Ning Kang created ARTEMIS-3730:
----------------------------------

             Summary: SSL connection for JMX does not work
                 Key: ARTEMIS-3730
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3730
             Project: ActiveMQ Artemis
          Issue Type: Bug
    Affects Versions: 2.20.0
            Reporter: Ning Kang

We are using Artemis 2.20.0 as JMS broker, and got some problems when connecting from the client side via SSL for the JMX connection. There is a firewall between the server and client side; it only allows SSL communication on a few ports (ports 1416 and 1417 are allowed for SSL communication).

We have set up the JMX connections on the broker side by adding the following settings.

1. In management.xml, add this element
{code:java}
<connector connector-host="0.0.0.0" connector-port="1416" rmi-registry-port="1417" secured="true"
           key-store-path="/home/xxxxx/keys/keystore.jks" key-store-password="ENC(-xxxxxxxxxxxxxx)" />{code}

2. In artemis.profile, add this in JAVA_ARGS
{code:java}
-Djava.rmi.server.hostname={broker_hostname}{code}

3. In broker.xml, add this
{code:java}
<jmx-management-enabled>true</jmx-management-enabled>{code}

On the client side, the code is like this
{code:java}
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

Map<String,String[]> env = new HashMap<String, String[]>();
String[] account = {BROKER_USER, BROKER_PASSWORD};
env.put(JMXConnector.CREDENTIALS, account);
JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL("service:jmx:rmi:///jndi/rmi://broker_host:1416/jmxrmi"), env);
MBeanServerConnection connection = connector.getMBeanServerConnection();{code}

and add these JAVA_ARGS to start the client program
{code:java}
-Djavax.net.ssl.trustStore=./trustStore.jks
-Djavax.net.ssl.trustStorePassword=password
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djava.rmi.server.hostname=broker_host
-Dcom.sun.management.jmxremote.rmi.port=1417
-Djavax.net.debug=all{code}

When running on a node without the firewall, the client can connect with the broker without any problem, and I can also see the SSL handshake debug information. However, if I run the client on another node behind the firewall, the program breaks at the line of JMXConnectorFactory.connect(), and I got the following error.

{code:java}
java.lang.IllegalStateException: Failed to execute CommandLineRunner
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:787) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:768) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:322) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at nl.mendesgans.test.jmx.Application.main(Application.java:19) ~[classes!/:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:51) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:52) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
Caused by: java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    java.net.SocketException: Connection reset]
    at java.management.rmi/javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:370) ~[na:na]
    at java.management/javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270) ~[na:na]
    at nl.mendesgans.test.jmx.ArtemisServerConfig.getMBeanServerConnection(ArtemisServerConfig.java:51) ~[classes!/:na]
    at nl.mendesgans.test.jmx.ArtemisServerConfig.activeMQServerControl(ArtemisServerConfig.java:33) ~[classes!/:na]
    at nl.mendesgans.test.jmx.ArtemisService.getAllQueues(ArtemisService.java:19) ~[classes!/:na]
    at nl.mendesgans.test.jmx.Application.run(Application.java:24) ~[classes!/:na]
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:784) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    ... 13 common frames omitted
Caused by: javax.naming.CommunicationException: null
    at jdk.naming.rmi/com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:137) ~[na:na]
    at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:207) ~[na:na]
    at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409) ~[na:na]
    at java.management.rmi/javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1839) ~[na:na]
    at java.management.rmi/javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1813) ~[na:na]
    at java.management.rmi/javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:302) ~[na:na]
    ... 19 common frames omitted
Caused by: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    java.net.SocketException: Connection reset
    at java.rmi/sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:300) ~[na:na]
    at java.rmi/sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:196) ~[na:na]
    at java.rmi/sun.rmi.server.UnicastRef.newCall(UnicastRef.java:343) ~[na:na]
    at java.rmi/sun.rmi.registry.RegistryImpl_Stub.lookup(RegistryImpl_Stub.java:116) ~[na:na]
    at jdk.naming.rmi/com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:133) ~[na:na]
    ... 24 common frames omitted
Caused by: java.net.SocketException: Connection reset
    at java.base/java.net.SocketInputStream.read(SocketInputStream.java:186) ~[na:na]
    at java.base/java.net.SocketInputStream.read(SocketInputStream.java:140) ~[na:na]
    at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252) ~[na:na]
    at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:271) ~[na:na]
    at java.base/java.io.DataInputStream.readByte(DataInputStream.java:270) ~[na:na]
    at java.rmi/sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:239) ~[na:na]
    ... 28 common frames omitted{code}

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
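
A diagnostic for the failure reported above, as an added example that is not code from the reporter or from the Artemis project: it checks whether a port answers a cleartext JRMP handshake or completes a TLS handshake, the distinction that matters when a firewall permits only SSL on ports 1416 and 1417. The class name `JmxPortProbe` and the loopback demo registry are constructed for illustration; `TLS=false` can also mean the server certificate is not in the trust store supplied with `-Djavax.net.ssl.trustStore`.

```java
import java.io.*;
import java.net.*;
import java.rmi.registry.LocateRegistry;
import java.util.*;
import javax.net.ssl.*;

public class JmxPortProbe {
    // True if the endpoint answers a cleartext JRMP handshake with ProtocolAck (0x4e).
    static boolean speaksPlainJrmp(String host, int port) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), 3000);
            s.setSoTimeout(3000);
            DataOutputStream out = new DataOutputStream(s.getOutputStream());
            out.writeInt(0x4a524d49); // magic "JRMI"
            out.writeShort(2);        // JRMP version
            out.writeByte(0x4b);      // StreamProtocol
            out.flush();
            return new DataInputStream(s.getInputStream()).readByte() == 0x4e;
        } catch (Exception e) { return false; }
    }

    // True if the endpoint completes a TLS handshake against the JVM's trust store
    // (set with -Djavax.net.ssl.trustStore, as in the client arguments on this page).
    static boolean speaksTls(String host, int port) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) factory.createSocket()) {
            s.connect(new InetSocketAddress(host, port), 3000);
            s.setSoTimeout(3000);
            s.startHandshake();
            return true;
        } catch (Exception e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        String host = "127.0.0.1";
        List<Integer> ports = new ArrayList<>();
        if (args.length >= 2) { // usage: JmxPortProbe <host> <port> [<port> ...]
            host = args[0];
            for (int i = 1; i < args.length; i++) ports.add(Integer.valueOf(args[i]));
        } else { // constructed offline demo: a default, non-SSL RMI registry on loopback
            try (ServerSocket ss = new ServerSocket(0)) { ports.add(ss.getLocalPort()); }
            LocateRegistry.createRegistry(ports.get(0));
        }
        for (int port : ports)
            System.out.printf("%s:%d plain-JRMP=%b TLS=%b%n", host, port,
                    speaksPlainJrmp(host, port), speaksTls(host, port));
        System.exit(0); // the demo registry's RMI threads would otherwise keep the JVM alive
    }
}
```

Run with no arguments, it probes the local demo registry; run as `java JmxPortProbe broker_host 1416 1417` from a node without the firewall, it reports which protocol each management port accepts on first contact.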