Ning Kang created ARTEMIS-3730:
----------------------------------

             Summary: SSL connection for JMX does not work
                 Key: ARTEMIS-3730
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3730
             Project: ActiveMQ Artemis
          Issue Type: Bug
    Affects Versions: 2.20.0
            Reporter: Ning Kang


We are using Artemis 2.20.0 as the JMS broker, and ran into some problems when 
connecting from the client side via SSL for the JMX connection. There is a firewall 
between the server and the client side; it only allows SSL communication on a few 
ports (ports 1416 and 1417 are allowed for SSL communication).

 

We have set up the JMX connections on the broker side by adding the following 
settings.

1. In management.xml, add this element
{code:java}
<connector connector-host="0.0.0.0"
connector-port="1416"
rmi-registry-port="1417"
secured="true"
key-store-path="/home/xxxxx/keys/keystore.jks"
key-store-password="ENC(-xxxxxxxxxxxxxx)"
/>{code}
2. In artemis.profile, add this in JAVA_ARGS
{code:java}
-Djava.rmi.server.hostname={broker_hostname}{code}
3. In broker.xml, add this
{code:java}
<jmx-management-enabled>true</jmx-management-enabled>{code}
 

On the client side, the code is like this
{code:java}
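import java.util.*;
import javax.management.MBeanServerConnection;
import javax.management.remote.*;

// Credentials are passed to the connector as a {user, password} array
Map<String,String[]> env = new HashMap<String, String[]>();
String[] account = {BROKER_USER, BROKER_PASSWORD};
env.put(JMXConnector.CREDENTIALS, account);
// The RMI server stub is looked up through JNDI in the registry at broker_host:1416
JMXConnector connector = JMXConnectorFactory.connect(
    new JMXServiceURL("service:jmx:rmi:///jndi/rmi://broker_host:1416/jmxrmi"), env);
MBeanServerConnection connection = connector.getMBeanServerConnection();{code}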
and add these JAVA_ARGS to start the client program
{code:java}
-Djavax.net.ssl.trustStore=./trustStore.jks 
-Djavax.net.ssl.trustStorePassword=password 
-Dcom.sun.management.jmxremote.ssl=true 
-Dcom.sun.management.jmxremote.authenticate=true 
-Dcom.sun.management.jmxremote.registry.ssl=true 
-Djava.rmi.server.hostname=broker_host 
-Dcom.sun.management.jmxremote.rmi.port=1417 
-Djavax.net.debug=all{code}
 

When running on a node without the firewall, the client can connect to the 
broker without any problem, and I can also see the SSL handshake debug information.

 

However, if I run the client on another node behind the firewall, the program 
breaks at the JMXConnectorFactory.connect() line, and I got the following error.
{code:java}
java.lang.IllegalStateException: Failed to execute CommandLineRunner
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:787) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:768) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:322) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    at nl.mendesgans.test.jmx.Application.main(Application.java:19) ~[classes!/:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:51) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:52) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
Caused by: java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    java.net.SocketException: Connection reset]
    at java.management.rmi/javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:370) ~[na:na]
    at java.management/javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270) ~[na:na]
    at nl.mendesgans.test.jmx.ArtemisServerConfig.getMBeanServerConnection(ArtemisServerConfig.java:51) ~[classes!/:na]
    at nl.mendesgans.test.jmx.ArtemisServerConfig.activeMQServerControl(ArtemisServerConfig.java:33) ~[classes!/:na]
    at nl.mendesgans.test.jmx.ArtemisService.getAllQueues(ArtemisService.java:19) ~[classes!/:na]
    at nl.mendesgans.test.jmx.Application.run(Application.java:24) ~[classes!/:na]
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:784) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
    ... 13 common frames omitted
Caused by: javax.naming.CommunicationException: null
    at jdk.naming.rmi/com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:137) ~[na:na]
    at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:207) ~[na:na]
    at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409) ~[na:na]
    at java.management.rmi/javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1839) ~[na:na]
    at java.management.rmi/javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1813) ~[na:na]
    at java.management.rmi/javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:302) ~[na:na]
    ... 19 common frames omitted
Caused by: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    java.net.SocketException: Connection reset
    at java.rmi/sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:300) ~[na:na]
    at java.rmi/sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:196) ~[na:na]
    at java.rmi/sun.rmi.server.UnicastRef.newCall(UnicastRef.java:343) ~[na:na]
    at java.rmi/sun.rmi.registry.RegistryImpl_Stub.lookup(RegistryImpl_Stub.java:116) ~[na:na]
    at jdk.naming.rmi/com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:133) ~[na:na]
    ... 24 common frames omitted
Caused by: java.net.SocketException: Connection reset
    at java.base/java.net.SocketInputStream.read(SocketInputStream.java:186) ~[na:na]
    at java.base/java.net.SocketInputStream.read(SocketInputStream.java:140) ~[na:na]
    at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252) ~[na:na]
    at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:271) ~[na:na]
    at java.base/java.io.DataInputStream.readByte(DataInputStream.java:270) ~[na:na]
    at java.rmi/sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:239) ~[na:na]
    ... 28 common frames omitted{code}
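
A connectivity check for the setup in this report, added here as an example and not part of the original issue or of Artemis: from the client node it tries each of ports 1416 and 1417 once with a TLS handshake and once with the clear-text JRMP stream header, whose acknowledgement byte is what `TCPChannel.createConnection` is reading when the trace above ends in `Connection reset`. The class name `JmxPortProbe` is hypothetical, `broker_host` is the placeholder used in the report, and the trust store is assumed to come from the same `javax.net.ssl.trustStore` system properties the client already passes.

```java
import java.io.*;
import java.net.*;
import javax.net.ssl.*;

// Hypothetical diagnostic (added example): shows which protocol each JMX port accepts.
public class JmxPortProbe {
    static final int TIMEOUT_MS = 5000;

    static Socket open(String host, int port) throws IOException {
        Socket s = new Socket();
        s.connect(new InetSocketAddress(host, port), TIMEOUT_MS);
        s.setSoTimeout(TIMEOUT_MS); // a silently dropping firewall shows up as a timeout
        return s;
    }

    // TLS handshake validated against the JVM default trust store.
    static String probeTls(String host, int port) {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (Socket raw = open(host, port);
             SSLSocket tls = (SSLSocket) f.createSocket(raw, host, port, true)) {
            tls.startHandshake();
            return "TLS ok (" + tls.getSession().getProtocol() + ")";
        } catch (IOException e) {
            return "TLS failed: " + e;
        }
    }

    // Clear-text JRMP header; a plain RMI endpoint answers with ProtocolAck (0x4e).
    static String probePlainJrmp(String host, int port) {
        try (Socket s = open(host, port)) {
            DataOutputStream out = new DataOutputStream(s.getOutputStream());
            out.writeInt(0x4a524d49); // "JRMI" magic
            out.writeShort(2);        // protocol version
            out.writeByte(0x4b);      // StreamProtocol
            out.flush();
            int ack = new DataInputStream(s.getInputStream()).readByte() & 0xff;
            return ack == 0x4e ? "plain JRMP ack" : "unexpected reply 0x" + Integer.toHexString(ack);
        } catch (IOException e) {
            return "plain JRMP failed: " + e;
        }
    }
    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "broker_host"; // placeholder from the report
        for (int port : new int[] {1416, 1417}) {                // ports named in the report
            System.out.println(port + " TLS:   " + probeTls(host, port));
            System.out.println(port + " plain: " + probePlainJrmp(host, port));
        }
    }
}
```

Running it on the node without the firewall and on the node behind it, with the same trust store arguments, gives four results per node that can be compared directly.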


