Author: robbie Date: Mon Mar 2 11:55:22 2009 New Revision: 749282 URL: http://svn.apache.org/viewvc?rev=749282&view=rev Log: QPID-1704: remove JMXMP ConnectorServer usage from the broker's JMX management capabilities
Modified:
qpid/trunk/qpid/java/broker/etc/config.xml
qpid/trunk/qpid/java/broker/etc/persistent_config.xml
qpid/trunk/qpid/java/broker/etc/transient_config.xml
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/management/JMXManagedObjectRegistry.java
Modified: qpid/trunk/qpid/java/broker/etc/config.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/etc/config.xml?rev=749282&r1=749281&r2=749282&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker/etc/config.xml (original)
+++ qpid/trunk/qpid/java/broker/etc/config.xml Mon Mar 2 11:55:22 2009
@@ -45,7 +45,6 @@
 <management>
 <enabled>true</enabled>
 <jmxport>8999</jmxport>
- <security-enabled>false</security-enabled>
 <ssl>
 <enabled>true</enabled>
 <!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
Modified: qpid/trunk/qpid/java/broker/etc/persistent_config.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/etc/persistent_config.xml?rev=749282&r1=749281&r2=749282&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker/etc/persistent_config.xml (original)
+++ qpid/trunk/qpid/java/broker/etc/persistent_config.xml Mon Mar 2 11:55:22 2009
@@ -37,7 +37,6 @@
 <management>
 <enabled>true</enabled>
 <jmxport>8999</jmxport>
- <security-enabled>false</security-enabled>
 <ssl>
 <enabled>true</enabled>
 <!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
Modified: qpid/trunk/qpid/java/broker/etc/transient_config.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/etc/transient_config.xml?rev=749282&r1=749281&r2=749282&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker/etc/transient_config.xml (original)
+++ qpid/trunk/qpid/java/broker/etc/transient_config.xml Mon Mar 2 11:55:22 2009
@@ -37,7 +37,6 @@
 <management>
 <enabled>true</enabled>
 <jmxport>8999</jmxport>
- <security-enabled>false</security-enabled>
 <ssl>
 <enabled>true</enabled>
 <!-- Update below path to your keystore location, eg ${conf}/qpid.keystore -->
Modified: qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java?rev=749282&r1=749281&r2=749282&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java (original)
+++ qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/configuration/ServerConfiguration.java Mon Mar 2 11:55:22 2009
@@ -304,11 +304,6 @@ return _config.getInt("advanced.framesize", DEFAULT_FRAME_SIZE); } - public boolean getManagementSecurityEnabled() - { - return _config.getBoolean("management.security-enabled", false); - } - public boolean getProtectIOEnabled() { return _config.getBoolean("broker.connector.protectio.enabled", false); Modified: qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/management/JMXManagedObjectRegistry.java URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/management/JMXManagedObjectRegistry.java?rev=749282&r1=749281&r2=749282&view=diff ============================================================================== --- qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/management/JMXManagedObjectRegistry.java (original) +++ qpid/trunk/qpid/java/broker/src/main/java/org/apache/qpid/server/management/JMXManagedObjectRegistry.java Mon Mar 2 11:55:22 2009 @@ -107,8 +107,6 @@ } IApplicationRegistry appRegistry = ApplicationRegistry.getInstance(); - - boolean jmxmpSecurity = appRegistry.getConfiguration().getManagementSecurityEnabled(); int port = appRegistry.getConfiguration().getJMXManagementPort(); //retrieve the Principal Database assigned to JMX authentication duties 
@@ -119,184 +117,152 @@ final JMXConnectorServer cs; HashMap<String,Object> env = new HashMap<String,Object>(); - if (jmxmpSecurity) + //Socket factories for the RMIConnectorServer, either default or SLL depending on configuration + RMIClientSocketFactory csf; + RMIServerSocketFactory ssf; + + //check ssl enabled option in config, default to true if option is not set + boolean sslEnabled = appRegistry.getConfiguration().getManagementSSLEnabled(); + + if (sslEnabled) { - // For SASL using JMXMP - JMXServiceURL jmxURL = new JMXServiceURL("jmxmp", null, port); + //set the SSL related system properties used by the SSL RMI socket factories to the values + //given in the configuration file, unless command line settings have already been specified + String keyStorePath; - String saslType = null; - if (db instanceof Base64MD5PasswordFilePrincipalDatabase) + if(System.getProperty("javax.net.ssl.keyStore") != null) { - saslType = "SASL/CRAM-MD5"; - env.put("jmx.remote.profiles", "SASL/CRAM-MD5"); - CRAMMD5HashedInitialiser initialiser = new CRAMMD5HashedInitialiser(); - initialiser.initialise(db); - env.put("jmx.remote.sasl.callback.handler", initialiser.getCallbackHandler()); + keyStorePath = System.getProperty("javax.net.ssl.keyStore"); } - else if (db instanceof PlainPasswordFilePrincipalDatabase) + else { - saslType = "SASL/PLAIN"; - PlainInitialiser initialiser = new PlainInitialiser(); - initialiser.initialise(db); - env.put("jmx.remote.sasl.callback.handler", initialiser.getCallbackHandler()); - env.put("jmx.remote.profiles", "SASL/PLAIN"); + keyStorePath = appRegistry.getConfiguration().getManagementKeyStorePath(); } - //workaround NPE generated from env map classloader issue when using Eclipse 3.4 to launch - env.put("jmx.remote.profile.provider.class.loader", this.getClass().getClassLoader()); + //check the keystore path value is valid + if (keyStorePath == null) + { + throw new ConfigurationException("JMX management SSL keystore path not defined, " + + "unable to 
start SSL protected JMX ConnectorServer"); + } + else + { + //ensure the system property is set + System.setProperty("javax.net.ssl.keyStore", keyStorePath); - _log.warn("Starting JMXMP based JMX ConnectorServer on port '" + port + "' with " + saslType); - _startupLog.warn("Starting JMXMP based JMX ConnectorServer on port '" + port + "' with " + saslType); - - cs = JMXConnectorServerFactory.newJMXConnectorServer(jmxURL, env, _mbeanServer); - } - else - { - //Socket factories for the RMIConnectorServer, either default or SLL depending on configuration - RMIClientSocketFactory csf; - RMIServerSocketFactory ssf; - - //check ssl enabled option in config, default to true if option is not set - boolean sslEnabled = appRegistry.getConfiguration().getManagementSSLEnabled(); - - if (sslEnabled) - { - //set the SSL related system properties used by the SSL RMI socket factories to the values - //given in the configuration file, unless command line settings have already been specified - String keyStorePath; - - if(System.getProperty("javax.net.ssl.keyStore") != null) + //check the file is usable + File ksf = new File(keyStorePath); + + if (!ksf.exists()) { - keyStorePath = System.getProperty("javax.net.ssl.keyStore"); + throw new FileNotFoundException("Cannot find JMX management SSL keystore file " + ksf); } - else{ - keyStorePath = appRegistry.getConfiguration().getManagementKeyStorePath(); + if (!ksf.canRead()) + { + throw new FileNotFoundException("Cannot read JMX management SSL keystore file: " + + ksf + ". 
Check permissions."); } - //check the keystore path value is valid - if (keyStorePath == null) + _log.info("JMX ConnectorServer using SSL keystore file " + ksf.getAbsolutePath()); + _startupLog.info("JMX ConnectorServer using SSL keystore file " + ksf.getAbsolutePath()); + } + + //check the key store password is set + if (System.getProperty("javax.net.ssl.keyStorePassword") == null) + { + + if (appRegistry.getConfiguration().getManagementKeyStorePassword() == null) { - throw new ConfigurationException("JMX management SSL keystore path not defined, " + - "unable to start SSL protected JMX ConnectorServer"); + throw new ConfigurationException("JMX management SSL keystore password not defined, " + + "unable to start requested SSL protected JMX server"); } else { - //ensure the system property is set - System.setProperty("javax.net.ssl.keyStore", keyStorePath); - - //check the file is usable - File ksf = new File(keyStorePath); - - if (!ksf.exists()) - { - throw new FileNotFoundException("Cannot find JMX management SSL keystore file " + ksf); - } - if (!ksf.canRead()) - { - throw new FileNotFoundException("Cannot read JMX management SSL keystore file: " - + ksf + ". 
Check permissions."); - } - - _log.info("JMX ConnectorServer using SSL keystore file " + ksf.getAbsolutePath()); - _startupLog.info("JMX ConnectorServer using SSL keystore file " + ksf.getAbsolutePath()); + System.setProperty("javax.net.ssl.keyStorePassword", + appRegistry.getConfiguration().getManagementKeyStorePassword()); } + } - //check the key store password is set - if (System.getProperty("javax.net.ssl.keyStorePassword") == null) - { - - if (appRegistry.getConfiguration().getManagementKeyStorePassword() == null) - { - throw new ConfigurationException("JMX management SSL keystore password not defined, " + - "unable to start requested SSL protected JMX server"); - } - else - { - System.setProperty("javax.net.ssl.keyStorePassword", - appRegistry.getConfiguration().getManagementKeyStorePassword()); - } - } + //create the SSL RMI socket factories + csf = new SslRMIClientSocketFactory(); + ssf = new SslRMIServerSocketFactory(); + + _log.warn("Starting JMX ConnectorServer on port '"+ port + "' (+" + + (port +PORT_EXPORT_OFFSET) + ") with SSL"); + _startupLog.warn("Starting JMX ConnectorServer on port '"+ port + "' (+" + + (port +PORT_EXPORT_OFFSET) + ") with SSL"); + } + else + { + //Do not specify any specific RMI socket factories, resulting in use of the defaults. + csf = null; + ssf = null; - //create the SSL RMI socket factories - csf = new SslRMIClientSocketFactory(); - ssf = new SslRMIServerSocketFactory(); - - _log.warn("Starting JMX ConnectorServer on port '"+ port + "' (+" + - (port +PORT_EXPORT_OFFSET) + ") with SSL"); - _startupLog.warn("Starting JMX ConnectorServer on port '"+ port + "' (+" + - (port +PORT_EXPORT_OFFSET) + ") with SSL"); - } - else - { - //Do not specify any specific RMI socket factories, resulting in use of the defaults. 
- csf = null; - ssf = null; - - _log.warn("Starting JMX ConnectorServer on port '" + port + "' (+" + (port +PORT_EXPORT_OFFSET) + ")"); - _startupLog.warn("Starting JMX ConnectorServer on port '" + port + "' (+" + (port +PORT_EXPORT_OFFSET) + ")"); - } - - //add a JMXAuthenticator implementation the env map to authenticate the RMI based JMX connector server - RMIPasswordAuthenticator rmipa = new RMIPasswordAuthenticator(); - rmipa.setPrincipalDatabase(db); - env.put(JMXConnectorServer.AUTHENTICATOR, rmipa); - - /* - * Start a RMI registry on the management port, to hold the JMX RMI ConnectorServer stub. - * Using custom socket factory to prevent anyone (including us unfortunately) binding to the registry using RMI. - * As a result, only binds made using the object reference will succeed, thus securing it from external change. - */ - System.setProperty("java.rmi.server.randomIDs", "true"); - _rmiRegistry = LocateRegistry.createRegistry(port, null, new CustomRMIServerSocketFactory()); - - /* - * We must now create the RMI ConnectorServer manually, as the JMX Factory methods use RMI calls - * to bind the ConnectorServer to the registry, which will now fail as for security we have - * locked it from any RMI based modifications, including our own. Instead, we will manually bind - * the RMIConnectorServer stub to the registry using its object reference, which will still succeed. - * - * The registry is exported on the defined management port 'port'. We will export the RMIConnectorServer - * on 'port +1'. Use of these two well-defined ports will ease any navigation through firewall's. 
- */ - final RMIServerImpl rmiConnectorServerStub = new RMIJRMPServerImpl(port+PORT_EXPORT_OFFSET, csf, ssf, env); - final String hostname = InetAddress.getLocalHost().getHostName(); - final JMXServiceURL externalUrl = new JMXServiceURL( - "service:jmx:rmi://"+hostname+":"+(port+PORT_EXPORT_OFFSET)+"/jndi/rmi://"+hostname+":"+port+"/jmxrmi"); + _log.warn("Starting JMX ConnectorServer on port '" + port + "' (+" + (port +PORT_EXPORT_OFFSET) + ")"); + _startupLog.warn("Starting JMX ConnectorServer on port '" + port + "' (+" + (port +PORT_EXPORT_OFFSET) + ")"); + } - final JMXServiceURL internalUrl = new JMXServiceURL("rmi", hostname, port+PORT_EXPORT_OFFSET); - cs = new RMIConnectorServer(internalUrl, env, rmiConnectorServerStub, _mbeanServer) + //add a JMXAuthenticator implementation the env map to authenticate the RMI based JMX connector server + RMIPasswordAuthenticator rmipa = new RMIPasswordAuthenticator(); + rmipa.setPrincipalDatabase(db); + env.put(JMXConnectorServer.AUTHENTICATOR, rmipa); + + /* + * Start a RMI registry on the management port, to hold the JMX RMI ConnectorServer stub. + * Using custom socket factory to prevent anyone (including us unfortunately) binding to the registry using RMI. + * As a result, only binds made using the object reference will succeed, thus securing it from external change. + */ + System.setProperty("java.rmi.server.randomIDs", "true"); + _rmiRegistry = LocateRegistry.createRegistry(port, null, new CustomRMIServerSocketFactory()); + + /* + * We must now create the RMI ConnectorServer manually, as the JMX Factory methods use RMI calls + * to bind the ConnectorServer to the registry, which will now fail as for security we have + * locked it from any RMI based modifications, including our own. Instead, we will manually bind + * the RMIConnectorServer stub to the registry using its object reference, which will still succeed. + * + * The registry is exported on the defined management port 'port'. 
We will export the RMIConnectorServer + * on 'port +1'. Use of these two well-defined ports will ease any navigation through firewall's. + */ + final RMIServerImpl rmiConnectorServerStub = new RMIJRMPServerImpl(port+PORT_EXPORT_OFFSET, csf, ssf, env); + final String hostname = InetAddress.getLocalHost().getHostName(); + final JMXServiceURL externalUrl = new JMXServiceURL( + "service:jmx:rmi://"+hostname+":"+(port+PORT_EXPORT_OFFSET)+"/jndi/rmi://"+hostname+":"+port+"/jmxrmi"); + + final JMXServiceURL internalUrl = new JMXServiceURL("rmi", hostname, port+PORT_EXPORT_OFFSET); + cs = new RMIConnectorServer(internalUrl, env, rmiConnectorServerStub, _mbeanServer) + { + @Override + public synchronized void start() throws IOException { - @Override - public synchronized void start() throws IOException + try { - try - { - //manually bind the connector server to the registry at key 'jmxrmi', like the out-of-the-box agent - _rmiRegistry.bind("jmxrmi", rmiConnectorServerStub); - } - catch (AlreadyBoundException abe) - { - //key was already in use. shouldnt happen here as its a new registry, unbindable by normal means. - - //IOExceptions are the only checked type throwable by the method, wrap and rethrow - IOException ioe = new IOException(abe.getMessage()); - ioe.initCause(abe); - throw ioe; - } - - //now do the normal tasks - super.start(); - } - - @Override - public JMXServiceURL getAddress() - { - //must return our pre-crafted url that includes the full details, inc JNDI details - return externalUrl; - } + //manually bind the connector server to the registry at key 'jmxrmi', like the out-of-the-box agent + _rmiRegistry.bind("jmxrmi", rmiConnectorServerStub); + } + catch (AlreadyBoundException abe) + { + //key was already in use. shouldnt happen here as its a new registry, unbindable by normal means. 
- }; - } + //IOExceptions are the only checked type throwable by the method, wrap and rethrow + IOException ioe = new IOException(abe.getMessage()); + ioe.initCause(abe); + throw ioe; + } + + //now do the normal tasks + super.start(); + } + + @Override + public JMXServiceURL getAddress() + { + //must return our pre-crafted url that includes the full details, inc JNDI details + return externalUrl; + } + + }; + //Add the custom invoker as an MBeanServerForwarder, and start the RMIConnectorServer. MBeanServerForwarder mbsf = MBeanInvocationHandlerImpl.newProxyInstance(); --------------------------------------------------------------------- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:commits-subscr...@qpid.apache.org
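Review bot: The `sslEnabled` branch publishes the keystore password process-wide through `System.setProperty("javax.net.ssl.keyStorePassword", ...)` just so the default `SslRMIServerSocketFactory` can find it, which leaves the secret readable by anything running in the JVM — presumably including any authenticated JMX client of this very connector via the `java.lang:type=Runtime` MBean's `SystemProperties` attribute, if `_mbeanServer` is the platform server — and makes that keystore the implicit default for every other SSL context in the broker. Loading the keystore into a dedicated `SSLContext` and exporting the connector through a small `RMIServerSocketFactory` built from it removes both effects; the sketch below keeps the command-line-first fallback and only drops the two `setProperty` calls (whether anything else in the broker relies on them being set here is not visible in the hunk). The `KeyStore`/`KeyManagerFactory`/`SSLContext` calls throw checked exceptions (`KeyStoreException`, `CertificateException`, `UnrecoverableKeyException`, `KeyManagementException`) that the enclosing method — which starts and ends outside this hunk — would need to declare or wrap into `ConfigurationException`. Separately, the non-SSL branch (`csf = null; ssf = null;`) hands `RMIPasswordAuthenticator` credentials over plain JRMP, so its startup warning could say so explicitly, e.g. `_log.warn("Starting JMX ConnectorServer on port '" + port + "' (+" + (port +PORT_EXPORT_OFFSET) + ") without SSL - JMX credentials will cross the network in the clear");`.
```java
if (sslEnabled)
{
    // … unchanged: keystore path resolution and the exists()/canRead() checks on the file …

    //resolve the password (command line first, then configuration) without exporting it as a system property
    String keyStorePassword = System.getProperty("javax.net.ssl.keyStorePassword");
    if (keyStorePassword == null)
    {
        keyStorePassword = appRegistry.getConfiguration().getManagementKeyStorePassword();
    }
    if (keyStorePassword == null)
    {
        throw new ConfigurationException("JMX management SSL keystore password not defined, " +
                                         "unable to start requested SSL protected JMX server");
    }

    //build a dedicated SSLContext from the keystore so the secret stays local to this method
    char[] password = keyStorePassword.toCharArray();
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    InputStream keyStoreIn = new FileInputStream(keyStorePath);
    try
    {
        keyStore.load(keyStoreIn, password);
    }
    finally
    {
        keyStoreIn.close();
    }
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(keyStore, password);
    Arrays.fill(password, '\0');

    final SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kmf.getKeyManagers(), null, null);

    //create the RMI socket factories, the server side using the dedicated context
    csf = new SslRMIClientSocketFactory();
    ssf = new RMIServerSocketFactory()
    {
        public ServerSocket createServerSocket(int serverPort) throws IOException
        {
            return sslContext.getServerSocketFactory().createServerSocket(serverPort);
        }
    };

    // … unchanged: "Starting JMX ConnectorServer ... with SSL" log lines …
}
// … unchanged: non-SSL branch, authenticator, RMI registry and connector server setup …
```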