Java Management Extensions (JMX) security
You can secure managed beans (MBean) invocations in a distributed environment.
For more information about the MBeans that are available, see Administering with Managed Beans (MBeans).
- Authentication: The remote client needs to be authenticated in the connector server.
- Access control: MBean access control limits who can access the MBean information and who can perform the MBean operations.
- Secure transport: The transport between the JMX client and server can be secured with TLS/SSL.
Authentication
JMX provides methods for the connector servers to authenticate the remote clients. For the RMI connector, authentication is completed by supplying an object that implements the JMXAuthenticator interface when the connector server is created. So eXtreme Scale implements this JMXAuthenticator interface to use the ObjectGrid Authenticator plug-in to authenticate the remote clients. See Java SE security tutorial - Step 2 for details on how eXtreme Scale authenticates a client.
The JMX client follows the JMX APIs to provide credentials to connect to the connector server. The JMX framework passes the credential to the connector server, and then calls the JMXAuthenticator implementation for authentication. As described previously, the JMXAuthenticator implementation then delegates the authentication to the ObjectGrid Authenticator implementation.
Review the following example that describes how to connect to a connector server with a credential:
javax.management.remote.JMXServiceURL jmxUrl = new JMXServiceURL(
"service:jmx:rmi:///jndi/rmi://localhost:1099/objectgrid/MBeanServer");
environment.put(JMXConnector.CREDENTIALS, new UserPasswordCredential("admin", "xxxxxx"));
// Create the JMXCconnectorServer
JMXConnector cntor = JMXConnectorFactory.newJMXConnector(jmxUrl, null);
// Connect and invoke an operation on the remote MBeanServer
cntor.connect(environment);
In the preceding example, a UserPasswordCredential object is provided with the user ID set to admin and the password set to xxxxx. This UserPasswordCredential object is set in the environment map, which is used in the JMXConnector.connect(Map) method. This UserPasswordCredential object is then passed to the server by the JMX framework, and finally passed to the ObjectGrid authentication framework for authentication.
The client programming model strictly follows the JMX specification.
Access control
A JMX MBean server might have access to sensitive information and might be able to perform sensitive operations. JMX provides necessary access control that identifies which clients can access that information and who can perform those operations. The access control is built on the standard Java security model by defining permissions that control access to the MBean server and its operations.
For JMX operation access control or authorization, eXtreme Scale relies on the JAAS support provided by the JMX implementation. At any point in the execution of a program, there is a current set of permissions that a thread of execution holds. When such a thread calls a JMX specification operation, these permissions are known as the held permissions. When a JMX operation is performed, a security check is done to check whether the needed permission is implied by the held permission.
The MBean policy definition follows the Java policy format. For example, the following policy grants all signers and all code bases with the right to retrieve the server JMX address for the PlacementServiceMBean. However, the signers and code bases are restricted to the com.ibm.websphere.objectgrid domain.
grant {
permission javax.management.MBeanPermission
"com.ibm.websphere.objectgrid.management.PlacementServiceMBean#retrieveServerJMXAddress
[com.ibm.websphere.objectgrid:*,type=PlacementService]",
"invoke";
}
You can use the following policy example to complete authorization based on remote client identity. The policy grants the same MBean permission as shown in the preceding example, except only to users with X500Principal name as: CN=Administrator,OU=software,O=IBM,L=Rochester,ST=MN,C=US.
grant principal javax.security.auth.x500.X500Principal "CN=Administrator,OU=software,O=IBM,
L=Rochester,ST=MN,C=US" {permission javax.management.MBeanPermission
"com.ibm.websphere.objectgrid.management.PlacementServiceMBean#retrieveServerJMXAddress
[com.ibm.websphere.objectgrid:*,type=PlacementService]",
"invoke";
}
Java policies are checked only if the security manager is turned on. Start catalog servers and container servers with the -Djava.security.manager JVM argument to enforce the MBean operation access control.
Secure transport
The transport between the JMX client and server can be secured with TLS/SSL. If the transportType of catalog server or container server is set to SSL_Required or SSL_Supported, then you must use SSL to connect to the JMX server.
- -Djavax.net.ssl.trustStore=TRUST_STORE_LOCATION
- -Djavax.net.ssl.trustStorePassword=TRUST_STORE_PASSWORD
- -Djavax.net.ssl.trustStoreType=TRUST_STORE_TYPE
- -Dcom.ibm.ssl.trustStore=TRUST_STORE_LOCATION
- -Dcom.ibm.ssl.trustStorePassword=TRUST_STORE_PASSWORD
- -Dcom.ibm.ssl.trustStoreType=TRUST_STORE_TYPE
- Use the -JMXServicePort option on the startOgServer or startXsServer script.
- If you are using an embedded server, call the setJMXServicePort method in the ServerProperties interface to set the JMX service port.
Setting the JMX service port is required when you want to display container server information from the catalog server. For example, the port is required when you are using the xscmd -c showMapSizes command.
- Use the -JMXConnectorPort option on the startOgServer or startXsServer script.
- If you are using an embedded server, call the setJMVConnectorPort method in the ServerProperties interface.