I spent a lot of time working on adding JMX support to an enterprise application. JMX should use SSL and client authentication by SQL. That's not the problem. I'm using system properties to enable SSL. System properties are global to a JVM. Especially in a large application, conflicts can quickly arise if alternate configuration methods aren't available.
Especially in a large enterprise application, calls need to be made to different services that require different certificates, and especially with limitations around automatic certificate selection, there needs to be a way to hook into this through flexible code when required. Unfortunately, JMX and RMI currently provide no such hooks, relying exclusively on system properties or the default socket factory.
Is there any way to make JMX use SSL without using system properties?
Edit:
Using SslRMIClientSocketFactory did not work.
```java
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// System.setProperty( "java.rmi.server.randomIDs", "true" );
// System.setProperty( "javax.net.ssl.keyStore", keystore );
// System.setProperty( "javax.net.ssl.keyStorePassword", "password" );

// SSL-based RMI socket factories, handed to the connector server through its environment map.
Map<String, Object> map = new HashMap<>();
SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();
map.put( RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf );
map.put( RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf );
```
Exception:

```
java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:304)
```
You can create your own RMIConnectorServer and conditionally enable it for SSL. When constructing the server instance, the environment map can be loaded with your own RMIClientSocketFactory and RMIServerSocketFactory instances. To enable SSL, these factories can be set to configured SslRMIClientSocketFactory and SslRMIServerSocketFactory instances, and you will have recreated the equivalent of the system-property-configured connector server. I have not done this with SSL, but it seems fairly well documented.
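A worked version of the approach in this answer, added here as an example and not code from either post. The reason the question's attempt fails is that the no-argument `SslRMIClientSocketFactory` and `SslRMIServerSocketFactory` use the JVM-wide default `SSLSocketFactory` / `SSLServerSocketFactory`, which only have key material when `javax.net.ssl.keyStore` is set; with those properties commented out the server has no certificate to offer, so the client receives exactly the `handshake_failure` alert in the trace. Since Java 7, `SslRMIServerSocketFactory` has a constructor that takes an explicit `SSLContext`, but the client-side class has no such hook, so the example below supplies its own factories for both sides. The class names, file names (`jmx-server.p12`, `jmx-truststore.p12`), passwords and port are assumptions for illustration; `com.sun.jndi.rmi.factory.socket` is the Sun/Oracle JNDI property that selects the socket factory used for the registry lookup and bind.

```java
import java.io.*;
import java.lang.management.ManagementFactory;
import java.net.*;
import java.rmi.registry.LocateRegistry;
import java.rmi.server.*;
import java.security.KeyStore;
import java.util.*;
import javax.management.remote.*;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.net.ssl.*;

public final class ExplicitSslJmx {

    /** Builds an SSLContext from explicit PKCS12 files; nothing here reads javax.net.ssl.* properties. */
    static SSLContext buildContext(String keyStore, char[] keyPass, String trustStore, char[] trustPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyStore)) { ks.load(in, keyPass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStore)) { ts.load(in, trustPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server-side factory: it never leaves the server JVM, so it can hold the SSLContext directly. */
    static final class ContextServerSocketFactory implements RMIServerSocketFactory {
        private final SSLContext ctx;
        ContextServerSocketFactory(SSLContext ctx) { this.ctx = ctx; }
        @Override public ServerSocket createServerSocket(int port) throws IOException {
            SSLServerSocket s = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
            s.setEnabledProtocols(new String[] {"TLSv1.2"});
            s.setNeedClientAuth(true); // mutual TLS: clients must present a certificate trusted by the truststore
            return s;
        }
    }

    /**
     * Client-side factory. RMI serialises it into the stub and ships it to clients, so it must be
     * Serializable and must NOT carry the SSLContext; each JVM installs its own context locally.
     */
    static final class ContextClientSocketFactory implements RMIClientSocketFactory, Serializable {
        private static final long serialVersionUID = 1L;
        private static volatile SSLContext localContext; // static: never serialised
        static void install(SSLContext ctx) { localContext = ctx; }

        @Override public Socket createSocket(String host, int port) throws IOException {
            SSLContext ctx = localContext;
            if (ctx == null) throw new IOException("no SSLContext installed in ContextClientSocketFactory");
            SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // check the server certificate against 'host'
            s.setSSLParameters(p);
            return s;
        }
        // RMI shares connections per factory equality; every instance of this class is equivalent.
        @Override public boolean equals(Object o) { return o instanceof ContextClientSocketFactory; }
        @Override public int hashCode() { return ContextClientSocketFactory.class.hashCode(); }
    }

    /** Exports the platform MBeanServer over TLS; the registry and the connector both use the factories. */
    static JMXConnectorServer startServer(SSLContext ctx, int port) throws Exception {
        // The server binds into its own registry through csf, so with client auth required its own
        // certificate must be trusted by the truststore it was built with.
        ContextClientSocketFactory.install(ctx);
        RMIClientSocketFactory csf = new ContextClientSocketFactory();
        RMIServerSocketFactory ssf = new ContextServerSocketFactory(ctx);
        LocateRegistry.createRegistry(port, csf, ssf);
        Map<String, Object> env = new HashMap<>();
        env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
        env.put("com.sun.jndi.rmi.factory.socket", csf); // JNDI bind into the registry also goes over TLS
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(
                url, env, ManagementFactory.getPlatformMBeanServer());
        cs.start();
        return cs;
    }

    /** Client side: the same factory class must be on the classpath, with the client's context installed. */
    static JMXConnector connect(SSLContext clientCtx, String host, int port) throws IOException {
        ContextClientSocketFactory.install(clientCtx);
        Map<String, Object> env = new HashMap<>();
        env.put("com.sun.jndi.rmi.factory.socket", new ContextClientSocketFactory());
        return JMXConnectorFactory.connect(
                new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi"), env);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical file names and passwords; load them from the application's own configuration.
        SSLContext ctx = buildContext("jmx-server.p12", "changeit".toCharArray(),
                                      "jmx-truststore.p12", "changeit".toCharArray());
        JMXConnectorServer cs = startServer(ctx, 9999);
        System.out.println("JMX over TLS listening at " + cs.getAddress());
    }
}
```

Two points are worth checking when adapting this. First, the client socket factory is what gets serialised into the RMI stub, so anything placed in an instance field (a context, a keystore password) would be sent to every client; keeping the context in a static field set by each JVM avoids that and lets the server and each client use different certificates without touching system properties. Second, if the factories are not given `equals`/`hashCode`, RMI treats every deserialised instance as a distinct factory and opens a fresh TLS connection per call, which shows up as a handshake per MBean operation.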