Kerberos authentication for JMX?

Harsha Wardhana B harsha.wardhana.b at oracle.com
Tue Jun 12 09:41:52 UTC 2018


Hi Peter,

JMX agents support JAAS-based authentication. The login module 
Krb5LoginModule, along with JAAS, can be used to set up Kerberos-based 
authentication for JMX.

A JAAS config file for Kerberos clients could look like,

kerberosClient {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useKeyTab=false
       ...........
};

where the configuration options for the above login module can be found at,
https://docs.oracle.com/javase/10/docs/api/com/sun/security/auth/module/Krb5LoginModule.html

The default JMX agent can be started by setting the two system properties below.

1. com.sun.management.jmxremote.login.config - The JAAS entry in the config 
file above
2. java.security.auth.login.config - The path to the above file

Example:

java -Dcom.sun.management.jmxremote.port=5000
      -Dcom.sun.management.jmxremote.login.config=kerberosClient
      -Djava.security.auth.login.config=kerberos.config
      -jar MyApplication.jar


I have not tried the steps above myself, but they should work in theory. Give 
it a try and let me know if it works.

Thanks
Harsha

On Monday 11 June 2018 06:44 PM, Péter Gergely Horváth wrote:
> Hi All,
>
> I have been working with Big Data for a while and I have seen that a 
> number of the components have started to have their own custom baked 
> solutions (minimalistic Web UIs) for basic management operations, like 
> showing metrics, debugging etc instead of using JMX.
>
> I have the feeling that getting JMX working for dozens of different 
> Java services within a large cluster is an overly tough task, 
> especially if you do not want to make compromises around security. For 
> me it seems, that at the moment there is a gap between what the JDK 
> offers regarding JMX monitoring/management and what people would need 
> in a real world setting to use it effectively in an easy and secure way.
>
> I am wondering if it would be possible to implement a Kerberos-based 
> authentication mechanism for JMX, allowing all services of a cluster 
> to authenticate JMX clients against a centrally managed Kerberos 
> service, that would also be officially supported by VisualVM so as to 
> give an easy-to-use user interface.
>
>
> Based on my understanding, this could either be a new protocol 
> implementation or assuming JDK-8171311: REST APIs for JMX gets done, 
> an additional feature around there to support GSS 
> Negotiate/SPNEGO based authentication.
>
> Could you please share your thoughts on this? Would anyone be 
> interested to sponsor this topic?
>
> Thanks,
> Peter
>
>
>
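
A pre-flight check for the setup described in the mail above, as an added example that is not part of the original message or of the JDK: it resolves the entry name given in com.sun.management.jmxremote.login.config through the JDK's own JAAS configuration parser, so a mistyped entry name or a syntax error in the file shows up before the agent is started. The class name JaasEntryCheck, the temporary file and the sample file contents are constructed; the sample carries only the two options shown in the mail.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasEntryCheck {

    /** Returns a problem description, or null if the entry resolves to Krb5LoginModule. */
    static String check(String entryName) {
        AppConfigurationEntry[] entries;
        try {
            // Same lookup a JAAS LoginContext performs for an entry name.
            entries = Configuration.getConfiguration().getAppConfigurationEntry(entryName);
        } catch (SecurityException e) {
            return "config file missing or unparsable: " + e.getMessage();
        }
        if (entries == null || entries.length == 0) {
            return "no entry named '" + entryName + "' in the config file";
        }
        for (AppConfigurationEntry e : entries) {
            // Print what the parser actually read, so stray options are visible.
            System.out.println("  " + e.getLoginModuleName() + " " + e.getOptions());
            if (e.getLoginModuleName().equals("com.sun.security.auth.module.Krb5LoginModule")) {
                return null;
            }
        }
        return "entry '" + entryName + "' does not use Krb5LoginModule";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample file: only the two options shown in the mail.
        Path cfg = Files.createTempFile("kerberos", ".config");
        Files.write(cfg, Arrays.asList(
            "kerberosClient {",
            "    com.sun.security.auth.module.Krb5LoginModule required",
            "    debug=true",
            "    useKeyTab=false;",
            "};"));
        // Must be set before the first Configuration.getConfiguration() call.
        System.setProperty("java.security.auth.login.config", cfg.toString());
        // The second name is a deliberate mismatch (entry names are case-sensitive).
        for (String name : new String[] {"kerberosClient", "kerberosclient"}) {
            String problem = check(name);
            System.out.println(name + ": " + (problem == null ? "OK" : problem));
        }
        Files.delete(cfg);
    }
}
```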

More information about the serviceability-dev mailing list