How to Secure JMX with Basic Auth (username:password) and TLS Encryption/Authentication
First set up JMX with basic auth as shown in the Secure JMX: Basic Auth page.
To enable TLS encryption/authentication in JMX you need a JKS keystore and truststore.
TLS Encryption/Authentication
Please note that the JKS truststore and keystore should both have the same password.
This is because the `javax.net.ssl` class will use the password you pass for the keystore as the `keypassword`.
Let’s assume this Java process is Kafka and that you have installed the keystore.jks and truststore.jks under `/etc/certs`.
Export the following options in the environment of the user that will run Kafka.
```bash
# JMX options for the Kafka broker: password authentication plus TLS with
# client-certificate authentication on both the connector and the RMI registry.
export BROKER_JMX_OPTS="-Dcom.sun.management.jmxremote=true \
  -Dcom.sun.management.jmxremote.authenticate=true \
  -Dcom.sun.management.jmxremote.ssl=true \
  -Dcom.sun.management.jmxremote.local.only=false \
  -Djava.rmi.server.hostname=10.15.3.1 \
  -Dcom.sun.management.jmxremote.rmi.port=9581 \
  -Dcom.sun.management.jmxremote.access.file=/etc/jmxremote.access \
  -Dcom.sun.management.jmxremote.password.file=/etc/jmxremote.password \
  -Dcom.sun.management.jmxremote.port=9581 \
  -Djavax.net.ssl.keyStore=/etc/certs/kafka.jks \
  -Djavax.net.ssl.keyStorePassword=somePassword \
  -Djavax.net.ssl.trustStore=/etc/certs/truststore.jks \
  -Djavax.net.ssl.trustStorePassword=somePassword \
  -Dcom.sun.management.jmxremote.registry.ssl=true \
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
```
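A pre-start check for the option string above, as an added example that is not part of the original page: it confirms the four security flags are explicitly set to `true`, that the credential and store settings are present, and that both store passwords match. The function names `jmx_opt` and `check_jmx_opts` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: lint a JMX option string against the settings used on this page.
# jmx_opt and check_jmx_opts are hypothetical helper names.

# Print the value of -D<name>=<value> from the option string (nothing if absent).
jmx_opt() {
  local opts="$1" name="$2" tok
  for tok in $opts; do                      # options are whitespace-separated
    case $tok in
      "-D$name="*) printf '%s\n' "${tok#*=}"; return 0 ;;
    esac
  done
  return 0
}

# Print one line per problem; return 0 only when nothing is reported.
check_jmx_opts() {
  local opts="$1" rc=0 key val
  # Flags that must be explicitly "true" for authenticated, TLS-protected JMX.
  for key in authenticate ssl registry.ssl ssl.need.client.auth; do
    val=$(jmx_opt "$opts" "com.sun.management.jmxremote.$key")
    if [ "$val" != "true" ]; then
      echo "WEAK: jmxremote.$key is '${val:-unset}', expected 'true'"; rc=1
    fi
  done
  # Settings that must be present so auth and TLS have material to work with.
  for key in com.sun.management.jmxremote.password.file \
             com.sun.management.jmxremote.access.file \
             javax.net.ssl.keyStore javax.net.ssl.keyStorePassword \
             javax.net.ssl.trustStore javax.net.ssl.trustStorePassword; do
    if [ -z "$(jmx_opt "$opts" "$key")" ]; then
      echo "MISSING: $key"; rc=1
    fi
  done
  # The page requires the keystore and truststore passwords to be the same.
  if [ "$(jmx_opt "$opts" javax.net.ssl.keyStorePassword)" != \
       "$(jmx_opt "$opts" javax.net.ssl.trustStorePassword)" ]; then
    echo "MISMATCH: keyStorePassword and trustStorePassword differ"; rc=1
  fi
  return $rc
}
```

Run it as `check_jmx_opts "$BROKER_JMX_OPTS"` before starting the broker; a non-zero exit status means at least one finding was printed.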