And you can mention that you were recommended by me to open a case so that I can further help you. I just recently debugged such a situation for another customer and am confident we can more swiftly resolve your issue via a support case.
Original Message:
Sent: Thu March 30, 2023 04:49 PM
From: Cam
Subject: WAS9 - Enable SSL for JMX Calls
Hello Claudia / Li Min Yu,
Thank you for your help. I am now calling my sas.client.props / ssl.client.props and it seems to be mostly working. Using the properties in the sas.client.props I was able to force it to use Basic Auth. However, when I remove basic auth and try to force SSL, it doesn't seem to work.
Right now my properties in the sas.client.props look like this:
# Does this client support/require BasicAuth (userid/password) client authentication?
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=false
# Does this client support/require SSL client authentication?
com.ibm.CSI.performTLClientAuthenticationRequired=true
com.ibm.CSI.performTLClientAuthenticationSupported=false
# Note: You can perform BasicAuth (uid/pw) and SSL client authentication (certificate)
# simultaneously, however, the BasicAuth identity will always take precedence at the server.
# Does this client support/require SSL connections?
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=false
# Does this client support/require 40-bit cipher suites when using SSL?
com.ibm.CSI.performMessageIntegrityRequired=false
com.ibm.CSI.performMessageIntegritySupported=true
# Note: This property is only valid when SSL connections are supported or required.
# Does this client support/require 128-bit cipher suites when using SSL?
com.ibm.CSI.performMessageConfidentialityRequired=false
com.ibm.CSI.performMessageConfidentialitySupported=false
My understanding from what I have set is that this should force me to use SSL to connect. I have changed the Server settings to match what I've shown in the client.props. However, when I connect, it fails without throwing an error. It just says it cannot connect via SSL and prompts me to connect insecurely. When I do that, it does throw an error (which I would expect from my settings).
The JMX address I am using looks like this: service:jmx:iiop://<hostname>:2809/jndi/JMXConnector
Right now, I am mostly using the default settings in the ssl.client.props but am not sure if I am supposed to change those. Do my ssl.client.props settings need to match something on the server side?
Thanks again for your help so far. Anything additional would be highly appreciated.
------------------------------
Cam
Original Message:
Sent: Fri March 24, 2023 08:58 AM
From: Claudia Barrett
Subject: WAS9 - Enable SSL for JMX Calls
Hello,
Configuration of SSL connections and client certificate authentication for basic Java clients is done through the sas.client.props file.
- Make a copy of the sas.client.props and ssl.client.props files (from WAS_HOME/profiles/<profile>/properties) and place them in the startup dir of the client startup script.
- Edit the sas.client.props file and set:
  - com.ibm.CSI.performTransportAssocSSLTLSSupported=true
  - If the server has "client certificate authentication" set, also set the following:
    - com.ibm.CSI.performTLClientAuthenticationSupported=true
- In the client startup script, add the following JVM args:
  - -Dcom.ibm.CORBA.ConfigURL=file:<JMX client dir>/sas.client.props
  - -Dcom.ibm.SSL.ConfigURL=file:<JMX client dir>/ssl.client.props
Hope this helps!
------------------------------
Claudia Barrett
Original Message:
Sent: Wed March 22, 2023 04:12 AM
From: LI MIN YU
Subject: WAS9 - Enable SSL for JMX Calls
Here is a script on WAS 9.0.5.14 on Windows:
set WAS_HOME=C:\IBM\WebSphere\AppServer\9.0.5\
set JAVA_HOME=C:\IBM\WebSphere\AppServer\9.0.5\java\8.0
set HOST=localhost
set PORT=2809
set PROTOCOL=RMI
set PROFILE=AppSrvSingle
set CLASSPATH="%JAVA_HOME%\lib\jconsole.jar"
set CLASSPATH=%CLASSPATH%;"%JAVA_HOME%\lib\tools.jar"
set CLASSPATH=%CLASSPATH%;"%WAS_HOME%\runtimes\com.ibm.ws.admin.client_9.0.jar"
"%JAVA_HOME%\bin\java" -classpath %CLASSPATH% -Dcom.ibm.CORBA.ConfigURL=file:"%WAS_HOME%\profiles\%PROFILE%/properties/sas.client.props" -Dcom.ibm.SSL.ConfigURL=file:"%WAS_HOME%\profiles\%PROFILE%/properties/ssl.client.props" sun.tools.jconsole.JConsole service:jmx:%PROTOCOL%://%HOST%:%PORT%/jndi/JMXConnector
------------------------------
LI MIN YU
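As an added example (not code from the thread or from IBM), this Python check compares a sas.client.props file with the settings recommended in Claudia Barrett's message above and confirms that a client command line passes both ConfigURL system properties used in Li Min Yu's script. The function names, the sample command line, and the choice to flag a Required=true / Supported=false pair for review are assumptions of this example.

```python
import re
# Settings Claudia Barrett's message says to enable in sas.client.props (the
# second only when the server has "client certificate authentication" set).
RECOMMENDED = {
    "com.ibm.CSI.performTransportAssocSSLTLSSupported": "true",
    "com.ibm.CSI.performTLClientAuthenticationSupported": "true",
}
# System properties passed on the java command line in Li Min Yu's script.
CONFIG_URL_ARGS = ("com.ibm.CORBA.ConfigURL", "com.ibm.SSL.ConfigURL")
# Sample inputs: props copied from Cam's message; command line is constructed
# (hypothetical path and host) and lacks the SSL ConfigURL.
SAMPLE_PROPS = """\
com.ibm.CSI.performTLClientAuthenticationRequired=true
com.ibm.CSI.performTLClientAuthenticationSupported=false
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=false
"""
SAMPLE_CMD = ("java -Dcom.ibm.CORBA.ConfigURL=file:/opt/jmxclient/sas.client.props "
              "sun.tools.jconsole.JConsole service:jmx:iiop://was.example.test:2809/jndi/JMXConnector")

def parse_props(text):
    """Parse key=value lines, skipping blanks and '#' comments; last value wins."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip().lower()
    return props

def audit_props(props, server_wants_client_cert=True):
    """Return {property: reason} for settings that differ from the thread's advice."""
    findings = {}
    for key, want in RECOMMENDED.items():
        if "TLClientAuthentication" in key and not server_wants_client_cert:
            continue
        if props.get(key) != want:
            findings[key] = f"is {props.get(key)!r}; thread recommends {want!r}"
    # Assumption: Required=true with Supported=false is only flagged for review.
    for key, value in props.items():
        partner = key[:-len("Required")] + "Supported"
        if (key.endswith("Required") and value == "true"
                and props.get(partner) == "false" and partner not in findings):
            findings[partner] = f"is 'false' while {key} is 'true' (review)"
    return findings

def missing_config_urls(command_line):
    """List the ConfigURL system properties absent from a client command line."""
    present = set(re.findall(r"-D([\w.]+)=", command_line))
    return [name for name in CONFIG_URL_ARGS if name not in present]
```

Calling `audit_props(parse_props(SAMPLE_PROPS))` reports both Supported properties, and `missing_config_urls(SAMPLE_CMD)` reports the absent `com.ibm.SSL.ConfigURL`.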
Original Message:
Sent: Tue March 21, 2023 11:23 AM
From: Cam
Subject: WAS9 - Enable SSL for JMX Calls
Hello,
I'm working on 9.0.5.12 right now and I do have Global Security enabled. If I disable Global Security, I am able to connect unauthenticated. When I enable it, it does require my JMX request to have username/password but doesn't seem to force/require SSL. Is there a setting I need to set to force JMX calls to require SSL?
Thanks!
------------------------------
Cam
Original Message:
Sent: Tue March 21, 2023 10:11 AM
From: LI MIN YU
Subject: WAS9 - Enable SSL for JMX Calls
What's the fix patch version of WAS 9? Did you enable global security?
------------------------------
LI MIN YU
Original Message:
Sent: Tue March 14, 2023 01:13 AM
From: Cam
Subject: WAS9 - Enable SSL for JMX Calls
Hello,
I've had success connecting to WAS9 using JMX calls (via JConsole) without using SSL. I've used a JMX address that uses iiop and looks like this: service:jmx:iiop://<hostname>:2809/jndi/JMXConnector.
Now I am trying to enable SSL for JMX and test if I can get a connection.
In the WebSphere UI, I went to "Global Security" > "Authentication" > "RMI/IIOP" > "CSIv2 inbound communications"
On this page I changed:
* Client certificate authentication to "Supported"
* Transport to "SSL-required"
* Use specific SSL alias to "NodeDefaultSSLSettings"
I restarted the server. Then, when I tried to call JMX using the same command it denied me (which makes me assume it is indeed requiring SSL now).
Finally, I have added
-J-Djavax.net.ssl.trustStore="<path_to_node_truststore>" -J-Djavax.net.ssl.trustStorePassword=<password>
to my JConsole command, but I am still unable to connect.
Am I missing a step? I would deeply appreciate any support somebody can give.
Thanks!
------------------------------
Cam
------------------------------