Forum Discussion

Keimond
4 years ago

Tomcat/JMX monitoring with SSL

Has anyone enabled SSL on JMX and gotten it to work?

Following directions on Tomcat | LogicMonitor, I can make it work with authentication but "com.sun.management.jmxremote.ssl=false"

If I set that to true I'm getting

"Fail to get the jmx result - java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"

I have also tried to pass "Djavax.net.ssl.keyStore" and "Djavax.net.ssl.keyStorePassword" with no luck.

SSL to my web page (using the same keystore) works fine, so I would assume that the file is OK. The only item I see in the catalina.out log that might have something that helps?
"03-May-2021 12:18:05.238 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]"

  • Anonymous

    Definitely something to take up with support, if you haven't already.

  • Thanks, I have reached out to support for their suggestions!

  • So I gave up on SSL as it turns out the behavior is not what I thought it was and we do not need it. I do have it working great with authentication which is all I need.

    Now I just have to figure out why our test server works and our production server doesn't!

    My setenv.sh file sources a file set up by Ansible:
     

    CATALINA_OPTS="-Dcom.sun.management.jmxremote=true \
    -Dcom.sun.management.jmxremote.port={{ jira_lm_jmxport }} \
    -Dcom.sun.management.jmxremote.ssl=false \
    -Dcom.sun.management.jmxremote.authenticate=true \
    -Dcom.sun.management.jmxremote.password.file={{ jira_lm_jmxpath }}/jmxremote.password \
    -Dcom.sun.management.jmxremote.access.file={{ jira_lm_jmxpath }}/jmxremote.access \
    -Djava.rmi.server.hostname={{ ansible_default_ipv4.address }}"


    I've run tcpdump on the production server and Wireshark back on my Windows collector and verified that the two are in fact talking to each other on the jira_lm_jmxport.

    The error indicates that it's timing out. I tried increasing the timeout for JMX on the collector and was still getting a timeout, but perhaps I need to try longer...

    On Friday I'll be restarting the service after adding these two lines to see if that helps, after reading some posts:
     

    -Dcom.sun.management.jmxremote.rmi.port={{ jira_lm_jmxport }} \
    -Dcom.sun.management.jmxremote.local.only=false \
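
A check for the option set discussed in this thread, as an added example that is not part of the original posts or of LogicMonitor's documentation: it lints a CATALINA_OPTS string for the JMX flags quoted above and reports the unencrypted connector and the unpinned RMI port. The port 9010, the function names and the finding wording are assumptions made for illustration.

```shell
# Added example: lint a CATALINA_OPTS string for the JMX flags from this thread.

# Print the last value given for -D<name>= in an option string (empty if absent).
jmx_opt() {
    printf '%s\n' "$1" | tr -s ' \t\\' '\n\n\n' |
        awk -v k="-D$2=" 'index($0, k) == 1 { v = substr($0, length(k) + 1) }
                          END { if (v != "") print v }'
}

# Print one finding per line for the option string in $1.
audit_jmx() {
    p=com.sun.management.jmxremote
    port=$(jmx_opt "$1" "$p.port")
    rmi=$(jmx_opt "$1" "$p.rmi.port")
    ssl=$(jmx_opt "$1" "$p.ssl")
    auth=$(jmx_opt "$1" "$p.authenticate")
    ks=$(jmx_opt "$1" javax.net.ssl.keyStore)
    if [ -z "$port" ]; then
        echo "INFO no jmxremote.port: remote JMX connector not enabled"
        return 0
    fi
    # With jmxremote.port set, the JDK defaults ssl and authenticate to true.
    if [ "$auth" = "false" ]; then
        echo "FAIL authenticate=false: JMX accepts unauthenticated connections on port $port"
    fi
    if [ "$ssl" = "false" ]; then
        echo "WARN ssl=false: JMX traffic, including the login, is not encrypted"
    elif [ -z "$ks" ]; then
        echo "WARN ssl enabled but no -Djavax.net.ssl.keyStore in these options"
    fi
    if [ -z "$rmi" ]; then
        echo "WARN rmi.port unset: RMI objects use a random port, firewall must allow it"
    elif [ "$rmi" != "$port" ]; then
        echo "INFO rmi.port=$rmi differs from port=$port: open both"
    fi
    return 0
}

# Constructed samples: the thread's options with 9010 in place of the template variable.
BEFORE="-Dcom.sun.management.jmxremote=true \
-Dcom.sun.management.jmxremote.port=9010 \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=true"
AFTER="$BEFORE -Dcom.sun.management.jmxremote.rmi.port=9010 \
-Dcom.sun.management.jmxremote.local.only=false"

audit_jmx "$BEFORE"
audit_jmx "$AFTER"
```

With the two extra lines from the last post, the RMI port finding disappears and only the `ssl=false` warning remains.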