Uploading a patch and a jar file for this. I have tested JMXSecureConnector with farming, Tomcat Native Clustering. I do not see any issues with both of these scenario. I have also tested plain JMXConnector and it works well for me.

The JavaAgent.jar needs to be set in geronimo.bat so that server knows the location/password of keystore and truststore. This jar hsa to be copied to lib folder of geronimo.

Please review and provide comments which can further improve the fix.

The new code for the java agent has been modfied to pick up the default keystore, truststore password.

Hi Ashish,
how to set the JavaAgent.jar in geronimo.bat? please provide a example or shall we update the doc?

Hi Rex, This is how you can use the JavaAgent.jar. You have to set it in geronimo.bat as follows:

%_EXECJAVA% %JAVA_OPTS% %GERONIMO_OPTS% %JAVA_AGENT_OPTS% -Djava.endorsed.dirs="%GERONIMO_HOME%\lib\endorsed;%JRE_HOME%\lib\endorsed" -Djava.ext.dirs="%GERONIMO_HOME%\lib\ext;%JRE_HOME%\lib\ext" -Dorg.apache.geronimo.home.dir="%GERONIMO_HOME%" -Djava.io.tmpdir="%GERONIMO_TMPDIR%" -javaagent:%GERONIMO_HOME%\lib\JavaAgent.jar -jar %_JARFILE% %_LONG_OPT% %CMD_LINE_ARGS%.

If you are using your own keystore and truststore than you may want to specify "org.apache.geronimo.keyStoreTrustStorePasswordFile". Else the default will be taken from config-substituion.properties. Chck out GERONIMO-5146.

The jar has to be copied to lib folder of geronimo.

Thanks
Ashish

Hi, Ashish,
Could you provide the source code of your JavaAgent.jar? I am afraid I do not feel comfortable to add such jar into georonimo_home/lib/, does the JavaAgent just hardcode the location/pwd of keystore/truststore?

Is there any difference between using "-javaagent" and the geronimo options "--secure" you proposed in GERONIMO-4896?

Hi Rex,

You can find the source code in the jar itself. The jar has been uploaded in the JIRA. The class does not hard code any values and is based on the same logic as 4896.
This Java agent is required when you will want to establish a secure communication b/w 2 servers say in case of clustering. Actually java agent is just an interceptor in front
of the main method, --secure option is to invoke any command using the JMXSecure connector.

Thanks
Ashish

Hi Ashish, thanks for the quick answer. I would avoid using a java agent to intercept users setting and prefer providing an arguments "--secure" in cli. Could you take a look at if you can offer a solution in geronimo-cli?

one more point..
From the patch, I see you move the name of JMXSecureConnector to JMXService, is that only because the cluster's Node gbean has a reference to "JMXService"? If so, I think we should keep the name as is, and make the reference name configurable in config.xml by adding <reference> in pom's <config-xml-content>.

Rex, Your comments are well taken, I will soon upload a new modified patch.

Hi Rex, As per your comment #1 "providing an arguments "--secure" in cli" do you mean to say when we start the server we should have an option say "geronimo.bat --secure run"??
Thanks
Ashish

Rex, Here is the updated patch. Using this both the JMXSecure and JMX Non Secure connector can be used simultaneously. I have tested this with farming and seems to be working fine. Please verify and apply.

Looks good to me.
rev924795 @ branch 21

Thanks

Hi, Ashish,
Could you please commit the changes to branch 2.2 & trunk when you are available?

Applied to 2.2 @revision 938358.

Closing this for 21 and 22 branch.

https://issues.apache.org/jira/browse/GERONIMO-5294 was opened to continue track this problem in geronimo 3.x.