JMX Monitoring SSL Setup Guide

Patrick Russell
2020-10-15 15:27


If your JMX monitoring application requires SSL, this guide describes how to set up the certificates.

Supported Versions

Artifactory 6.X and 7.X (7.X paths are used)


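On the Artifactory server, set these environment variables. The keytool commands below also use ${DAYS} (certificate validity in days) and ${PASSWORD} (the keystore and key password), so set those as well: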

DNAME="cn=App, ou=Java, o=Zabbix, c=LV"
CACERTS="/etc/ssl/certs/java/cacerts" #Used to create a new keystore

First, create the keystore and truststore for the application, Apache Tomcat in this case. 

Use the $CACERTS variable as the basis for the new keystore and truststore, so that all public CAs are trusted as well as the new certificates. Make sure to set the variable to an existing cacerts file; the path above is an example.

Generate the new keystore using these commands:

#Initialize the keystore 
keytool -genkey -alias tomcat -keyalg RSA -validity ${DAYS} -keystore tomcat.keystore -storepass ${PASSWORD} -keypass ${PASSWORD} -dname "${DNAME}"

#Update the Truststore with the new Tomcat Keystore
cp ${CACERTS} tomcat.truststore

keytool -storepasswd -keystore tomcat.truststore -storepass changeit -new ${PASSWORD}

keytool -genkey -alias tomcat -keyalg RSA -validity ${DAYS} -keystore tomcat.truststore -storepass ${PASSWORD} -keypass ${PASSWORD} -dname "${DNAME}"

On the JMX client, such as jconsole, follow the same steps to create a new keystore:

DNAME="cn=App, ou=Java, o=Zabbix, c=LV"
keytool -genkey -alias jconsole -keyalg RSA -validity ${DAYS} -keystore jconsole.keystore -storepass ${PASSWORD} -keypass ${PASSWORD} -dname "${DNAME}"

cp ${CACERTS} jconsole.truststore

keytool -storepasswd -keystore jconsole.truststore -storepass changeit -new ${PASSWORD}

keytool -genkey -alias jconsole -keyalg RSA -validity ${DAYS} -keystore jconsole.truststore -storepass ${PASSWORD} -keypass ${PASSWORD} -dname "${DNAME}"

Then, export the public certificates from the keystores:

keytool -export -alias tomcat -keystore tomcat.keystore -file tomcat.cer -storepass ${PASSWORD}

keytool -export -alias jconsole -keystore jconsole.keystore -file jconsole.cer -storepass ${PASSWORD}

Finally, import the certificates into each other's truststores. This allows the application (Tomcat) to trust the client (JConsole), and vice versa:

keytool -import -alias jconsole -file jconsole.cer -keystore tomcat.truststore -storepass ${PASSWORD} -noprompt

keytool -import -alias tomcat -file tomcat.cer -keystore jconsole.truststore -storepass ${PASSWORD} -noprompt

#Get rid of any remaining CER certificate files
rm -f *.cer
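
To confirm the cross-import, compare what each side holds: an alias must be a PrivateKeyEntry in its own keystore and a trustedCertEntry with the same fingerprint in the peer's truststore. The script below is an added example, not part of the original guide; the function names, listing file names and sample fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide). Input files hold the text printed by:
#   keytool -list -keystore <store> -storepass "$PASSWORD"

# entry_info ALIAS < listing  -> prints "<entry type> <fingerprint>"
entry_info() {
    awk -v want="$1" '
        # Entry lines look like: "tomcat, Oct 15, 2020, PrivateKeyEntry,"
        /Entry, *$/ { n = split($0, f, /, */); name = f[1]; kind = f[n-1]; next }
        # The fingerprint line directly follows its entry line
        /^Certificate fingerprint/ && name == want { print kind, $NF; exit }
    '
}

# check_trust KEYSTORE_LISTING PEER_TRUSTSTORE_LISTING ALIAS
# Passes only if ALIAS is a private key in its own keystore and the peer
# truststore holds the same certificate as a trusted entry.
check_trust() {
    own=$(entry_info "$3" < "$1")
    peer=$(entry_info "$3" < "$2")
    [ -n "$own" ] && [ -n "$peer" ] || { echo "$3: alias missing" >&2; return 1; }
    [ "${own%% *}" = PrivateKeyEntry ] || { echo "$3: no private key" >&2; return 1; }
    [ "${peer%% *}" = trustedCertEntry ] || { echo "$3: not trusted by peer" >&2; return 1; }
    [ "${own#* }" = "${peer#* }" ] || { echo "$3: fingerprint mismatch" >&2; return 1; }
}

# Constructed sample listings; the fingerprints are made-up placeholders.
tmp=$(mktemp -d)
cat > "$tmp/tomcat.keystore.txt" <<'EOF'
Your keystore contains 1 entry

tomcat, Oct 15, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:11:22:33
EOF
cat > "$tmp/jconsole.truststore.txt" <<'EOF'
Your keystore contains 2 entries

jconsole, Oct 15, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): CC:77:88:99
tomcat, Oct 15, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:11:22:33
EOF
check_trust "$tmp/tomcat.keystore.txt" "$tmp/jconsole.truststore.txt" tomcat \
    && echo "tomcat certificate is trusted by the jconsole truststore"
```

Run it a second time with the jconsole keystore listing, the tomcat truststore listing and the alias jconsole to check the other direction.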

On the Artifactory instance, add the JMX Remote properties to the file:

vim /var/opt/jfrog/artifactory/etc/artifactory/

#Restart the application
$ systemctl restart artifactory

On the Zabbix Java Gateway (exact steps will differ depending on the JMX monitoring application):

$ vim /usr/sbin/zabbix_java_gateway

ZABBIX_OPTIONS="$ZABBIX_OPTIONS -Dsun.rmi.transport.tcp.responseTimeout=$tcp_timeout"

$ systemctl restart zabbix-java-gateway  # Verify in the UI if it works