Configure JMX security for WebSphere Application Server Community Edition Version 2.1 servers

If we use the JMX security feature in WebSphere Application Server Community Edition Version 2.1, additional steps are required to enable the Intelligent Management security feature.

• We must have WebSphere Application Server Community Edition Version 2.1 installed with JMX security enabled.

JMX security is a feature added in WebSphere Application Server Community Edition Version 2.1. When creating new servers or dynamic clusters in the console , we can use the wasce21s server template to create servers that have JMX security enabled. If we have discovered servers, perform the additional steps in this topic to configure JMX security.

1. If we have an existing server, start the WAS Community Edition Version 2.1 server for which JMX security needs to be enabled.

2. Import the WAS Community Edition certificates into the WAS trust store.

   1. In the console, click Security > SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates.

   2. Enter the host name of the node where WebSphere Application Server Community Edition Version 2.1 is running, the HTTPS port number, and an alias for the certificate.

   3. Click Retrieve signer information.

   4. Save and synchronize the settings.

3. Configure the WAS Community Edition Version 2.1 server. If we have not yet created the servers in the environment, we can create the server using the wasce21s server template. If the server has already been discovered by Intelligent Management, perform the additional steps required to enable security listed in this step.

   To create a new WebSphere Application Server Community Edition Version 2.1 server or dynamic cluster with JMX security enabled, perform the following steps:

   1. To create a WAS Community Edition server in the console, click Servers > Server types > WebSphere Application Server Community Edition servers > New. To create a WAS Community Edition dynamic cluster in the console, click Servers > Clusters > Dynamic clusters > New. Choose WebSphere Application Server Community Edition as the server type.

   2. Select the wasce21s template in the wizard.

   3. Save and synchronize the changes.
   For a server that has already been discovered by Intelligent Management, perform the following steps:

   1. Stop the WAS Community Edition Version 2.1 server.

   2. Edit the config.xml file to disable the JMX service and enable the JMX secure connector.

      1. In the console, open the WAS Community Edition Version 2.1 server configuration. Click Servers > Server types > WebSphere Application Server Community Edition servers > wasce_server.

      2. Click the External configuration tab. Edit the config.xml file.

      3. Make the following changes, highlighted in bold text:

         <module name="org.apache.geronimo.framework/j2ee-security/2.1.1/car">
          <gbean name="JMXService" load="false">
           <attribute name="protocol">rmi</attribute>
           <attribute name="host">${ServerHostname}</attribute>
           <attribute name="port">${JMXPort + PortOffset}</attribute>
           <attribute name="urlPath">/jndi/rmi://${ServerHostname}:${NamingPort + PortOffset}/JMXConnector</attribute>
          </gbean>
         </module>
         ...
         ...
         ...
         <module name="org.apache.geronimo.configs/clustering/2.1.1/car" load="false">
          <gbean name="Node">
           <attribute name="nodeName">${clusterNodeName}</attribute>
          </gbean>
         </module>
         ...
         ...
         ...
         <module name="org.apache.geronimo.framework/jmx-security/2.1.1/car" load="true">
          <gbean name="JMXSecureConnector load="true">
           <attribute name="protocol">rmi</attribute>
           <attribute name="host">${ServerHostname}</attribute>
           <attribute name="port">${JMXSecurePort + PortOffset}</attribute>
           <attrubute name="urlPath">/jndi/rmi://${ServerHostname}:${NamingPort + PortOffset}/JMXSecureConnector</attribute>
           <attribute name="clientAuth">false</attribute>
          </gbean>
         </module>

   3. Add the JAVA_OPTS variable.

      1. In the console, click Servers > Server types > WebSphere Application Server Community Edition servers > wasce_server > Variables > New.

      2. Create a new variable called JAVA_OPTS.

      3. Enter the following text in the Value field, specifying the appropriate values for the system properties:
         -Djavax.net.ssl.keyStore=${GERONIMO_HOME}/var/security/keystores/geronimo-default -Djavax.net.ssl.keyStorePassword=secret -Djavax.net.ssl.trustStore=${GERONIMO_HOME}/var/security/keystores/geronimo-default -Djavax.net.ssl.trustStorePassword=secret

      4. Click OK.

   4. Add the UseJMXSecureConnector custom property.

      1. In the console, click Servers > Server types > WebSphere Application Server Community Edition servers > wasce_server > Custom properties > New

      2. Enter UseJMXSecureConnector as the value in the Name field.

      3. Enter true in the Value field.

      4. Click OK.

   5. Save and synchronize the changes.

   6. Restart the server.

Results

We can use WebSphere Application Server Community Edition Version 2.1 with JMX security enabled.

What to do next

Configure the WAS Community Edition servers. See configuring complete lifecycle WebSphere Application Server Community Edition servers and dynamic clusters.

Related concepts

WebSphere Application Server Community Edition servers

Related tasks

Create complete life-cycle WebSphere Application Server Community Edition servers and dynamic clusters

Configure middleware descriptors

Related information:

Intelligent Management: middleware server custom properties and variables