Doradus Configuration and Operation : Securing the Doradus JMX API

Securing the Doradus JMX API
Doradus supports the Java Management Extensions (JMX) protocol for monitoring Doradus and performing certain administrative commands. JMX can be secured with authorization and/or encryption; however, JMX security is disabled in the {doradus_home}/bin/doradus-server.bat file included with Doradus. The common JMX options are defined in variables at the top of the file, as shown below:
set JMX_PORT=9999
set JMX_SSL=false
set JMX_AUTHENTICATE=false
These options are summarized below:
JMX_PORT: This variable sets the com.sun.management.jmxremote.port system property in the JVM, which is the port number that remote JMX clients must use. As shown, port 9999 is the default used for Doradus.
JMX_SSL: This variable sets the com.sun.management.jmxremote.ssl system property in the JVM. When set to true, it requires remote clients to use SSL (TLS) to connect to the JMX port. When SSL is enabled, additional options are available to require remote clients to have a client-side certificate.
JMX_AUTHENTICATE: This variable sets the com.sun.management.jmxremote.authenticate system property in the JVM. When set to true, it requires remote clients to provide a user ID and password in order to connect. Additional parameters are required to define allowed user IDs and passwords and the locations of the corresponding files.
Because JMX is a standard and external documentation is available for securing JMX, details for using SSL and/or authentication are not covered here. See, for example, the following:
http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html
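The following is an added example, not part of the Doradus distribution: a Python check that reads the text of a doradus-server.bat-style file and reports when the JMX variables described above leave the port without authentication or TLS. The function names and sample file contents are constructed for illustration, and the check assumes the variables are assigned with plain set NAME=value lines as shown on this page.

```python
import re

# Matches batch assignments such as: set JMX_SSL=false  or  set "JMX_SSL=false".
# Anchored on "set", so REM/:: comment lines never match.
SET_RE = re.compile(r'^\s*set\s+"?(JMX_[A-Z_]+)\s*=\s*([^"\r\n]*)"?\s*$', re.IGNORECASE)

# The two protections this page describes, keyed by variable name.
PROTECTIONS = {
    "JMX_AUTHENTICATE": "authentication",
    "JMX_SSL": "SSL/TLS",
}

def parse_jmx_vars(bat_text):
    """Return the last value assigned to each JMX_* variable in the file text."""
    values = {}
    for line in bat_text.splitlines():
        m = SET_RE.match(line)
        if m:
            values[m.group(1).upper()] = m.group(2).strip()
    return values

def audit_jmx(bat_text):
    """Return findings for settings that leave the remote JMX port unprotected."""
    values = parse_jmx_vars(bat_text)
    port = values.get("JMX_PORT")
    if port is None:
        return []  # no remote JMX port is configured through these variables
    findings = []
    for name, label in PROTECTIONS.items():
        value = values.get(name)
        if value is None:
            findings.append(f"port {port}: {name} is not defined, verify {label} manually")
        elif value.lower() != "true":
            findings.append(f"port {port}: {label} is disabled ({name}={value})")
    return findings

# Constructed sample inputs: the settings shown on this page, and a hardened variant.
SHIPPED = "set JMX_PORT=9999\nset JMX_SSL=false\nset JMX_AUTHENTICATE=false\n"
HARDENED = 'set JMX_PORT=9999\nset "JMX_SSL=TRUE"\nset JMX_AUTHENTICATE=true\n'

if __name__ == "__main__":
    for title, text in (("shipped", SHIPPED), ("hardened", HARDENED)):
        print(title, audit_jmx(text) or "no findings")
```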
Though not shown above, here is another useful option: On multi-homed systems, java.rmi.server.hostname can be set to a specific IP address, causing JMX to bind to that address instead of the default one. For example:
set JAVA_OPTS=
...
-Djava.rmi.server.hostname=10.1.82.121^
...
This causes the JMX port to bind to address 10.1.82.121.