Current state: Adopted (2.3.0)
Discussion thread: here
Vote thread: here
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Currently both password authentication and SSL are disabled by default (namely all security are disabled) when monitoring remotely. If we enable either of them when starting the Java VM, the current JmxTool will no longer work and result in a "java.rmi.ConnectIOException". The problem is that JmxTool does not specify
JMXConnector.CREDENTIALS when it tries to connect a security-enabled JMX RMI port.
In order to add capability to connect to a secured RMI port, we can leverage JmxTool to add two options "--jmx-ssl-enable" and "--jmx-auth-prop" to pass an environment map that contains relevant certification entry.
This change would add two additional options "--jmx-ssl-enable" and "--jmx-auth-prop" to JmxTool:
The change proposed in this KIP is to add two extra options as stated above and to connect to a secured RMI port when enable either SSL or Password Authentication. This would be a backward compatible change leaving the previous options available.
Specific behavior changes
--jmx-ssl-enablewhen enable SSL
--jmx-auth-propwhen enable Password Authentication
- Providing both options above when enable all security
Compatibility, Deprecation, and Migration Plan
The proposed change has no impact on existing code and is backwards compatible.
None so far.