Java JMX Access Hardening

Note: The procedure described here can also be used for the Data Flow Probe JMX.

To ensure that the JMX RMI port is accessible only with user credentials, perform the following procedure:

  1. In the wrapper.conf file on the server, located at C:\UCMDB\UCMDBServer\bin, set the following:

    wrapper.java.additional.16=-Dcom.sun.management.jmxremote.authenticate=true

    This setting requires the JMX to ask for authentication.

    • For the Data Flow Probe JMX, perform the following:

      In the files WrapperGateway.conf and WrapperManager.conf, located at C:\UCMDB\DataFlowProbe\bin\, set the following:

      wrapper.java.additional.17=-Dcom.sun.management.jmxremote.authenticate=true

  2. Rename the file jmxremote.password.template (located at: C:\UCMDB\UCMDBServer\bin\jre\lib\management\) to jmxremote.password.

    Note: For the Data Flow Probe JMX, this file is located at: C:\UCMDB\DataFlowProbe\bin\jre\lib\management\.

  3. In jmxremote.password, add passwords for the roles monitorRole and controlRole.

    For example:

    monitorRole QED

    controlRole R&D

    would assign the password QED to monitorRole and the password R&D to controlRole.

    Note: Ensure that only the owner has read and write permissions on jmxremote.password because it contains the passwords in clear text. The file owner must be the same user under which UCMDB Server is running.

  4. In the file jmxremote.access (located at C:\UCMDB\UCMDBServer\bin\jre\lib\management\), assign access to monitorRole and controlRole.

    For example:

    monitorRole readonly

    controlRole readwrite

    would assign read-only access to monitorRole and read-write access to controlRole.

    Note: For the Data Flow Probe JMX, this file is located at: C:\UCMDB\DataFlowProbe\bin\jre\lib\management\.

  5. Secure files as follows:

    • For Windows only: Run the following commands from the command line to secure files:

      icacls jmxremote.password /grant Administrator:F

      icacls jmxremote.access /grant Administrator:R

      In these commands, replace Administrator with <username>, the file owner visible in the properties of both files. Open the properties of these files and ensure that they are correct and have only one owner.

    • For Solaris and Linux operating systems: Set the file permissions for the password file by running:

      chmod 600 jmxremote.password

  6. For Service Pack upgrades, Server migrations and Disaster Recovery: Change ownership of the file jmxremote.access (located at C:\UCMDB\UCMDBServer\bin\jre\lib\management\) to the operating system user running the upgrade or migration installation.

    Note:

    • For the Data Flow Probe JMX, this file is located at: C:\UCMDB\DataFlowProbe\bin\jre\lib\management\.

    • Before uninstalling the product, edit the file permissions for <UCMDB_install_dir>\bin\jre\lib\management\jmxremote.password so the user you are logged in with can edit it.
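
The following is an added example, not part of the product or its documentation: a small Python check that reads the text of wrapper.conf, jmxremote.password and jmxremote.access and reports gaps in the steps above. The function names, the finding messages and the sample inputs are constructed for illustration.

```python
import os
import re
import stat

AUTH_RE = re.compile(r"^\s*wrapper\.java\.additional\.\d+\s*="
                     r"\s*-Dcom\.sun\.management\.jmxremote\.authenticate=(\w+)\s*$")
EXAMPLE_PASSWORDS = {"QED", "R&D"}  # sample values shown in step 3
# Constructed sample inputs (not taken from a real installation).
SAMPLE_WRAPPER = "#wrapper.java.additional.16=-Dcom.sun.management.jmxremote.authenticate=true\n"
SAMPLE_PASSWORD = "# constructed sample\nmonitorRole QED\n"
SAMPLE_ACCESS = "monitorRole readonly\ncontrolRole readwrite\n"


def parse_pairs(text):
    """Parse 'role value' lines; skip # comments, join backslash continuations."""
    pairs = {}
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            pairs[fields[0]] = fields[1]
    return pairs


def audit_jmx(wrapper_text, password_text, access_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    values = [m.group(1).lower() for line in wrapper_text.splitlines()
              if (m := AUTH_RE.match(line))]
    if not values or any(v != "true" for v in values):
        findings.append("jmxremote.authenticate is not set to true")
    passwords, access = parse_pairs(password_text), parse_pairs(access_text)
    for role in sorted(set(passwords) | set(access)):
        if role not in passwords:
            findings.append(f"{role}: access granted but no password entry")
        elif passwords[role] in EXAMPLE_PASSWORDS:
            findings.append(f"{role}: password is a documentation example")
        if role not in access:
            findings.append(f"{role}: password set but no access level")
        elif access[role] not in ("readonly", "readwrite"):
            findings.append(f"{role}: unknown access level {access[role]!r}")
    return findings


def owner_only(path):
    """POSIX check matching chmod 600: no group or other permission bits."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

if __name__ == "__main__":
    print("\n".join(audit_jmx(SAMPLE_WRAPPER, SAMPLE_PASSWORD, SAMPLE_ACCESS)))
```

The owner_only check applies to Solaris and Linux only; on Windows, review the ACL with icacls instead.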