WebSphere Application Server & Liberty

  • 1.  WAS9 - Enable SSL for JMX Calls

    Posted Tue March 14, 2023 01:13 AM

    Hello,

    I've had success connecting to WAS9 using JMX calls (via JConsole) without using SSL. I've used a JMX address that uses iiop and looks like this: service:jmx:iiop://<hostname>:2809/jndi/JMXConnector.

    Now I am trying to enable SSL for JMX and test if I can get a connection.

    In the WebSphere UI, I went to "Global Security" > "Authentication" > "RMI/IIOP" > "CSIv2 inbound communications"
    On this page I changed:
    * Client certificate authentication to "Supported"
    * Transport to "SSL-required"
    * Use specific SSL alias to "NodeDefaultSSLSettings"

    I restarted the server. Then, when I tried to call JMX using the same command it denied me (which makes me assume it is indeed requiring SSL now).

    Finally,
    I have added 
    -J-Djavax.net.ssl.trustStore="<path_to_node_truststore>" -J-Djavax.net.ssl.trustStorePassword=<password>
    to my JConsole command, but I am still unable to connect.

    Am I missing a step? I would deeply appreciate any support somebody can give.

    Thanks!



    ------------------------------
    Cam
    ------------------------------


  • 2.  RE: WAS9 - Enable SSL for JMX Calls

    Posted Mon March 20, 2023 12:24 PM

    Hello,

    I've tried a few other things, including messing with the sas.client.props / ssl.client.props, but I am still not having any luck getting SSL working for JMX. Does anyone have any idea if I have to set certain properties in those files? Is it okay to use the keystore / truststore that come by default on the node?

    Thanks in advance!



    ------------------------------
    Cam
    ------------------------------



  • 3.  RE: WAS9 - Enable SSL for JMX Calls

    Posted Tue March 21, 2023 10:12 AM

    What's the fix patch version of WAS 9? Have you enabled global security?



    ------------------------------
    LI MIN YU
    ------------------------------



  • 4.  RE: WAS9 - Enable SSL for JMX Calls

    Posted Tue March 21, 2023 11:24 AM

    Hello,

    I'm working on 9.0.5.12 right now and I do have Global Security enabled. If I disable Global Security, I am able to connect unauthenticated. When I enable it, it does require my JMX request to have username/password but doesn't seem to force/require SSL. Is there a setting I need to set to force JMX calls to require SSL?

    Thanks!



    ------------------------------
    Cam
    ------------------------------



  • 5.  RE: WAS9 - Enable SSL for JMX Calls

    Posted Wed March 22, 2023 04:13 AM

    Here is a script for WAS 9.0.5.14 on Windows:

    set WAS_HOME=C:\IBM\WebSphere\AppServer\9.0.5\
    set JAVA_HOME=C:\IBM\WebSphere\AppServer\9.0.5\java\8.0
    set HOST=localhost
    set PORT=2809
    set PROTOCOL=RMI
    set PROFILE=AppSrvSingle

    set CLASSPATH="%JAVA_HOME%\lib\jconsole.jar"
    set CLASSPATH=%CLASSPATH%;"%JAVA_HOME%\lib\tools.jar"
    set CLASSPATH=%CLASSPATH%;"%WAS_HOME%\runtimes\com.ibm.ws.admin.client_9.0.jar"

    "%JAVA_HOME%\bin\java" -classpath %CLASSPATH% -Dcom.ibm.CORBA.ConfigURL=file:"%WAS_HOME%\profiles\%PROFILE%/properties/sas.client.props" -Dcom.ibm.SSL.ConfigURL=file:"%WAS_HOME%\profiles\%PROFILE%/properties/ssl.client.props" sun.tools.jconsole.JConsole service:jmx:%PROTOCOL%://%HOST%:%PORT%/jndi/JMXConnector



    ------------------------------
    LI MIN YU
    ------------------------------



  • 6.  RE: WAS9 - Enable SSL for JMX Calls

    Posted Fri March 24, 2023 08:59 AM

    Hello,
    Configuration of SSL connections and client certificate authentication for basic java clients is done through the sas.client.props file.

    • Make a copy of the sas.client.props and ssl.client.props (from WAS_HOME/profiles/<profile>/properties) file and place it in the startup dir of the client startup script.
    • Edit sas.client.props file and set:
      • com.ibm.CSI.performTransportAssocSSLTLSSupported=true
    • If the server has "client certificate authentication" set, also set the following:
      • com.ibm.CSI.performTLClientAuthenticationSupported=true
    • In the client startup script, add the following JVM args
      • -Dcom.ibm.CORBA.ConfigURL=file:<JMX client dir>/sas.client.props
      • -Dcom.ibm.SSL.ConfigURL=file:<JMX client dir>/ssl.client.props

    Hope this helps!



    ------------------------------
    Claudia Barrett
    ------------------------------



  • 7.  RE: WAS9 - Enable SSL for JMX Calls

    Posted Thu March 30, 2023 04:50 PM
    Edited by Cam Thu March 30, 2023 04:50 PM

    Hello Claudia / Li Min Yu,

    Thank you for your help. I am now calling my sas.client.props / ssl.client.props and it seems to be mostly working. Using the properties in the sas.client.props I was able to force it to use Basic Auth. However, when I remove basic auth and try to force SSL, it doesn't seem to work.

    Right now my properties in the sas.client.props look like this:

    # Does this client support/require BasicAuth (userid/password) client authentication?
    com.ibm.CSI.performClientAuthenticationRequired=false
    com.ibm.CSI.performClientAuthenticationSupported=false

    # Does this client support/require SSL client authentication?  
    com.ibm.CSI.performTLClientAuthenticationRequired=true
    com.ibm.CSI.performTLClientAuthenticationSupported=false

    # Note: You can perform BasicAuth (uid/pw) and SSL client authentication (certificate)
    # simultaneously, however, the BasicAuth identity will always take precedence at the server.

    # Does this client support/require SSL connections?
    com.ibm.CSI.performTransportAssocSSLTLSRequired=true
    com.ibm.CSI.performTransportAssocSSLTLSSupported=false

    # Does this client support/require 40-bit cipher suites when using SSL?
    com.ibm.CSI.performMessageIntegrityRequired=false
    com.ibm.CSI.performMessageIntegritySupported=true
    # Note: This property is only valid when SSL connections are supported or required.

    # Does this client support/require 128-bit cipher suites when using SSL?
    com.ibm.CSI.performMessageConfidentialityRequired=false
    com.ibm.CSI.performMessageConfidentialitySupported=false

    My understanding from what I have set is that this should force me to use SSL to connect. I have changed the Server settings to match what I've shown in the client.props. However, when I connect, it fails without throwing an error. It just says it cannot connect via SSL and prompts me to connect insecurely. When I do that, it does throw an error (which I would expect from my settings).

    The JMX address I am using looks like this: service:jmx:iiop://<hostname>:2809/jndi/JMXConnector

    Right now, I am mostly using the default settings in the ssl.client.props but am not sure if I am supposed to change those. Do my ssl.client.props settings need to match something on the server side?

    Thanks again for your help so far. Anything additional would be highly appreciated.



    ------------------------------
    Cam
    ------------------------------
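
An added example, not part of any post in this thread: a small Python check that compares a sas.client.props file against the values recommended in post 6 and confirms the launch command carries both ConfigURL JVM arguments used in post 5's script. The property lines are copied from post 7; the launch command, its `C:/jmxclient` directory and the function names are constructed for illustration.

```python
# Added example: audit sas.client.props against the settings named in post 6.
# Property lines copied from post 7 (only the keys checked here).
SAMPLE_PROPS = """\
# Does this client support/require BasicAuth (userid/password) client authentication?
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=false
com.ibm.CSI.performTLClientAuthenticationRequired=true
com.ibm.CSI.performTLClientAuthenticationSupported=false
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=false
"""

# Constructed launch line modelled on post 5; the client directory is hypothetical.
SAMPLE_CMD = ("java -Dcom.ibm.CORBA.ConfigURL=file:C:/jmxclient/sas.client.props "
              "sun.tools.jconsole.JConsole "
              "service:jmx:iiop://localhost:2809/jndi/JMXConnector")


def parse_props(text):
    """Parse simple key=value .properties text, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props_text, cmdline, server_wants_client_cert):
    """Return a list of differences from post 6's advice and post 5's JVM args."""
    props = parse_props(props_text)
    expected = {"com.ibm.CSI.performTransportAssocSSLTLSSupported": "true"}
    if server_wants_client_cert:
        expected["com.ibm.CSI.performTLClientAuthenticationSupported"] = "true"
    findings = []
    for key, want in expected.items():
        got = props.get(key, "<unset>")
        if got.lower() != want:
            findings.append(f"{key}={got} (post 6 recommends {want})")
    for jvm_prop in ("com.ibm.CORBA.ConfigURL", "com.ibm.SSL.ConfigURL"):
        if f"-D{jvm_prop}=" not in cmdline:
            findings.append(f"-D{jvm_prop} missing from launch command")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPS, SAMPLE_CMD, server_wants_client_cert=True):
        print("CHECK:", finding)
```
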



  • 8.  RE: WAS9 - Enable SSL for JMX Calls

    Posted Fri March 31, 2023 01:34 PM

    Hi Cam,
    At this point, given the somewhat complicated nature of trying to debug all the various places where settings could be amiss (client side, server side), it would probably be best if you were to open a case with IBM support so that we can examine your client and server settings more easily, as well as your client code. Additionally, trace can usually pinpoint the exact area of the problem, and the exchange of all this data is best done via a support case.

    You can open one here:  https://www.ibm.com/mysupport/s/

    And you can mention that you were recommended by me to open a case so that I can further help you.  I just recently debugged such a situation for another customer and am confident we can more swiftly resolve your issue via a support case.

    claudia (barrett)



    ------------------------------
    Claudia Barrett
    ------------------------------