3 Replies Latest reply: Aug 20, 2011 7:05 AM by 881080

JMXRMI registry port stays unencrypted in spite of configuration

881080 Newbie
Hello,

I have managed to set up a JMX server (i.e. the agent) and a JMX client (in this case, jconsole) such that the JMX-RMI exchange goes over SSL.

I have additionally configured the JMX server to apply SSL to the RMI registry exchange and demand client authentication, as described in the JMX documentation at http://download.oracle.com/javase/6/docs/technotes/guides/management/agent.html

In effect, the following is passed to the JMX server:
{code}
JMXPREFIX=com.sun.management.jmxremote
KEYMAT=/usr/local/java/setup/keymaterial

-Djavax.net.ssl.trustStore=$KEYMAT/cacerts
-Djavax.net.ssl.keyStore=$KEYMAT/keystore.jmx.server
-Djavax.net.ssl.keyStorePassword=password_on_the_cmdline_omg_wtf_lol
-D${JMXPREFIX}.password.file=$KEYMAT/jmxremote.password
-D${JMXPREFIX}.access.file=$KEYMAT/jmxremote.access
-D${JMXPREFIX}.registry.ssl=true
-D${JMXPREFIX}.ssl.need.client.auth=true
{code}
On the client side, <tt>jconsole</tt> is started with:
{code}
-J-Djavax.net.ssl.trustStore=/home/user/jconsole/cacerts
-J-Djavax.net.ssl.keyStore=/home/user/jconsole/keystore.jmx.client
-J-Djavax.net.ssl.keyStorePassword=password_on_the_cmdline_omg_wtf_lol
{code}
So far so nice, stuff works, jconsole needs a username/password, then connects, all right.

But... how can I be sure the RMI registry exchange is really shielded by SSL? There is no indication in jconsole saying "this is encrypted" (ouch, bad design etc. - applied crypto should be inspectable).

The log generated by the JVM (I have added JUL instructions to extract the log) is unclear at best.

And <tt>tcpdump</tt> on the purportedly encrypted RMI registry exchange yields this packet:
{code}
0x0000:  0000 0c9f f022 0025 9006 71be 0800 4500  .....".%..q...E.
0x0010:  0155 50e5 4000 4006 ca15 555d d80a bc73  .UP.@.@...U]...s
0x0020:  34cd 2487 d4fd b566 999b 7e1d b625 8018  4.$....f..~..%..
0x0030:  002e 1ff0 0000 0101 080a 9b1a c979 07a5  .............y..
0x0040:  1728 51ac ed00 0577 0f01 cd0e 8551 0000  .(Q....w.....Q..
0x0050:  0131 d92f b713 8099 7372 002e 6a61 7661  .1./....sr..java
0x0060:  782e 6d61 6e61 6765 6d65 6e74 2e72 656d  x.management.rem
0x0070:  6f74 652e 726d 692e 524d 4953 6572 7665  ote.rmi.RMIServe
0x0080:  7249 6d70 6c5f 5374 7562 0000 0000 0000  rImpl_Stub......
0x0090:  0002 0200 0070 7872 001a 6a61 7661 2e72  .....pxr..java.r
0x00a0:  6d69 2e73 6572 7665 722e 5265 6d6f 7465  mi.server.Remote
0x00b0:  5374 7562 e9fe dcc9 8be1 651a 0200 0070  Stub......e....p
0x00c0:  7872 001c 6a61 7661 2e72 6d69 2e73 6572  xr..java.rmi.ser
0x00d0:  7665 722e 5265 6d6f 7465 4f62 6a65 6374  ver.RemoteObject
0x00e0:  d361 b491 0c61 331e 0300 0070 7870 7720  .a...a3....pxpw.
0x00f0:  000b 556e 6963 6173 7452 6566 3201 000c  ..UnicastRef2...
0x0100:  3835 2e39 332e 3231 362e 3130 0000 248f  85.93.216.10..$.
0x0110:  7372 0027 6a61 7661 782e 726d 692e 7373  sr.'javax.rmi.ss
0x0120:  6c2e 5373 6c52 4d49 436c 6965 6e74 536f  l.SslRMIClientSo
0x0130:  636b 6574 4661 6374 6f72 798c aab4 bb81  cketFactory.....
0x0140:  8525 0f02 0000 7078 7077 175f 819f 51b1  .%....pxpw._..Q.
0x0150:  8c28 96cd 0e85 5100 0001 31d9 2fb7 1380  .(....Q...1./...
0x0160:  0101 78                                  ..x
{code}

THAT doesn't look encrypted at all. Indeed, more or less the same packet transits if RMI registry encryption is off.

Whereas dumped traffic on the JMXRMI port indeed looks encrypted. If encryption is configured off, things like

{code}
0x0000:  0000 0c9f f022 0025 9006 71be 0800 4500  .....".%..q...E.
0x0010:  01be b138 4000 4006 6959 555d d80a bc73  ...8@.@.iYU]...s
0x0020:  34cd 248f a573 f44b 9a14 bd3d cd8f 8018  4.$..s.K...=....
0x0030:  01f5 2059 0000 0101 080a 9b29 074c 07b3  ...Y.......).L..
0x0040:  54fb 51ac ed00 0577 0f01 215e 286d 0000  T.Q....w..!^(m..
0x0050:  0131 d93a 9208 8110 7372 001e 6a61 7661  .1.:....sr..java
0x0060:  782e 6d61 6e61 6765 6d65 6e74 2e41 7474  x.management.Att
0x0070:  7269 6275 7465 4c69 7374 c76b 4818 1b48  ributeList.kH..H
0x0080:  606c 0200 0070 7872 0013 6a61 7661 2e75  `l...pxr..java.u
0x0090:  7469 6c2e 4172 7261 794c 6973 7478 81d2  til.ArrayListx..
0x00a0:  1d99 c761 9d03 0001 4900 0473 697a 6570  ...a....I..sizep
0x00b0:  7870 0000 0003 7704 0000 0003 7372 001a  xp....w.....sr..
0x00c0:  6a61 7661 782e 6d61 6e61 6765 6d65 6e74  javax.management
0x00d0:  2e41 7474 7269 6275 7465 2279 b907 538b  .Attribute"y..S.
0x00e0:  3b0e 0200 024c 0004 6e61 6d65 7400 124c  ;....L..namet..L
0x00f0:  6a61 7661 2f6c 616e 672f 5374 7269 6e67  java/lang/String
0x0100:  3b4c 0005 7661 6c75 6574 0012 4c6a 6176  ;L..valuet..Ljav
0x0110:  612f 6c61 6e67 2f4f 626a 6563 743b 7078  a/lang/Object;px
0x0120:  7074 000f 436f 6c6c 6563 7469 6f6e 436f  pt..CollectionCo
0x0130:  756e 7473 7200 0e6a 6176 612e 6c61 6e67  untsr..java.lang
0x0140:  2e4c 6f6e 673b 8be4 90cc 8f23 df02 0001  .Long;.....#....
0x0150:  4a00 0576 616c 7565 7078 7200 106a 6176  J..valuepxr..jav
0x0160:  612e 6c61 6e67 2e4e 756d 6265 7286 ac95  a.lang.Number...
0x0170:  1d0b 94e0 8b02 0000 7078 7000 0000 0000  ........pxp.....
0x0180:  0000 0373 7100 7e00 0374 000e 436f 6c6c  ...sq.~..t..Coll
0x0190:  6563 7469 6f6e 5469 6d65 7371 007e 0008  ectionTimesq.~..
0x01a0:  0000 0000 0000 000f 7371 007e 0003 7400  ........sq.~..t.
0x01b0:  044e 616d 6574 0013 436f 6e63 7572 7265  .Namet..Concurre
0x01c0:  6e74 4d61 726b 5377 6565 7078            ntMarkSweepx
{code}

transit, whereas only noise can be snarfed if encryption is on.

So it looks like encryption on the RMI registry is not actually working - or am I forgetting something? Something vital??

Edited by: user13544767 on Aug 20, 2011 7:06 AM
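As an added example, not code from the poster or from the JDK, here is a Python check that answers the "how can I be sure" question from the capture itself: it parses `tcpdump -X` output, strips the Ethernet, IP and TCP headers, and reports whether the payload is a TLS record or a cleartext JRMP stream, recovering the serialized class names (the `javax.management.remote.rmi.RMIServerImpl_Stub` visible in the ASCII column). The embedded sample is the first nine lines of the registry reply above; the function and variable names are my own.

```python
import itertools, re
# Constructed sample: the first nine lines of the poster's tcpdump dump of the
# RMI registry reply (Ethernet II + IPv4 + TCP headers, then the JRMP payload).
SAMPLE_DUMP = """\
0x0000:  0000 0c9f f022 0025 9006 71be 0800 4500  .....".%..q...E.
0x0010:  0155 50e5 4000 4006 ca15 555d d80a bc73  .UP.@.@...U]...s
0x0020:  34cd 2487 d4fd b566 999b 7e1d b625 8018  4.$....f..~..%..
0x0030:  002e 1ff0 0000 0101 080a 9b1a c979 07a5  .............y..
0x0040:  1728 51ac ed00 0577 0f01 cd0e 8551 0000  .(Q....w.....Q..
0x0050:  0131 d92f b713 8099 7372 002e 6a61 7661  .1./....sr..java
0x0060:  782e 6d61 6e61 6765 6d65 6e74 2e72 656d  x.management.rem
0x0070:  6f74 652e 726d 692e 524d 4953 6572 7665  ote.rmi.RMIServe
0x0080:  7249 6d70 6c5f 5374 7562 0000 0000 0000  rImpl_Stub......
"""
SER_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream header (0xACED, version 5)

def parse_tcpdump_hex(dump):
    """Rebuild the raw frame from `tcpdump -X` lines: offset, up to 8 hex groups, ASCII."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if parts and re.fullmatch(r"0x[0-9a-fA-F]+:", parts[0]):
            hexs = itertools.takewhile(lambda t: re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", t), parts[1:9])
            out += bytes.fromhex("".join(hexs))  # hex column ends at the first non-hex token
    return bytes(out)

def tcp_payload(frame):
    """Strip Ethernet II + IPv4 + TCP headers, taking both lengths from the headers."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("expected an IPv4/TCP frame")
    tcp = 14 + (frame[14] & 0x0F) * 4  # IHL is the IP header length in 32-bit words
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]  # TCP data offset, same units

def classify(payload):
    """TLS record (content type 0x14-0x17, version 0x03xx) vs. cleartext JRMP/serialization."""
    if len(payload) >= 2 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        return "tls-record"
    return "cleartext-jrmp" if payload[:4] == b"JRMI" or SER_MAGIC in payload else "unknown"

def serialized_class_names(payload):
    """Class names after TC_CLASSDESC (0x72): u2 length, then the modified-UTF-8 name."""
    names, i = [], (payload.index(SER_MAGIC) + 4 if SER_MAGIC in payload else len(payload))
    while i + 3 <= len(payload):
        n = int.from_bytes(payload[i + 1:i + 3], "big")
        name = payload[i + 3:i + 3 + n]
        ok = payload[i] == 0x72 and n and len(name) == n and re.fullmatch(rb"[\w.$\[;/]+", name)
        if ok:
            names.append(name.decode("ascii"))
        i += 3 + n if ok else 1  # skip past a real name so bytes inside it are not re-read
    return names
```

Run it over a capture of the registry port after enabling `registry.ssl`: a TLS-protected registry answers with `tls-record`, while a reply that still decodes to `RMIServerImpl_Stub` is going over the wire in the clear.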
