Connect to JMX via SSL on Spring

Question

In my messagedriven project I have one point that needs JMX, the deletion of message queues.

Currently, I create my MBean of the qpid broker like the following:

<bean name="jmxConnection"
    class="org.springframework.jmx.support.MBeanServerConnectionFactoryBean"
    p:serviceUrl="service:jmx:rmi:///jndi/rmi://localhost:8999/jmxrmi" >
    <property name="environment">
        <map>
            <entry key="jmx.remote.credentials">
                <bean class="org.springframework.util.StringUtils"
                    factory-method="commaDelimitedListToStringArray">
                    <constructor-arg value="username, password" />
                </bean>
            </entry>
        </map>
    </property>
</bean>

<bean id="managedBroker" class="org.springframework.jmx.access.MBeanProxyFactoryBean"
    p:objectName='org.apache.qpid:type=VirtualHost.VirtualHostManager,VirtualHost="default"'
    p:server-ref="jmxConnection" 
    p:proxyInterface="org.apache.qpid.management.common.mbeans.ManagedBroker" />

That works, but I want to use SSL. On broker side I can set SSL to the JMX connection.

Qpid manual says that the truststore must be set via jconsole.

jconsole -J-Djavax.net.ssl.trustStore=jmxtruststore.jks -J-Djavax.net.ssl.trustStorePassword=password

Is it possible to set the truststore directly on the jmxConnection with Spring?

Answer 1

No, you cannot set the truststore directly on the jmxConnection, however, you can use that environment map to set the SslRMIServerSocketFactory and SslRMIClientSocketFactory for the jmxConnection. These two classes will manage the SSL sockets for both the server and client. I believe the environment map's keys for the above two classes are "jmx.remote.rmi.server.socket.factory" and "jmx.remote.rmi.client.socket.factory" respectively.

You will also need to set both "javax.net.ssl.trustStore" and "javax.net.ssl.trustStorePassword" java properties in your spring project (either by passing in the environment variables at runtime or by explicitly setting them in the application yourself. After this your jmxConnection will also be utilizing SSL.