
I need to configure TLSv1.2 for JMX communication.

Unfortunately I cannot find the appropriate configuration here: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

How to configure what TLS version is used for JMX over SSL?

PCI DSS 3.1 does not allow usage of TLS 1.0.

Michael

1 Answer


You have obviously not read the documentation you have linked. It says:

  1. com.sun.management.jmxremote.ssl.enabled.protocols: Default SSL/TLS protocol version.

  2. com.sun.management.jmxremote.ssl.enabled.cipher.suites: Default SSL/TLS cipher suites.

This should solve your problem. After you have configured that, scan your JMX port with sslscan with a recent version (1.0.2+) of OpenSSL.

Michael-O
  • Thanks! I missed it :) Maybe you know how to bind JMX ports to localhost? Now when you configure ports it listens on every IP. http://stackoverflow.com/questions/20699068/tomcat7-with-enabled-jmx-opens-2-additional-random-listening-ports – Michael Feb 12 '16 at 07:28
  • Have you tried the boolean value of `com.sun.management.jmxremote.local.only`? – Michael-O Feb 12 '16 at 07:44
  • Yes, but it is not bound. I still cannot see `::ffff:127.0.0.1` – Michael Feb 12 '16 at 08:12
  • @Michael I am quite certain that there is a solution. All of my answers were found within 10 s of googling. You should be able to do so. – Michael-O Feb 12 '16 at 08:23
  • I have successfully configured `com.sun.management.jmxremote.ssl.enabled.protocols=TLSv1.2` and it works great! (I will award the bounty tomorrow - today is not possible). Regarding localhost binding: I spent a couple of hours and was not able to find a way to bind it to localhost. When I configure `remote.port` I cannot bind it to localhost. If you know how to do it I will ask a new question with a new bounty. – Michael Feb 12 '16 at 10:33
  • @Michael. A new bounty is appropriate! – Michael-O Feb 12 '16 at 10:36
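As an added example (not part of the question or the answer above), here is the weak `management.properties` fragment beside the hardened one, followed by a small POSIX shell audit function that rejects any file which enables JMX SSL without pinning `com.sun.management.jmxremote.ssl.enabled.protocols` to TLSv1.2 (or TLSv1.3). The property names are the ones from the linked Oracle page; the port, the cipher-suite choice, the `/tmp` file paths and the `audit_jmx_tls` function are assumptions made for this example, and both sample files are constructed here.

```shell
#!/bin/sh
# Added example: weak vs. hardened JMX-over-SSL agent configuration plus an audit
# function. The two properties files below are constructed for this example.

# Weak: SSL is on, but the protocol list is not pinned, so a JDK 8 agent may still
# accept whatever the JVM default allows (which can include TLSv1.0).
cat > /tmp/jmx-weak.properties <<'EOF'
com.sun.management.jmxremote.port=9010
com.sun.management.jmxremote.ssl=true
com.sun.management.jmxremote.authenticate=true
EOF

# Hardened: pin the protocol and the cipher suites (suite names are standard JSSE
# names; the selection is an assumption for this example).
cat > /tmp/jmx-hardened.properties <<'EOF'
com.sun.management.jmxremote.port=9010
com.sun.management.jmxremote.ssl=true
com.sun.management.jmxremote.authenticate=true
com.sun.management.jmxremote.ssl.enabled.protocols=TLSv1.2
com.sun.management.jmxremote.ssl.enabled.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
EOF

# audit_jmx_tls FILE
# Returns 0 when FILE enables SSL and every enabled protocol is TLSv1.2 or TLSv1.3;
# returns 1 (and prints the reason) otherwise. Assumed helper, not part of the JDK.
audit_jmx_tls() {
  file="$1"
  # prop NAME: last value assigned to NAME in the file (later lines win, as in Java
  # Properties). Dots in NAME act as regex wildcards, which is harmless here because
  # the trailing '=' anchors the match to the exact key.
  prop() { sed -n "s/^[[:space:]]*$1=//p" "$file" | tail -n 1; }

  if [ "$(prop com.sun.management.jmxremote.ssl)" != "true" ]; then
    echo "FAIL: $file: SSL not enabled"; return 1
  fi

  protocols="$(prop com.sun.management.jmxremote.ssl.enabled.protocols)"
  if [ -z "$protocols" ]; then
    echo "FAIL: $file: enabled.protocols not pinned; JVM default may allow TLSv1.0"; return 1
  fi

  # Split the comma-separated list and reject anything older than TLSv1.2.
  for p in $(printf '%s' "$protocols" | tr ',' ' '); do
    case "$p" in
      TLSv1.2|TLSv1.3) ;;
      *) echo "FAIL: $file: forbidden protocol $p"; return 1 ;;
    esac
  done

  echo "OK: $file: protocols=$protocols"
  return 0
}

audit_jmx_tls /tmp/jmx-hardened.properties
audit_jmx_tls /tmp/jmx-weak.properties || echo "(weak config rejected, as expected)"
```

To use the hardened file, start the JVM with `-Dcom.sun.management.config.file=/tmp/jmx-hardened.properties` (the config-file property is documented on the same Oracle page), then confirm the result from the outside with sslscan as the answer suggests: only TLSv1.2 and the pinned suites should be offered on the JMX port. The audit function is deliberately strict about an absent protocol pin rather than trusting the JVM default, because the default differs between JDK builds.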