Enabling remote JMX with password authentication and SSL

This example shows how to start the Network Server with remote JMX enabled and protected by both password authentication and SSL.

This level of protection may or may not be adequate for you, but it is more secure than the previous examples.

The command line appears on multiple lines to improve readability, but you would enter it as a single java command. The keystore and truststore paths, their passwords and the host name are placeholders that you replace with your own values. Password authentication is enabled by default when com.sun.management.jmxremote.port is set; see Enabling remote JMX with password authentication only for setting up the password file.

java -Dcom.sun.management.jmxremote.port=9999
     -Dcom.sun.management.jmxremote.ssl=true
     -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
     -Dcom.sun.management.jmxremote.registry.ssl=true
     -Djavax.net.ssl.keyStore=/path/to/server-keystore
     -Djavax.net.ssl.keyStorePassword=keystore-password
     -Djavax.net.ssl.trustStore=/path/to/server-truststore
     -Djavax.net.ssl.trustStorePassword=truststore-password
     -jar lib/derbyrun.jar server start -h <hostname>
Note: When password authentication is enabled and a Java Security Manager is installed, a number of JMX-related permissions need to be granted to trusted users in the security policy used. See Fine-grained authorization using a security policy for details.

In the example above, the javax.net.ssl system properties specify the keystore containing the server's key pair, the keystore password, the truststore containing the certificates (or issuing CA certificates) of the clients allowed to connect, and the truststore password. The JMX agent uses the standard JSSE defaults, so the same properties also apply to any other SSL use in that JVM. Setting up SSL keystores and truststores is partly described in Key and certificate handling. Other topics in the section Network encryption and authentication with SSL/TLS provide information on protecting database network traffic using SSL.

When you configure SSL as described above, the following requirements apply:

The system property com.sun.management.jmxremote.ssl.need.client.auth=true specifies that clients must authenticate themselves with an SSL client certificate (mutual SSL/TLS); the server accepts only certificates it can validate against its truststore. This property, as well as the truststore properties, may be removed if you do not want to authenticate clients using SSL. However, relying on password authentication alone is weaker: anyone who can reach the JMX port and knows or guesses a password in the password file then gets the access level granted to that user.

The system property com.sun.management.jmxremote.registry.ssl=true was introduced in Java SE 6 and protects the RMI registry that JMX clients use to look up the connector stub; the other SSL properties protect only the connector itself, not this lookup. This property must be used in conjunction with com.sun.management.jmxremote.ssl.need.client.auth=true in order to fully secure the RMI registry.

If you use a Java SE 5 JDK, clients must provide an additional entry in the environment map passed to the JMXConnector when enabling SSL protection of the registry:

env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

See Connecting to the MBean Server for details.

Clients must also use proper keystores and/or truststores: the client truststore must contain the server's SSL certificate (or the CA certificate that issued it), and when the server requires client authentication, the client keystore must contain a key pair whose certificate the server's truststore accepts.
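The client side of the configuration described above, written as an added example that is not part of the Derby documentation or code base. It connects to a Network Server JMX agent started with SSL, SSL client authentication and password authentication, and lists the Derby MBeans. The host name, port, user name, password, keystore and truststore paths and their passwords are assumptions; replace them with your own values.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

public class SecureJmxClient {

    // Opens an authenticated, SSL-protected connection to the JMX agent of a
    // Derby Network Server. All argument values passed from main() below are
    // assumptions for this example.
    public static JMXConnector connect(String host, int port,
                                       String user, String password,
                                       String keyStore, String keyStorePassword,
                                       String trustStore, String trustStorePassword)
            throws Exception {

        // JSSE reads the client's own key pair (presented to the server because
        // need.client.auth=true) and the truststore holding the server's
        // certificate from these standard system properties.
        System.setProperty("javax.net.ssl.keyStore", keyStore);
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        Map<String, Object> env = new HashMap<String, Object>();

        // Password authentication: the agent checks this user/password pair
        // against its jmxremote.password file and applies the matching access level.
        env.put(JMXConnector.CREDENTIALS, new String[] { user, password });

        // Because the server sets registry.ssl=true, the JNDI lookup of the RMI
        // registry must itself go over SSL. Java SE 6 and later handle this
        // automatically; Java SE 5 clients need this entry, and it is harmless
        // on newer releases.
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
        return JMXConnectorFactory.connect(url, env);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: host, port, JMX user and password, and the
        // client-side keystore/truststore are all assumed for this example.
        JMXConnector connector = connect("derby.example.com", 9999,
                "monitorRole", "change-me",
                "/path/to/client-keystore", "keystore-password",
                "/path/to/client-truststore", "truststore-password");
        try {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            System.out.println("Connected as " + connector.getConnectionId());
            // Derby registers its MBeans in the org.apache.derby domain.
            for (ObjectName name : mbsc.queryNames(
                    new ObjectName("org.apache.derby:*"), null)) {
                System.out.println(name);
            }
        } finally {
            connector.close();
        }
    }
}
```

If the connection fails with an SSL handshake error rather than a SecurityException, check the keystores first: a handshake failure means the server rejected the client certificate or the client does not trust the server certificate, while a SecurityException means SSL succeeded and the user name or password was rejected.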

For more information about the system properties used above and potential security risks, see "Monitoring and Management Using JMX Technology" at http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html .

Related reference
Enabling remote JMX with no authentication or SSL
Enabling remote JMX with password authentication only
Simple authorization using an access file
Fine-grained authorization using a security policy
Disabling access to MBeans