Appendix D JMX Support

Message Queue includes support for Java-based client programs to configure and monitor Message Queue resources, such as message brokers, connections, and destinations, programmatically by means of the Java Management Extensions (JMX) application programming interface. Use of the JMX API from the client side is fully described in the Message Queue Developer’s Guide for JMX Clients. This appendix describes the administrative features provided to support such use.

Broker Properties for JMX Support

Broker configuration properties that support JMX are listed in Table 14–11. None of these properties can be set from the command line with the Message Queue Command utility (imqcmd). Instead, they can either be set at broker startup with the -D option of the Broker utility (imqbrokerd) or edited by hand in the broker's instance configuration file (config.properties). In addition, as described below, some of these properties can be set with corresponding Broker utility options.

The imq.jmx.connector.list property defines a set of named JMX connectors to be created at broker startup; imq.jmx.connector.activelist specifies which of these are to be activated. Each named connector then has its own set of properties:

   imq.jmx.connector.connectorName.urlpath
   imq.jmx.connector.connectorName.useSSL
   imq.jmx.connector.connectorName.brokerHostTrusted

By default, two JMX connectors are created, named jmxrmi and ssljmxrmi; the second is configured to use Secure Socket Layer (SSL) encryption (imq.jmx.connector.ssljmxrmi.useSSL = true), while the second is not (imq.jmx.connector.jmxrmi.useSSL = false). By default, only the jmxrmi connector is activated at broker startup; seeSSL Support for JMX Clients, below, for information on how to activate the ssljmxrmi connector for secure communications.

Message Queue’s JMX connectors use remote method invocation (RMI) as the infrastructure for communicating between client and server. The broker properties imq.jmx.rmiregistry.start and imq.jmx.rmiregistry.use specify whether to start a local RMI registry at broker startup or use an external registry. The imq.jmx.rmiregistry.port property specifies the port number for the RMI registry. For convenience, these properties can also be specified by using equivalent Broker utility (imqbrokerd) options at broker startup: -startRmiRegistry, -useRmiRegistry, and -rmiRegistryPort, respectively (see Table 13–1).

The Command utility (imqcmd) subcommand list jmx displays a list of JMX service URLs of JMX connectors created and started at broker startup. This information is needed by JMX clients that do not use the Message Queue convenience class AdminConnectionFactory to obtain their JMX connectors, and can also be used for managing or monitoring Message Queue via a generic JMX browser such as the Java Monitoring and Management Console (jconsole).

SSL Support for JMX Clients

As mentioned above, a Message Queue message broker is configured by default for insecure communication using the preconfigured JMX connector jmxrmi. Applications wishing to use the Secure Socket Layer (SSL) for secure communication must activate the alternate, secure JMX connector, ssljmxrmi, using the procedure shown below.

On the client side, the administrator connection factory (AdminConnectionFactory) must be configured with a URL specifying ssljmxrmi as the preferred connector:

   AdminConnectionFactory  acf = new AdminConnectionFactory();
   acf.setProperty(AdminConnectionConfiguration.imqAddress,
                   "mq://myhost:7676/ssljmxrmi");

If needed, use the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword to point the JMX client to the trust store.

Configuring JMX for SSL operation requires the following steps:

Configuring JMX for SSL Operation

1. Obtain and install a signed certificate.

   The procedure is the same as for the ssljms, ssladmin, or cluster connection service, as described under Using Signed Certificates.

2. Install the root certification authority certificate in the trust store if necessary.

3. Add the ssljmxrmi connector to the list of JMX connectors to be activated at broker startup:

      imq.jmx.connector.activelist=jmxrmi,ssljmxrmi
   

4. Start the broker.

   Use the Message Queue Broker utility (imqbrokerd, either passing it the key store password in a password file or typing it from the command line when prompted.

5. Disable validation of certificates if necessary.

   By default, the ssljmxrmi connector (or any other SSL-based connector) is configured to validate all broker SSL certificates presented to it. Validation will fail if the signer of the certificate is not in the client's trust store. To avoid this validation (for instance, when using self-signed certificates during software testing), set the broker property imq.jmx.connector.ssljmxrmi.brokerHostTrusted to true.