[ https://issues.apache.org/jira/browse/ARTEMIS-3730?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17508881#comment-17508881 ]
Justin Bertram commented on ARTEMIS-3730:
-----------------------------------------

Is there something the broker itself could do differently or better to make this work? As far as I can tell this is an environmental issue - especially given that it works when the firewall is not present.

Have you tried using this?
{noformat}
service:jmx:rmi://broker_host:1417/jndi/rmi://broker_host:1416/jmxrmi{noformat}
This would correspond more closely to what the [broker is using|https://github.com/apache/activemq-artemis/blob/3dea7eeb7126974cb9409478c46fe0b5a3aa0e8c/artemis-server/src/main/java/org/apache/activemq/artemis/core/config/JMXConnectorConfiguration.java#L73].

> SSL connection for JMX does not work behinds firewall
> -----------------------------------------------------
>
>                 Key: ARTEMIS-3730
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3730
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>   Affects Versions: 2.20.0
>            Reporter: Ning Kang
>            Priority: Major
>
> We are using Artemis 2.20.0 as JMS broker, and got some problems when connecting from client side via SSL for JMX connection. There is a firewall between the server and client side; it only allows SSL communication on a few ports (1416 and 1417 ports are allowed for SSL communication).
>
> We have set up the JMX connections on the broker side by adding the following settings.
> 1. In management.xml, add this element
> {code:java}
> <connector connector-host="0.0.0.0"
>            connector-port="1416"
>            rmi-registry-port="1417"
>            secured="true"
>            key-store-path="/home/xxxxx/keys/keystore.jks"
>            key-store-password="ENC(-xxxxxxxxxxxxxx)"
> />{code}
> 2. In artemis.profile, add this in JAVA_ARGS
> {code:java}
> -Djava.rmi.server.hostname= {broker_hostname}{code}
> 3. In broker.xml, add this
> {code:java}
> <jmx-management-enabled>true</jmx-management-enabled>{code}
>
> On the client side, the code is like this
> {code:java}
> Map<String,String[]> env = new HashMap<String, String[]>();
> String[] account = {BROKER_USER, BROKER_PASSWORD};
> env.put(JMXConnector.CREDENTIALS, account);
> JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL("service:jmx:rmi:///jndi/rmi://broker_host:1416/jmxrmi"), env);
> MBeanServerConnection connection = connector.getMBeanServerConnection();{code}
> and add these JAVA_ARGS to start the client program
> {code:java}
> -Djavax.net.ssl.trustStore=./trustStore.jks
> -Djavax.net.ssl.trustStorePassword=password
> -Dcom.sun.management.jmxremote.ssl=true
> -Dcom.sun.management.jmxremote.authenticate=true
> -Dcom.sun.management.jmxremote.registry.ssl=true
> -Djava.rmi.server.hostname=broker_host
> -Dcom.sun.management.jmxremote.rmi.port=1417
> -Djavax.net.debug=all{code}
>
> When running on a node without the firewall, the client can connect with the broker without any problem, I can also see the SSL handshake debug information.
>
> However, if I run the client on another node behind the firewall, the program breaks at the line of JMXConnectorFactory.connect(), and I got the following error.
> {code:java}
> java.lang.IllegalStateException: Failed to execute CommandLineRunner
>     at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:787) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
>     at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:768) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:322) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
>     at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
>     at nl.mendesgans.test.jmx.Application.main(Application.java:19) ~[classes!/:na]
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
>     at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
>     at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
>     at org.springframework.boot.loader.Launcher.launch(Launcher.java:51) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
>     at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:52) ~[bmgm-jmx-client-tester-LOCALBUILD-SNAPSHOT.jar:na]
> Caused by: java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
>     java.net.SocketException: Connection reset]
>     at java.management.rmi/javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:370) ~[na:na]
>     at java.management/javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270) ~[na:na]
>     at nl.mendesgans.test.jmx.ArtemisServerConfig.getMBeanServerConnection(ArtemisServerConfig.java:51) ~[classes!/:na]
>     at nl.mendesgans.test.jmx.ArtemisServerConfig.activeMQServerControl(ArtemisServerConfig.java:33) ~[classes!/:na]
>     at nl.mendesgans.test.jmx.ArtemisService.getAllQueues(ArtemisService.java:19) ~[classes!/:na]
>     at nl.mendesgans.test.jmx.Application.run(Application.java:24) ~[classes!/:na]
>     at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:784) ~[spring-boot-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]
>     ... 13 common frames omitted
> Caused by: javax.naming.CommunicationException: null
>     at jdk.naming.rmi/com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:137) ~[na:na]
>     at java.naming/com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:207) ~[na:na]
>     at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409) ~[na:na]
>     at java.management.rmi/javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1839) ~[na:na]
>     at java.management.rmi/javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1813) ~[na:na]
>     at java.management.rmi/javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:302) ~[na:na]
>     ... 19 common frames omitted
> Caused by: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
>     java.net.SocketException: Connection reset
>     at java.rmi/sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:300) ~[na:na]
>     at java.rmi/sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:196) ~[na:na]
>     at java.rmi/sun.rmi.server.UnicastRef.newCall(UnicastRef.java:343) ~[na:na]
>     at java.rmi/sun.rmi.registry.RegistryImpl_Stub.lookup(RegistryImpl_Stub.java:116) ~[na:na]
>     at jdk.naming.rmi/com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:133) ~[na:na]
>     ... 24 common frames omitted
> Caused by: java.net.SocketException: Connection reset
>     at java.base/java.net.SocketInputStream.read(SocketInputStream.java:186) ~[na:na]
>     at java.base/java.net.SocketInputStream.read(SocketInputStream.java:140) ~[na:na]
>     at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252) ~[na:na]
>     at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:271) ~[na:na]
>     at java.base/java.io.DataInputStream.readByte(DataInputStream.java:270) ~[na:na]
>     at java.rmi/sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:239) ~[na:na]
>     ... 28 common frames omitted{code}
>
> By following the reference from [https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html], I have changed the url to "service:jmx:rmi://broker_host:1416/jndi/rmi://broker_host:1417/jmxrmi" on the client side, but still get the same error.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
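
Added example, not part of the Jira thread or the Artemis code base: a minimal Java client that uses the two-port URL form from the comment above, performs the registry lookup over TLS, and reports which leg of the connection failed. The host and credentials are placeholders, the class and method names are hypothetical, and it is an assumption that the registry port expects TLS.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.NamingException;
import javax.rmi.ssl.SslRMIClientSocketFactory;

public class JmxTwoPortClient {

    // The client contacts the registry (the part after /jndi/rmi://) first. The host:port
    // before /jndi/ is not used by the client to connect; the RMI server endpoint comes
    // from the stub that the registry returns.
    static JMXServiceURL url(String host, int rmiServerPort, int registryPort) throws IOException {
        return new JMXServiceURL("service:jmx:rmi://" + host + ":" + rmiServerPort
                + "/jndi/rmi://" + host + ":" + registryPort + "/jmxrmi");
    }

    // A NamingException in the cause chain (as in the trace in the issue) means the
    // failure happened during the registry lookup, before the RMI server port was used.
    static String failedLeg(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof NamingException) {
                return "registry lookup";
            }
        }
        return "a step after the registry lookup (RMI server port or later)";
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: host and credentials. Ports 1417/1416 are the ones from the thread.
        String host = args.length > 0 ? args[0] : "broker_host";
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {"BROKER_USER", "BROKER_PASSWORD"});
        // Assumption: the registry port expects TLS. This JNDI key makes the lookup use it;
        // the trust store is taken from -Djavax.net.ssl.trustStore on the command line.
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
        JMXServiceURL target = url(host, 1417, 1416);
        try (JMXConnector connector = JMXConnectorFactory.connect(target, env)) {
            MBeanServerConnection connection = connector.getMBeanServerConnection();
            System.out.println("connected, MBean count: " + connection.getMBeanCount());
        } catch (IOException e) {
            System.err.println(target + " failed during " + failedLeg(e) + ": " + e.getMessage());
        }
    }
}
```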