Latest version: 4.3.x
Secure JMX with TLS Encryption
Question
How to Secure JMX with Basic Auth (username:password) and TLS Encryption/Authentication
Answer
First set up JMX with basic auth as shown in the Secure JMX: Basic Auth page.
To enable TLS Encryption/Authentication in JMX you need a JKS keystore and truststore.
Please note that both the JKS truststore and keystore should have the same password.
The reason is that the `javax.net.ssl` class will use the password you pass to the keystore as the key password.
Let's assume this Java process is Kafka and that you have installed the keystore.jks and truststore.jks under `/etc/certs`.
Export the following options in the environment of the user that will run Kafka.
```bash
# Remote JMX with password authentication, TLS on both the RMI registry and
# the connector, and mandatory client certificates (ssl.need.client.auth).
export BROKER_JMX_OPTS="-Dcom.sun.management.jmxremote=true \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.ssl=true \
-Dcom.sun.management.jmxremote.local.only=false \
-Djava.rmi.server.hostname=10.15.3.1 \
-Dcom.sun.management.jmxremote.rmi.port=9581 \
-Dcom.sun.management.jmxremote.access.file=/etc/jmxremote.access \
-Dcom.sun.management.jmxremote.password.file=/etc/jmxremote.password \
-Dcom.sun.management.jmxremote.port=9581 \
-Djavax.net.ssl.keyStore=/etc/certs/kafka.jks \
-Djavax.net.ssl.keyStorePassword=somePassword \
-Djavax.net.ssl.trustStore=/etc/certs/truststore.jks \
-Djavax.net.ssl.trustStorePassword=somePassword \
-Dcom.sun.management.jmxremote.registry.ssl=true \
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
```
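A pre-flight check for the options above, as an added example that is not part of the original page: it confirms that the four authentication/TLS flags are `true`, that both stores and their passwords are set, and that the two store passwords match. The function names and `SAMPLE_OPTS` are assumptions of this example; the `keytool` step runs only where the store file is readable and `keytool` is installed.

```bash
# Added example (not from the original page): pre-flight lint for a JMX options string.

# Print the value of -D<key>=<value> from an options string (empty if absent).
# The body is a subshell so that `set -f` (no globbing of values) stays local.
jmx_opt() (
  set -f
  for tok in $2; do
    case $tok in
      "-D$1="*) printf '%s\n' "${tok#*=}"; exit 0 ;;
    esac
  done
)

# Exit 0 if the options enable authentication and TLS as on this page;
# otherwise print one FAIL line per problem and exit 1.
check_jmx_opts() (
  opts=$1; rc=0
  for key in authenticate ssl registry.ssl ssl.need.client.auth; do
    if [ "$(jmx_opt "com.sun.management.jmxremote.$key" "$opts")" != "true" ]; then
      echo "FAIL: com.sun.management.jmxremote.$key is not true"; rc=1
    fi
  done
  for key in keyStore trustStore; do
    file=$(jmx_opt "javax.net.ssl.$key" "$opts")
    pass=$(jmx_opt "javax.net.ssl.${key}Password" "$opts")
    if [ -z "$file" ] || [ -z "$pass" ]; then
      echo "FAIL: javax.net.ssl.$key or its password is not set"; rc=1
    elif [ -r "$file" ] && command -v keytool >/dev/null 2>&1; then
      # On the broker host only: confirm the configured password opens the store.
      keytool -list -keystore "$file" -storepass "$pass" >/dev/null 2>&1 ||
        { echo "FAIL: $file does not open with the configured password"; rc=1; }
    fi
  done
  # The page requires the keystore and truststore to share one password.
  if [ "$(jmx_opt javax.net.ssl.keyStorePassword "$opts")" != \
       "$(jmx_opt javax.net.ssl.trustStorePassword "$opts")" ]; then
    echo "FAIL: keystore and truststore passwords differ"; rc=1
  fi
  exit "$rc"
)

# Constructed sample mirroring the page's TLS settings (placeholder password).
SAMPLE_OPTS="-Dcom.sun.management.jmxremote.authenticate=true \
  -Dcom.sun.management.jmxremote.ssl=true \
  -Dcom.sun.management.jmxremote.registry.ssl=true \
  -Dcom.sun.management.jmxremote.ssl.need.client.auth=true \
  -Djavax.net.ssl.keyStore=/etc/certs/kafka.jks -Djavax.net.ssl.keyStorePassword=somePassword \
  -Djavax.net.ssl.trustStore=/etc/certs/truststore.jks -Djavax.net.ssl.trustStorePassword=somePassword"
check_jmx_opts "$SAMPLE_OPTS" && echo "sample options OK"
```

Run `check_jmx_opts "$BROKER_JMX_OPTS"` in the shell that exported the variable, before starting Kafka.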