Remedy - Server - Securing "jmxremote" access in AR Server

Version 2

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    Remedy AR System Server


    COMPONENT:

    AR System


    APPLIES TO:

    Remedy AR System Server 9.x and higher



    QUESTION:

    Questions:
    How to secure "jmxremote" access in AR Server?
    Having "jmxremote" enabled in AR Server is a security risk in our environment; how can it be disabled?


    ANSWER:

    Out of the box, AR Server can be monitored remotely using the Java JDK utility JVisualVM, which is used, for example, during troubleshooting as described in the article:
    Remedy - Server - How to collect Java heap dumps (and thread dumps) for AR Server troubleshooting - ARS 9.x

    The specific setting is located in the arserver.config (Windows) / arserverd.conf (Linux/Unix) in the JVM option:
    jvm.option.(number)=-Dcom.sun.management.jmxremote

    If having this option poses a security risk for your organization, this line can be commented out or deleted.
    To comment it out, add a # at the beginning of the line:
    #jvm.option.(number)=-Dcom.sun.management.jmxremote

    If you want to keep it but require every remote connection using it to be secured, with SSL as the preferred method, Oracle Java provides the following additional settings:
    ................
    -Dcom.sun.management.jmxremote.port=9999 
    -Dcom.sun.management.jmxremote.password.file=jmxremote.password 
    -Djavax.net.ssl.keyStore=/home/user/.keystore 
    -Djavax.net.ssl.keyStorePassword=myKeyStorePassword 
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true 
    -Djavax.net.ssl.trustStore=/home/user/.truststore 
    -Djavax.net.ssl.trustStorePassword=myTrustStorePassword 
    -Dcom.sun.management.jmxremote.registry.ssl=true 
    -Djava.security.manager 
    -Djava.security.policy=jmx.policy 
    ................

    These are set in the arserver.config / arserverd.conf file as additional JVM option lines.
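    As an added defender's check (example code, not BMC's or Oracle's), the following Python parses the jvm.option lines of an arserver.config / arserverd.conf fragment and reports whether a remote JMX listener is configured and whether the Oracle defaults of password authentication and SSL have been switched off. The two config fragments are constructed for illustration, and the default values follow the Oracle agent documentation referenced in this article.

```python
import re  # added audit example for the jvm.option lines above; not BMC's code
JVM_OPTION = re.compile(r"^jvm\.option\.\d+\s*=\s*(.+)$")
JMX = "com.sun.management.jmxremote"

def parse_jvm_properties(config_text):
    """Map each active -D option to its value (None when written as bare -Dname)."""
    props = {}
    for line in map(str.strip, config_text.splitlines()):
        if not line or line.startswith("#"):  # commented out with '#', as the article shows
            continue
        m = JVM_OPTION.match(line)
        if m and m.group(1).startswith("-D"):
            key, sep, value = m.group(1)[2:].partition("=")
            props[key] = value if sep else None
    return props

def _is_true(props, name, default):
    """Boolean.parseBoolean semantics: only the literal 'true' counts; bare -Dname yields ''."""
    return (props.get(name, default) or "").lower() == "true"

def audit_jmx(config_text):
    """Return findings about JMX exposure; an empty list means jmxremote is off."""
    props = parse_jvm_properties(config_text)
    if JMX not in props and f"{JMX}.port" not in props:
        return []
    port = props.get(f"{JMX}.port")
    if port is None:
        return ["jmxremote enabled for local monitoring only (no .port set)"]
    findings = [f"remote JMX listener configured on port {port}"]
    # Oracle defaults authenticate and ssl to true once a port is set; registry.ssl to false
    if not _is_true(props, f"{JMX}.authenticate", "true"):
        findings.append("password authentication disabled")
    if not _is_true(props, f"{JMX}.ssl", "true"):
        findings.append("SSL disabled")
    if not _is_true(props, f"{JMX}.registry.ssl", "false"):
        findings.append("RMI registry not SSL-protected (registry.ssl is not true)")
    return findings

# Constructed arserver.config fragments (not from a real system): a weak one and a hardened one
WEAK_CONFIG = """\
jvm.option.1=-Dcom.sun.management.jmxremote
jvm.option.2=-Dcom.sun.management.jmxremote.port=9999
jvm.option.3=-Dcom.sun.management.jmxremote.authenticate=false
jvm.option.4=-Dcom.sun.management.jmxremote.ssl=false
"""
HARDENED_CONFIG = """\
jvm.option.1=-Dcom.sun.management.jmxremote.port=9999
jvm.option.2=-Dcom.sun.management.jmxremote.password.file=jmxremote.password
jvm.option.3=-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
jvm.option.4=-Dcom.sun.management.jmxremote.registry.ssl=true
"""
```

Running audit_jmx(WEAK_CONFIG) lists the open port plus the disabled authentication, SSL and registry protection, while audit_jmx(HARDENED_CONFIG) reports only the configured port.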

    Please check the Oracle Java documentation on how this needs to be done.
    This is not a Remedy-native configuration, so the following link needs to be checked to understand how to set it up:
    https://docs.oracle.com/javadb/10.10.1.2/adminguide/radminjmxenablepwdssl.html

    Also, some additional information from the Oracle Java documentation:
    https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html

    where:
    ..................
    Remote Monitoring and Management
    To enable monitoring and management from remote systems, you must set the following system property when you start the Java VM.
    com.sun.management.jmxremote.port=portNum

    In the property above, portNum is the port number through which you want to enable JMX RMI connections. Be sure to specify an unused port number. In addition to publishing an RMI connector for local access, setting this property publishes an additional RMI connector in a private read-only registry at the specified port using a well known name, "jmxrmi".

    Note - You must set the above system property in addition to any properties you might set for security.

    Remote monitoring and management requires security to ensure that unauthorized persons cannot control or monitor your application. Password authentication over the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) is enabled by default. You can disable password authentication and SSL separately, as described in the next sections.

    Note - For production systems, use both SSL client certificates to authenticate the client host and password authentication for user management. See the topics Using SSL and Using LDAP Authentication for more information.

    The Java platform supports pluggable login modules for authentication. You can plug in any login module depending on the authentication infrastructure in your organization. The section titled Using LDAP Authentication describes how to plug in the com.sun.security.auth.module.LdapLoginModule for Lightweight Directory Access Protocol (LDAP) based authentication.

    After you have enabled the JMX agent for remote use, you can monitor your application using JConsole, as described in Remote Monitoring with JConsole. How to connect to the management agent programmatically is described in Connecting to the JMX Agent Programmatically.
    ..................

    Article Number:

    000160932


    Article Type:

    FAQ/Procedural