  1. Cassandra
  2. CASSANDRA-12109

Configuring SSL for JMX connections forces requirement of local truststore


    Details

    • Severity:
      Normal

      Description

      In CASSANDRA-10091 we changed the way the JMX server is constructed such that this is always done programmatically, which gives us control over the authentication and authorization mechanisms. Previously, when LOCAL_JMX=no, Cassandra would allow the JMX setup to be done by the built-in JVM agent, which delegates to sun.management.jmxremote.ConnectorBootstrap to do the actual JMX & RMI setup.

      This change has introduced a regression when SSL is enabled for JMX connections, namely that now it is not possible to start C* with only the server-side elements of the SSL setup specified. That is, if enabling SSL with com.sun.management.jmxremote.ssl=true, it should only be necessary to specify a keystore (via javax.net.ssl.keyStore), and a truststore should only be necessary if client authentication is also enabled (com.sun.management.jmxremote.ssl.need.client.auth=true).

      As it is, C* cannot currently start up without a truststore containing the server's own certificate, which is clearly a bug.
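
The rule stated in the description (a keystore whenever JMX SSL is on, a truststore only when client authentication is also on) can be checked against a JVM option string before a node is started. The script below is an added example, not code from the ticket or from Cassandra; the function names and the placeholder paths are assumptions, and javax.net.ssl.trustStore is the standard JSSE truststore property, which the description does not name.

```shell
#!/bin/sh
# Added example (not Cassandra code). Option names are the ones quoted in the
# description plus the standard javax.net.ssl.trustStore; paths are placeholders.

# jvm_prop OPTS NAME: print the value of the last -DNAME=value found in OPTS.
# Runs in a subshell with globbing off; values containing spaces are not handled.
jvm_prop() (
    set -f
    val=""
    for opt in $1; do
        case "$opt" in
            # This example lets a later occurrence override an earlier one.
            "-D$2="*) val=${opt#*=} ;;
        esac
    done
    printf '%s' "$val"
)

# jmx_ssl_check OPTS: print a verdict; return non-zero if a required store is missing.
jmx_ssl_check() {
    ssl=$(jvm_prop "$1" com.sun.management.jmxremote.ssl)
    auth=$(jvm_prop "$1" com.sun.management.jmxremote.ssl.need.client.auth)
    ks=$(jvm_prop "$1" javax.net.ssl.keyStore)
    ts=$(jvm_prop "$1" javax.net.ssl.trustStore)

    # Assumption of this example: only the literal value "true" enables an option.
    [ "$ssl" = "true" ] || { echo "ssl-disabled"; return 0; }
    # The server always needs its own key material to present a certificate.
    [ -n "$ks" ] || { echo "missing-keystore"; return 1; }
    # A truststore matters only when the server must verify client certificates.
    if [ "$auth" = "true" ] && [ -z "$ts" ]; then
        echo "missing-truststore"; return 1
    fi
    echo "ok"
}

# Constructed sample: server-side SSL only, the case the ticket says must start.
SERVER_ONLY="-Dcom.sun.management.jmxremote.ssl=true -Djavax.net.ssl.keyStore=/path/to/keystore"
# Constructed sample: client authentication requested but no truststore supplied.
CLIENT_AUTH="$SERVER_ONLY -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"

echo "server only: $(jmx_ssl_check "$SERVER_ONLY")"
echo "client auth: $(jmx_ssl_check "$CLIENT_AUTH")"
```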

            People

            • Assignee:
              samt Sam Tunnicliffe
              Reporter:
              samt Sam Tunnicliffe
              Authors:
              Sam Tunnicliffe
              Reviewers:
              T Jake Luciani