. Run your management application

    Start your management applications with the following properties:

    $ java -Djavax.net.ssl.keyStore=yourHome/.keystore
           -Djavax.net.ssl.keyStoreType=jks
           -Djavax.net.ssl.keyStorePassword=passPhrase
           -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
           ManagerClass
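
Before starting the agent and manager, it is worth confirming that steps 1 to 3 produced a certificate the peer will actually trust, rather than discovering the problem as an SSL handshake failure at step 4 or 5. The program below is an added example written for this page; it is not part of the Java DMK product or tutorial. It uses only standard JDK APIs (java.security.KeyStore and javax.net.ssl.TrustManagerFactory) to load the local keystore and a copy of the peer's truststore (the cacerts or jssecacerts file from step 3), asks the same PKIX trust manager that JSSE builds whether the chain stored under the alias is trusted, checks that the certificate's CN is the host name as step 1 requires, and prints the signature algorithm and RSA key size so they can be compared against the algorithm constraints of the JDK actually in use (see the jdk.certpath.disabledAlgorithms security property). The class name, the argument order and the optional host-name argument are assumptions of this example.

```java
// TrustCheck.java -- added example; not part of the Java DMK tutorial or product.
// Run on a host after steps 1-3 to confirm that the certificate under `alias`
// in the local keystore would be accepted by a peer whose trust anchors come
// from the given truststore. All arguments are assumptions of this example:
//   java TrustCheck yourHome/.keystore passPhrase alias \
//        JAVAhome/jre/lib/security/cacerts changeit [expectedHostName]
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TrustCheck {

    /** Load a keystore of the type the tutorial uses everywhere (-storetype jks). */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** The same PKIX trust manager JSSE builds from a truststore. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** True when the chain under alias would pass the peer's server-trust check. */
    static boolean chainIsTrusted(KeyStore keyStore, String alias, KeyStore trustStore)
            throws Exception {
        Certificate[] chain = keyStore.getCertificateChain(alias);
        if (chain == null) {
            System.err.println("no key entry for alias " + alias + "; repeat step 1");
            return false;
        }
        X509Certificate[] x509Chain = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            x509Chain[i] = (X509Certificate) chain[i];
        }
        try {
            // "RSA" is the key exchange type matching the -keyalg RSA of step 1.
            trustManagerFor(trustStore).checkServerTrusted(x509Chain, "RSA");
            return true;
        } catch (CertificateException e) {
            System.err.println("not trusted: " + e.getMessage() + "; repeat step 3");
            return false;
        }
    }

    /** CN from the subject DN; the tutorial requires it to be the host name. */
    static String commonName(X509Certificate cert) {
        // Simple split is enough: the DN from step 1 contains no escaped commas.
        for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
            String r = rdn.trim();
            if (r.startsWith("CN=")) {
                return r.substring(3);
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 5) {
            System.err.println("usage: TrustCheck keystore storepass alias truststore truststorepass [host]");
            System.exit(2);
        }
        KeyStore ks = loadJks(args[0], args[1].toCharArray());
        KeyStore ts = loadJks(args[3], args[4].toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        if (cert == null) {
            System.err.println("alias " + args[2] + " not found in " + args[0]);
            System.exit(1);
        }
        // What step 1 generated, for comparison with the running JDK's constraints.
        System.out.println("subject : " + cert.getSubjectX500Principal());
        System.out.println("sigalg  : " + cert.getSigAlgName());
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            System.out.println("RSA bits: "
                + ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength());
        }
        boolean ok = chainIsTrusted(ks, args[2], ts);
        if (args.length > 5 && !args[5].equalsIgnoreCase(commonName(cert))) {
            System.err.println("CN '" + commonName(cert) + "' is not the host name " + args[5]);
            ok = false;
        }
        System.out.println(ok ? "peer would accept this certificate" : "peer would reject it");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once per agent-manager pair in each direction, pointing it at the local keystore and at a copy of the other host's cacerts or jssecacerts file. A non-zero exit means the peer's trust anchors do not contain the certificate (step 3 was skipped or imported the wrong hostCertFile) or that the CN does not match the host name required in step 1.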