Java Management Extensions

Overview

JMX (Java Management Extensions) is a Java technology that provides tools for building dynamic solutions for managing and monitoring applications, devices, and service-driven networks. JMX technology is included in the Java SE platform, starting with the J2SE platform 5.0. The JMX specification defines the architecture, design patterns, APIs, and services in the Java programming language for management and monitoring of applications and networks. Using the JMX technology, a given resource is instrumented by one or more Java objects known as Managed Beans, or MBeans. These MBeans are registered in a core-managed object server, known as an MBean server. The MBean server acts as a management agent and can run on most devices that have been enabled for the Java programming language.

JMX Inside Genius Server

The Genius Server can be managed and monitored via JMX. Genius Server exposes a set of MBeans via JMX. These MBeans are used by the Genius EAM to monitor the entire Genius Platform (Genius Relay can also be monitored via JMX).

By default JMX is disabled on Genius Server.

Warning

When an EAM Service is to be used, JMX needs to be activated. See below for instructions on how to activate it.

JMX can be enabled without authentication. This is needed if an EAM Service is to be used. Although this configuration is unsafe, it is tolerable for the following two reasons:

  • the Genius Server normally is not exposed on the internet

  • the monitoring via Genius EAM does not need additional configurations

This guide explains how to secure JMX inside the Genius Server.

JMX Activation/Deactivation

To activate JMX, enable it on port 7070 without authentication. The default JMX-related Java options are:

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=7070
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false

These options allow monitoring of Genius Server via JMX without authentication and without SSL (also remotely), connecting on port 7070. To disable JMX, simply remove these options and restart the Genius Server service.

The following paragraphs explain how to create a secure JMX environment for Genius Server.

Secure JMX With Basic Authentication

  1. Create a folder named jmx inside the Genius Server installation directory.

  2. Create a file named jmxremote.password inside jmx directory.

  3. Edit the jmxremote.password file content with something similar to:

    monitor GeniusServerJMX
    control GeniusServerJMX
    

    where each line contains a username and password pair separated by a space character.

  4. Create a file named jmxremote.access inside jmx directory.

  5. Edit the jmxremote.access file content with something similar to:

    monitor readonly
    control readwrite
    

    where each line contains a username and its access rights separated by a space character.

  6. Set limited access rights to the files

    6a. On MS Windows, execute the following commands in a command line:

    icacls jmxremote.password /setowner system
    echo Y| cacls jmxremote.password /P SYSTEM:R
    icacls jmxremote.access /setowner system
    echo Y| cacls jmxremote.access /P SYSTEM:R
    

    6b. On *nix, execute the following commands in a command line:

    chown system:system jmxremote.password
    chmod 400 jmxremote.password
    chown system:system jmxremote.access
    chmod 400 jmxremote.access
    

    where "system" is assumed to be the username of the user with which the Genius Server service runs.

  7. Change the JMX-related Java options:

    -Dcom.sun.management.jmxremote
    -Dcom.sun.management.jmxremote.port=7070
    -Dcom.sun.management.jmxremote.authenticate=true
    -Dcom.sun.management.jmxremote.password.file=jmx\jmxremote.password
    -Dcom.sun.management.jmxremote.access.file=jmx\jmxremote.access
    -Dcom.sun.management.jmxremote.ssl=false
    
  8. Re-start Genius Server service.

Note

If the Genius service runs with another user, replace system with the effective username. The credentials and roles shown above are purely illustrative; customize them as desired inside the jmxremote.password and jmxremote.access files.
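
A check for the files created in steps 2 to 6, added here as an example (it is not part of the Genius Server product): it cross-checks jmxremote.password against jmxremote.access, flags the guide's illustrative password if it is still in use, and on *nix reports files that group or others can access. The function names and the sample file contents are constructed for this example.

```python
import os
import stat

GUIDE_SAMPLE_PASSWORDS = {"GeniusServerJMX"}  # printed in step 3 of the guide
VALID_ACCESS = {"readonly", "readwrite"}

# Constructed sample contents: one guide password left in place, and an
# "admin" role that has no matching password entry.
SAMPLE_PASSWORD = "monitor GeniusServerJMX\ncontrol constructed-example-secret\n"
SAMPLE_ACCESS = "monitor readonly\ncontrol readwrite\nadmin readwrite\n"


def parse_pairs(text):
    """Parse 'name value' lines; blank lines and '#' comments are skipped."""
    pairs = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            pairs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return pairs


def audit_entries(password_text, access_text):
    """Cross-check jmxremote.password against jmxremote.access."""
    passwords, access = parse_pairs(password_text), parse_pairs(access_text)
    findings = []
    for user, password in passwords.items():
        if password in GUIDE_SAMPLE_PASSWORDS:
            findings.append(f"{user}: guide sample password still in use")
        if user not in access:
            findings.append(f"{user}: password entry without an access level")
    for user, level in access.items():
        if (level.split() or [""])[0] not in VALID_ACCESS:
            findings.append(f"{user}: unknown access level {level!r}")
        if user not in passwords:
            findings.append(f"{user}: access level without a password entry")
    return sorted(findings)


def loose_modes(paths):
    """POSIX only (step 6b): report files that group or others can access."""
    if os.name != "posix":
        return []
    modes = {p: stat.S_IMODE(os.stat(p).st_mode) for p in paths}
    return [f"{os.path.basename(p)}: mode {m:o}" for p, m in modes.items() if m & 0o077]


if __name__ == "__main__":
    print("\n".join(audit_entries(SAMPLE_PASSWORD, SAMPLE_ACCESS)))
```
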

Secure JMX with SSL

  1. Create a folder named jmx inside the Genius Server installation directory

  2. Create a file named jmxremote.properties inside jmx directory

  3. Edit the jmxremote.properties file content with:

    javax.net.ssl.keyStore=C:\\Program Files\\Genius CDDS Server\\jmx\\serverkeystore
    javax.net.ssl.keyStorePassword=serverpass
    javax.net.ssl.trustStore=C:\\Program Files\\Genius CDDS Server\\jmx\\servertruststore
    javax.net.ssl.trustStorePassword=servertrustpass
    
  4. Set limited access rights to the file

    4a. On MS Windows, execute the following commands in a command line:

    icacls jmxremote.properties /setowner system
    echo Y| cacls jmxremote.properties /P SYSTEM:R
    

    4b. On *nix, execute the following commands in a command line:

    chown system:system jmxremote.properties
    chmod 400 jmxremote.properties
    

    where system is assumed to be the username of the user with which the Genius Server service runs.

  5. Change the JMX-related Java options:

    -Dcom.sun.management.jmxremote.registry.ssl=true
    -Dcom.sun.management.jmxremote.ssl.config.file=jmx\jmxremote.properties
    
  6. Re-start Genius Server service

Note

If the Genius Server service runs with another user, replace system with the effective username. The keystore and truststore locations and passwords shown above are purely illustrative; customize them as desired inside the jmxremote.properties file. Ensure that the server certificate is imported in the client trust-store and, vice versa, that the client certificate is imported in the server trust-store.
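
An audit of the JMX option sets shown in this guide, added here as an example (it is not part of the Genius Server product): it computes the effective com.sun.management.jmxremote.* settings from a list of JVM arguments and reports the weak ones, including the case where the ssl=false line from the earlier option sets is still present alongside the step 5 options. The JDK default values and the ssl.need.client.auth option are not taken from this page; they are standard JDK settings assumed here, and the function names are constructed for the example.

```python
PREFIX = "-Dcom.sun.management.jmxremote"
# JDK defaults applied when an option is absent (assumption, not from the guide).
DEFAULTS = {"authenticate": "true", "ssl": "true",
            "registry.ssl": "false", "ssl.need.client.auth": "false"}

# Option sets copied from the guide.
ACTIVATION = [PREFIX, PREFIX + ".port=7070",
              PREFIX + ".authenticate=false", PREFIX + ".ssl=false"]
BASIC_AUTH = [PREFIX, PREFIX + ".port=7070", PREFIX + ".authenticate=true",
              PREFIX + r".password.file=jmx\jmxremote.password",
              PREFIX + r".access.file=jmx\jmxremote.access",
              PREFIX + ".ssl=false"]
SSL_STEP5 = [PREFIX + ".registry.ssl=true",
             PREFIX + r".ssl.config.file=jmx\jmxremote.properties"]


def jmx_options(jvm_args):
    """Effective jmxremote.* options; the last occurrence of an option wins."""
    opts = dict(DEFAULTS)
    for arg in jvm_args:
        if arg.startswith(PREFIX + "."):
            key, _, value = arg[len(PREFIX) + 1:].partition("=")
            opts[key] = value.strip()
    return opts


def audit(jvm_args):
    """Return one finding per weak setting; empty list when none is found."""
    opts = jmx_options(jvm_args)
    if "port" not in opts:
        return []  # no remote connector is started without a port

    def on(key):
        return opts[key].lower() == "true"

    findings = []
    if not on("authenticate"):
        findings.append(f"authenticate: no credentials required on port {opts['port']}")
    if not on("ssl"):
        findings.append("ssl: connector traffic, passwords included, is not encrypted")
    elif not on("ssl.need.client.auth"):
        findings.append("ssl.need.client.auth: client certificates are not required")
    if not on("registry.ssl"):
        findings.append("registry.ssl: RMI registry is not protected by SSL")
    return findings


if __name__ == "__main__":
    for name, args in [("activation", ACTIVATION), ("basic auth", BASIC_AUTH),
                       ("basic auth + SSL step 5", BASIC_AUTH + SSL_STEP5)]:
        print(name, audit(args))
```
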