KARAF-541

Support JMX SSL via etc/org.apache.karaf.management.cfg

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.2.5, 3.0.0
    • Component/s: karaf-core
    • Labels: None
    • Environment: windows, linux, java 6

    Attachments

    1. KARAF-541-for-karaf-2.2.4.diff (2 kB, Dan Tran)
    2. KARAF-541-2.diff (14 kB, Dan Tran)
    3. org.apache.karaf.management.zip (39 kB, Jean.Lee)
    4. dps-JMX.zip (8 kB, Jean.Lee)
    5. KARAF-541.diff (13 kB, Dan Tran)
    6. KARAF-541-initial.diff (10 kB, Dan Tran)

Activity

Jean-Baptiste Onofré added a comment -

Fixed on trunk: revision 1210803.

Jean-Baptiste Onofré added a comment -

Fixed on karaf-2.2.x: revision 1210802.

Jean-Baptiste Onofré added a comment -

Thanks Dan, I will review your patch.

Dan Tran added a comment - edited

Please apply this patch for karaf 2.2.4 to get JMX with SSL support (KARAF-541-for-karaf-2.2.4.diff). Tested with our karaf 2.2.4 base.

Jean-Baptiste Onofré added a comment -

Thanks for the update Dan, it will be included in 3.0.0 and 2.2.5.

Dan Tran added a comment -

It turns out there is a flaw, which was shaded by another unintentional sleep before setupSSL() is called.

So instead of this method

    /**
     * Purely check for the availability of provided key stores and key
     * @param keyStore
     * @param keyAlias
     * @param trustStore
     * @param timeout
     */
    private void checkForKeystoresAvailability(String keyStore, String keyAlias, String trustStore, long timeout) {
        for (int i = 0; i < timeout / 1000; ++i) {
            KeystoreInstance keyInstance = getKeystore(keyStore);
            // Flaw: a keystore that is not registered yet (null) passes both checks instead of being waited for
            if (keyInstance != null && keyInstance.isKeystoreLocked()) {
                sleep(1000);
                logger.info("Looking for keystore: {}...", keyStore);
                continue;
            }
            if (keyInstance != null && keyInstance.isKeyLocked(keyAlias)) {
                sleep(1000);
                logger.info("Looking for keystore's key: {}...", keyAlias);
                continue;
            }
            KeystoreInstance trustInstance = trustStore == null ? null : getKeystore(trustStore);
            if (trustInstance != null && trustInstance.isKeystoreLocked()) {
                sleep(1000);
                logger.info("Looking for truststore: {}...", trustStore);
                continue;
            }
        }
    }

it must be changed to

    /**
     * Purely check for the availability of provided key stores and key
     * @param keyStore
     * @param keyAlias
     * @param trustStore
     * @param timeout
     */
    private void checkForKeystoresAvailability(String keyStore, String keyAlias, String trustStore, long timeout) {
        for (int i = 0; i < timeout / 1000; ++i) {
            KeystoreInstance keyInstance = getKeystore(keyStore);
            // A store that is not registered yet is treated like a locked one: sleep and retry
            if (keyInstance == null || keyInstance.isKeystoreLocked()) {
                sleep(1000);
                logger.info("Looking for keystore: {}...", keyStore);
                continue;
            }
            if (keyInstance.isKeyLocked(keyAlias)) {
                sleep(1000);
                logger.info("Looking for keystore's key: {}...", keyAlias);
                continue;
            }
            // Only wait for a truststore when one is configured; otherwise a null trustStore would sleep for the whole timeout
            if (trustStore != null) {
                KeystoreInstance trustInstance = getKeystore(trustStore);
                if (trustInstance == null || trustInstance.isKeystoreLocked()) {
                    sleep(1000);
                    logger.info("Looking for truststore: {}...", trustStore);
                    continue;
                }
            }
            return; // everything is available, no need to burn the remaining iterations
        }
    }

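The null case described in the comment above, as an added example that is not Karaf's code: a stand-alone Java version of the availability wait in which an unregistered store is treated like a locked one, generalised to report whether the stores became available before a deadline instead of silently returning. KeystoreInstance is a hypothetical two-method stand-in for Karaf's interface, and the late-registering thread is a constructed simulation of a <jaas:keystore> bundle starting after the management bundle.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class KeystoreAvailability {
    /** Hypothetical stand-in for Karaf's KeystoreInstance: only the two calls the wait loop needs. */
    interface KeystoreInstance { boolean isKeystoreLocked(); boolean isKeyLocked(String alias); }
    /** Stand-in for the KeystoreManager lookup; a missing entry means no bundle has registered that name yet. */
    private final Map<String, KeystoreInstance> registry = new ConcurrentHashMap<>();
    void register(String name, KeystoreInstance ks) { registry.put(name, ks); }

    /** Returns null once keystore, key and (optional) truststore are all registered and unlocked. */
    private String whatIsMissing(String keyStore, String keyAlias, String trustStore) {
        KeystoreInstance key = registry.get(keyStore);
        if (key == null || key.isKeystoreLocked()) return "keystore " + keyStore; // null is "not yet", not "fine"
        if (key.isKeyLocked(keyAlias)) return "key " + keyAlias;
        if (trustStore == null) return null; // no truststore configured: nothing to wait for
        KeystoreInstance trust = registry.get(trustStore);
        return (trust == null || trust.isKeystoreLocked()) ? "truststore " + trustStore : null;
    }

    /** Polls once a second until everything is available (true) or the deadline passes (false). */
    boolean waitForKeystores(String keyStore, String keyAlias, String trustStore, long timeoutMillis) throws InterruptedException {
        long deadline = System.currentTimeMillis() + timeoutMillis;
        for (String missing; (missing = whatIsMissing(keyStore, keyAlias, trustStore)) != null; ) {
            if (System.currentTimeMillis() >= deadline) {
                System.out.println("Timed out waiting for " + missing);
                return false;
            }
            System.out.println("Looking for " + missing + "...");
            Thread.sleep(1000);
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeystoreAvailability ka = new KeystoreAvailability();
        KeystoreInstance unlocked = new KeystoreInstance() {
            public boolean isKeystoreLocked() { return false; }
            public boolean isKeyLocked(String alias) { return false; }
        };
        // Constructed scenario: the <jaas:keystore> bundle registers its stores 2.5 s after the connector asks
        new Thread(() -> {
            try { Thread.sleep(2500); } catch (InterruptedException e) { return; }
            ka.register("dps3_keystore", unlocked);
            ka.register("dps3_trust_keystore", unlocked);
        }).start();
        boolean ready = ka.waitForKeystores("dps3_keystore", "dps3", "dps3_trust_keystore", 10_000);
        System.out.println(ready ? "stores available, SSL connector can start" : "not starting the connector");
    }
}
```

With the original null-tolerant checks the loop would have finished immediately and the connector would have started without its stores; here the caller gets a false on timeout and can refuse to start rather than fall back to an unprotected connector.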
Jean-Baptiste Onofré added a comment -

Added on karaf-2.2.x: revision 1179144.

Jean-Baptiste Onofré added a comment -

Added on trunk: revision 1179140.

Dan Tran added a comment -

KARAF-738 is now optional from the system bundle perspective; a user who wants secured JMX can use KARAF-738 as a template to create his/her own keystore bundle.

Dan Tran added a comment -

KARAF-541-2.diff now checks to make sure the KeyStores are loaded by the jaas config.

Dan Tran added a comment -

Some discussion about the keystore issue is at http://karaf.922171.n3.nabble.com/Ability-to-deploy-new-keystores-or-truststores-at-runtime-td3025230.html

Jean.Lee added a comment -

Roger that, you mean if you define the <jaas:config> outside of the management bundle, it will not work as you expected, right? That is a problem, because the management bundle will be started before your <jaas:config> bundles. I am also not sure if karaf will use an outside keystore dynamically.

Dan Tran added a comment -

Hi Jean, if you don't mind I would like to continue the discussion to get more exposure from the dev environment.

For my case, with my patch, I create a new karaf management bundle (call it 2.2.1.1) and replace the original one under karaf/system. It works like a charm.

The drawback is I have to use <jaas:config> to create my own keystore and truststore right in the management bundle. This is the remaining issue I need to solve before I can ask the Karaf dev team to accept this patch.

For now, the workaround works for me, I just need to get this officially accepted.

Jean.Lee added a comment - edited

BTW, I also attached the org.apache.karaf.management.zip here; it also gets working, it is based on your diff file

    <cm:property name="keyStore" value="dps3_keystore"/>
    <cm:property name="keyAlias" value="dps3"/>
    <cm:property name="trustStore" value="dps3_trust_keystore"/>

    <!-- default keystore/truststore -->
    <jaas:keystore xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0" name="dps3_keystore" rank="1"
                   path="file:etc/dps3.keystore" keystorePassword="ecwise" keyPasswords="dps3=ecwise" />

    <jaas:keystore xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0" name="dps3_trust_keystore" rank="1"
                   path="file:etc/dps3_client.keystore" keystorePassword="ecwise" keyPasswords="dps3=ecwise" />

my env is Karaf 2.1.4-fuse-00-15, fuse esb 4.4

Jean.Lee added a comment -

I have tested the bundle, it could work, so I can connect to the platform MBean server using the command:

    jconsole -J-Djavax.net.ssl.trustStore=C:/fuse-01-15/etc/dps3_client.keystore -J-Djavax.net.ssl.trustStoreType=JKS -J-Djavax.net.ssl.trustStorePassword=ecwise

If you have any questions, you could send email to me, it is jlee@ecwise.com

Jean.Lee added a comment -

Yes, I see. You know, when Karaf gets started, if you want to replace the existing management bundle with the changed management bundle, that is not easy: you have to find the bundle id and delete the bundle directory from the data directory, and you could not deploy the bundle dynamically. So I think for a deployer that is more technical. So I created a bundle that you could put in the deploy directory; when it gets started, it will replace the JMX connector with a new connector, and the new connector could support SSL.

Dan Tran added a comment -

Jean, thank you for the suggestion; I am not sure what your intention is here.

My goal is to enhance the existing karaf management bundle to support SSL. The drawback is I could not get the keystore to initialize before the management bundle started.

Jean.Lee added a comment -

I got some idea from your change, so I created a bundle which could be used to replace the existing JMX connector, so that you do not have to hack the Karaf Management bundle. Hope it will help you.

Dan Tran added a comment -

A complete solution to add SSL support (KARAF-541.diff).

Note: Currently, due to a timing issue, a preconfigured keystore via <jaas:config> on any bundle does not get loaded before the management bundle starts. Therefore we need to find a way to get Karaf to load the keystore first, perhaps via another new bundle like o.a.k.keymanager, to load before the management bundle starts.

Dan Tran added a comment -

I finally got Karaf JMX to support SSL including client certificate authentication (in a hacky way):

• implement setupSSL method as suggested in the discussion (karaf.management.ConnectorServerFactory)
• reference keyStoreManager under karaf.jaas.config.
• create keystore and truststore using <jaas:keystore>. This is tricky since I have to do it under karaf.management, which should not be aware of custom keystores.

I need help in this area to get this fix to completion. See the initial patch for details.
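The setupSSL step from the first bullet, as an added example rather than the patch's own code: a stand-alone JMX connector server built with the JDK's SslRMIServerSocketFactory, with the client-certificate requirement as a flag. Host, ports and the karaf-root URL shape are assumptions for the example; the server's key and the trusted client CAs come from the standard javax.net.ssl.* system properties rather than from a KeystoreManager.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SslJmxConnectorServer {
    /**
     * Starts an RMI JMX connector whose data channel is TLS. With needClientAuth=true the
     * handshake requires a client certificate and validates it against the JVM truststore.
     */
    public static JMXConnectorServer start(String host, int registryPort, int serverPort, boolean needClientAuth) throws Exception {
        // null cipher-suite / protocol arrays mean JVM defaults; the third argument is the client-auth switch
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, needClientAuth);
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        // The registry stays plain here: it only hands out the connector stub, and the stub carries the TLS
        // factories, so MBean traffic is TLS. To protect the lookup too, create it with csf/ssf as well.
        LocateRegistry.createRegistry(registryPort);
        Map<String, Object> env = new HashMap<>();
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
        env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
        // Same URL shape as the serviceUrl in etc/org.apache.karaf.management.cfg (assumed here)
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://" + host + ":" + serverPort
                + "/jndi/rmi://" + host + ":" + registryPort + "/karaf-root");
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        // The JDK factories read server identity and trusted client CAs from the standard properties, e.g.
        //   -Djavax.net.ssl.keyStore=etc/dps3.keystore -Djavax.net.ssl.keyStorePassword=<placeholder>
        //   -Djavax.net.ssl.trustStore=etc/dps3_client.keystore -Djavax.net.ssl.trustStorePassword=<placeholder>
        JMXConnectorServer server = start("localhost", 1099, 44444, true);
        System.out.println("JMX over TLS with client-cert auth at " + server.getAddress());
        Thread.currentThread().join(); // keep the JVM alive so a client can connect
    }
}
```

With needClientAuth=true, a jconsole started as in Jean.Lee's comment with only trustStore properties is rejected at the handshake; it additionally needs -J-Djavax.net.ssl.keyStore (and password) pointing at a certificate the server's truststore accepts.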

People

• Assignee: Jean-Baptiste Onofré
• Reporter: Dan Tran