Running the samples  Using the Systems Management Console

Chapter 13: Using Systems Management

Using SSL

Using SSL allows clients to establish secure links to a JMX agent. Using SSL ensures that the client-server link is secure, and that the client has indeed set up a link to the correct server. However, it does not authenticate the client; the server does not know who the client is.

Further authentication—for example, identifying that the client is who it purports to be—must be performed separately. Only clients that have a copy of the server’s signed certificate can connect, so you can restrict connections to the set of clients to whom the certificates have been granted.


Setting up SSL

To set up SSL, you must generate a keystore to be used by the JMX agent’s RMI adapter. For detailed information about keystores, see the Sun Web page. Use this syntax to generate the keystore for each JMX agent installed in the network:

keytool [-alias <alias>] \
-genkey -v -keystore <keystore> \
-storepass <storepwd> -keypass <keypass> \
-dname <dname> \
-validity <validity>

Where:

This example generates a keystore and a key, then puts the new key in the keystore:

keytool -genkey -v -keystore key.store -storepass storepwd -keypass keypwd \
-dname "CN=Chris Jobson, O=Sybase\, Inc., C=UK" -validity 365

Next, you must export the X.509 certificate that authenticates the key you just created:

keytool [-alias <alias>] -export \
-v -storepass <storepwd> -keystore <keystore>
-file <certfile>

Where, in addition to the variables described in the previous example:

This example exports the X.509 certificate:

keytool -export -v -storepass storepwd -keystore -file x509cert

Once you have exported the key (in the X.509 certificate), you must import it into the truststore used by the clients that connect to the RMI adapter. Currently, the only clients run in servlets that are deployed in EAServer. Import the certificate into a truststore located in the servlet’s WEB-INF/lib directory, located under $JAGUAR/Repository/WebApplication/SysMgmtm/. You must copy the x509cert file to the same machine where the servlet is deployed, and then import it using this syntax:

keytool [-alias <alias>] -import \
-v -storepass <storepwd> -keystore <truststore> 
-file <certfile>

Where, in addition to the previously defined variables:

This example creates a truststore, which contains a single certificate that wraps the original key, and puts the X.509 certificate in C:\tmp\x509cert:

keytool -import -v -storepass storepwd -keystore trust.store \
-file C:\tmp\x509cert

NoteDelete the X.509 certificate after using it.

Do this for all clients that will connect to the JMX agent. After creating the various keys and truststores, you must ensure that the JMX agent starts the RMI adapter so that it uses SSL. To do this, make these changes to the boot.xml file:

  1. Locate the definition for the sybase.system.adaptor.service:Name=SSLServerSocketFactory MBean, then set the appropriate values for its KeyStoreName, KeyStorePassword, and KeyManagerPassword attributes:

  2. Locate the definition for the sybase.system.adaptor:Protocol=RMI-JRMP MBean, and to ensure that the JMX agent starts and the RMI adapter accepts only SSL connections, verify that the SSLFactory attribute is set to “sybase.system.adaptor.service:Name=SSLServerSocketFactory”.

The RMI adapter exports its certificate, which is checked by the client using its truststore. Therefore, the client can verify that the server is who it purports to be.

To configure the servlet to use SSL to connect:

  1. Change to the ROOT/WEB-INF/classes/com/sybase/servlet/jmx directory.

  2. In each <agent>.properties file—there is one for each agent that is defined—verify that the com.sybase.management.jmx.adaptor.rmi.truststore.resource property is set to point to the truststore that contains the trusted certificate for the appropriate JMX agent. For example:

    com.sybase.management.jmx.adaptor.rmi.truststore.resource=
    /clienttrust.store
    

    /clienttrust.store is loaded by appropriate class loaders, and should load the truststore created by the keytool -import command. To load a truststore from another location, verify that it can be loaded by the class loader used to load the servlet, or use one of these alternate properties, and set the location appropriately:

Each JMX agent requires its own trusted certificate; they can all be stored in the same truststore, or in separate ones.

NoteIf you are not using SSL, remove the trust_store property from the properties file.

The server can also verify whether the client is presenting a valid certificate. This is the inverse of the process described above. The server has a truststore it consults to verify that the client’s certificate matches. To set this up, create keystores for the clients, and matching truststores for the server (containing the exported key). Follow the steps outlined above using keytool, then:

  1. In boot.xml, locate the definition for the com.sybase.system.adaptor.service:Name=SSLServerSocketFactory MBean, then edit the values for the TrustStoreName, TrustStorePassword and NeedClientAuth attributes appropriately:

  2. On the client end, edit the agent.properties file, and set the value of the com.sybase.management.jmx.adaptor.rmi.keystore.resource property to point to the keystore containing the certificate for the relevant JMX agent. The resource is loaded by the appropriate class loaders, and should load the keystore that was created using the keytool -genkey command.

    Alternately, set the values for these properties:





Copyright © 2005. Sybase Inc. All rights reserved. Using the Systems Management Console