Configuring JMX Security
The operations interface is based upon Java Management Extensions (JMX), which allows components of the application to be managed and monitored from JSR160 compliant consoles including jconsole or Oracle Enterprise Manager.
Refer to the Server Administration Guide and to the Batch Server Administration Guide for more details of the JMX operations interface.
By default, the JMX implementation and configuration uses the default simple file-based security as outlined in the JMX Specification.
Default Simple File-Based Security
The default configuration is based upon a properties file containing name/value pairs corresponding to role/password pairs. Authorization can also be based on a properties file containing name/value pairs corresponding to role/access pairs, where access is either readonly, which grants read access to any remote operation, or readwrite, which grants access to read and update operations in the interface.
Note: By default, the user (BSN_JMX_SYSUSER) and password (BSN_JMX_SYSPASS) for the administrator are automatically added to the configuration files.
To use this facility, the following files, located in the $SPLBASE/scripts directory, should be maintained using an appropriate editor:
• ouaf.jmx.access.file – This file contains the Userid and access Permissions in the format separated by a blank space:
• ouaf.jmx.password.file - This file contains Userid and Password in the format separated by a blank space:
Note: These files are also tailored using custom templates. The templates ouaf.jmx.access.file.template and ouaf.jmx.password.file.template are used for the configuration.
SSL-Based Security
To secure communications for JMX using the Java SSL support, the following process must be performed:
• Set additional java parameters using the WEB_ADDITIONAL_OPT for the online/Web Services and BATCH_MEMORY_ADDITIONAL_OPT for Batch. Refer to the Server Administration Guide and Batch Server Administration Guide for details of these parameters. The following additional system properties must be set:
| System Property | Comments |
|---|---|
| javax.net.ssl.keyStore | Keystore location |
| javax.net.ssl.keyStoreType | Default keystore type |
| javax.net.ssl.keyStorePassword | Default keystore password |
| javax.net.ssl.trustStore | Truststore location |
| javax.net.ssl.trustStoreType | Default truststore type |
| javax.net.ssl.trustStorePassword | Default truststore password |
| com.sun.management.jmxremote.ssl | Set to true |
| com.sun.management.jmxremote.registry.ssl | Set to true |
| com.sun.management.jmxremote.ssl.need.client.auth | Set to true |
Note: For sites using Oracle WebLogic in native mode, configuration of SSL requires Configuring SSL in WebLogic Server and altering the startup scripts for Oracle WebLogic to include the above options.
Note: In line with industry standards either HTTP or HTTPS can be used. They cannot be used simultaneously.
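The checker below is an added example, not part of the original guide: it parses a JVM option string, such as the value placed in WEB_ADDITIONAL_OPT or BATCH_MEMORY_ADDITIONAL_OPT, and reports which of the system properties in the table above are missing or not set as required. It assumes the properties are passed as -Dname=value options; the function names are hypothetical, and the paths, passwords and keystore type in the sample strings are constructed placeholders.

```python
import shlex

# Property names taken from the table above.
MUST_BE_SET = tuple(f"javax.net.ssl.{store}{suffix}"
                    for store in ("keyStore", "trustStore")
                    for suffix in ("", "Type", "Password"))
MUST_BE_TRUE = tuple("com.sun.management.jmxremote." + flag
                     for flag in ("ssl", "registry.ssl", "ssl.need.client.auth"))

def parse_system_properties(opts):
    """Return {name: value} for every -Dname=value token in a JVM option string."""
    props = {}
    for token in shlex.split(opts):
        if token.startswith("-D"):
            name, _, value = token[2:].partition("=")
            props[name] = value
    return props

def audit_jmx_ssl(opts):
    """List the table's properties that are missing or not set as required."""
    props = parse_system_properties(opts)
    findings = [f"{name}: not set" for name in MUST_BE_SET if not props.get(name)]
    for name in MUST_BE_TRUE:
        value = props.get(name)
        if value is None:
            findings.append(f"{name}: not set")
        elif value.lower() != "true":
            findings.append(f"{name}: is '{value}', expected true")
    return findings

# Constructed sample option strings; every path and password is a placeholder.
COMMON = ("-Djavax.net.ssl.keyStore=/placeholder/keystore.jks "
          "-Djavax.net.ssl.keyStoreType=JKS "
          "-Djavax.net.ssl.keyStorePassword=PLACEHOLDER "
          "-Djavax.net.ssl.trustStore=/placeholder/truststore.jks "
          "-Djavax.net.ssl.trustStorePassword=PLACEHOLDER "
          "-Dcom.sun.management.jmxremote.ssl=true ")
# Weak: no truststore type, registry left unencrypted, client certificates not required.
WEAK = COMMON + "-Dcom.sun.management.jmxremote.ssl.need.client.auth=false"
# Corrected: all nine properties from the table are set as required.
CORRECTED = (COMMON + "-Djavax.net.ssl.trustStoreType=JKS "
             "-Dcom.sun.management.jmxremote.registry.ssl=true "
             "-Dcom.sun.management.jmxremote.ssl.need.client.auth=true")

if __name__ == "__main__":
    for label, opts in (("weak", WEAK), ("corrected", CORRECTED)):
        print(label, audit_jmx_ssl(opts) or "OK")
```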
Other Security Sources
Whilst, by default, the file-based repository is supported, it is possible to configure the authentication of JMX to use an alternative data source such as an LDAP Server. This involves changing the Java Authentication and Authorization Service (JAAS) configuration stored in the java.login.config file in the $SPLEBASE/splapp/config directory.
In the JAAS configuration file there is a default jmxrealm that contains the default JMX LoginModule. This can be changed, using custom templates, to support an alternative source for authentication. Refer to the LdapLoginModule documentation for information and examples of login configurations.
Note: To implement the custom security source, custom templates for java.login.config must be implemented according to the process outlined in the Server Administration Guide.