GERONIMO-5148

Remove the dependency of clustering over JMXConnector

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.5, 2.2.1, 3.0.0
    • Fix Version/s: 2.1.5, 2.2.1, 2.2.2
    • Component/s: Clustering
    • Security Level: public (Regular issues)
    • Labels:
      None
    • Patch Info:
      Patch Available

      Description

      It should be possible to make use of JMXSecureConnector for clustering. Currently, if we use JMXSecureConnector, then we have to disable the clustering modules.

      1. 5148.patch
        3 kB
        Ashish Jain
      2. JavaAgent.jar
        4 kB
        Ashish Jain
      3. 5148_updated_21.patch
        10 kB
        Ashish Jain

        Activity

        Shawn Jiang added a comment -

        Closing this for 21 and 22 branch.

        https://issues.apache.org/jira/browse/GERONIMO-5294 was opened to continue tracking this problem in Geronimo 3.x.

        Ashish Jain added a comment -

        Applied to 2.2 @revision 938358.

        Rex Wang added a comment - edited

        Hi, Ashish,
        Could you please commit the changes to branch 2.2 & trunk when you are available?

        Rex Wang added a comment -

        Looks good to me.
        rev924795 @ branch 21

        Thanks

        Ashish Jain added a comment -

        Rex, here is the updated patch. Using this, both the JMXSecure and JMX Non Secure connectors can be used simultaneously. I have tested this with farming and it seems to be working fine. Please verify and apply.

        Ashish Jain added a comment -

        Hi Rex, As per your comment #1 "providing an arguments "--secure" in cli" do you mean to say when we start the server we should have an option say "geronimo.bat --secure run"??
        Thanks
        Ashish

        Ashish Jain added a comment -

        Rex, Your comments are well taken, I will soon upload a new modified patch.

        Rex Wang added a comment -

        one more point..
        From the patch, I see you move the name of JMXSecureConnector to JMXService, is that only because the cluster's Node gbean has a reference to "JMXService"? If so, I think we should keep the name as is, and make the reference name configurable in config.xml by adding <reference> in pom's <config-xml-content>.

        Rex Wang added a comment - edited

        Hi Ashish, thanks for the quick answer. I would avoid using a java agent to intercept users' settings and prefer providing an argument "--secure" in cli. Could you take a look at whether you can offer a solution in geronimo-cli?

        Ashish Jain added a comment -

        Hi Rex,

        You can find the source code in the jar itself. The jar has been uploaded in the JIRA. The class does not hard code any values and is based on the same logic as 4896.
        This Java agent is required when you want to establish secure communication between 2 servers, say in the case of clustering. Actually, the java agent is just an interceptor in front of the main method; the --secure option is to invoke any command using the JMXSecure connector.

        Thanks
        Ashish
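
What an agent of the kind described in this comment looks like, as an added example that is not the source of JavaAgent.jar and not Geronimo code: the class name `TlsStoreAgent` and the four keys read from the password file are hypothetical, while the `javax.net.ssl.*` system properties are the standard JSSE ones. It assumes the property named in the thread holds the path of that file.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.instrument.Instrumentation;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

/**
 * Added illustration, not the contents of JavaAgent.jar. Packaged in a jar whose
 * manifest has "Premain-Class: TlsStoreAgent" and loaded with -javaagent:, the JVM
 * calls premain() before the application's main method.
 */
public final class TlsStoreAgent {
    // Property name quoted in the thread; assumed here to hold the path of a password file.
    static final String PASSWORD_FILE_PROP = "org.apache.geronimo.keyStoreTrustStorePasswordFile";

    public static void premain(String agentArgs, Instrumentation inst) throws IOException {
        String file = System.getProperty(PASSWORD_FILE_PROP);
        if (file == null) {
            throw new IllegalStateException(PASSWORD_FILE_PROP + " is not set");
        }
        configure(Paths.get(file));
    }

    /** Reads the hypothetical keys below and sets the standard JSSE system properties. */
    static void configure(Path passwordFile) throws IOException {
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(passwordFile)) {
            p.load(in);
        }
        copy(p, "keyStore", "javax.net.ssl.keyStore");
        copy(p, "keyStorePassword", "javax.net.ssl.keyStorePassword");
        copy(p, "trustStore", "javax.net.ssl.trustStore");
        copy(p, "trustStorePassword", "javax.net.ssl.trustStorePassword");
    }

    private static void copy(Properties from, String key, String systemProperty) {
        String value = from.getProperty(key);
        if (value == null || value.isEmpty()) {
            // Fail closed: do not start the server with a partly configured TLS setup.
            throw new IllegalStateException("missing '" + key + "' in password file");
        }
        System.setProperty(systemProperty, value);
    }
}
```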

        Rex Wang added a comment - edited

        Hi, Ashish,
        Could you provide the source code of your JavaAgent.jar? I am afraid I do not feel comfortable adding such a jar to geronimo_home/lib/. Does the JavaAgent just hardcode the location/pwd of keystore/truststore?

        Is there any difference between using "-javaagent" and the geronimo options "--secure" you proposed in GERONIMO-4896?

        Ashish Jain added a comment -

        Hi Rex, This is how you can use the JavaAgent.jar. You have to set it in geronimo.bat as follows:

        %_EXECJAVA% %JAVA_OPTS% %GERONIMO_OPTS% %JAVA_AGENT_OPTS% -Djava.endorsed.dirs="%GERONIMO_HOME%\lib\endorsed;%JRE_HOME%\lib\endorsed" -Djava.ext.dirs="%GERONIMO_HOME%\lib\ext;%JRE_HOME%\lib\ext" -Dorg.apache.geronimo.home.dir="%GERONIMO_HOME%" -Djava.io.tmpdir="%GERONIMO_TMPDIR%" -javaagent:%GERONIMO_HOME%\lib\JavaAgent.jar -jar %_JARFILE% %_LONG_OPT% %CMD_LINE_ARGS%.

        If you are using your own keystore and truststore, then you may want to specify "org.apache.geronimo.keyStoreTrustStorePasswordFile". Else the default will be taken from config-substitutions.properties. Check out GERONIMO-5146.

        The jar has to be copied to the lib folder of Geronimo.

        Thanks
        Ashish

        Rex Wang added a comment -

        Hi Ashish,
        How do I set the JavaAgent.jar in geronimo.bat? Please provide an example, or shall we update the doc?

        Ashish Jain added a comment -

        The new code for the java agent has been modified to pick up the default keystore, truststore password.

        Ashish Jain added a comment -

        Uploading a patch and a jar file for this. I have tested JMXSecureConnector with farming, Tomcat Native Clustering. I do not see any issues with either of these scenarios. I have also tested plain JMXConnector and it works well for me.

        The JavaAgent.jar needs to be set in geronimo.bat so that the server knows the location/password of keystore and truststore. This jar has to be copied to the lib folder of Geronimo.

        Please review and provide comments which can further improve the fix.


          People

          • Assignee:
            Ashish Jain
            Reporter:
            Ashish Jain
          • Votes:
            0
            Watchers:
            1
