Configuring password authentication for JMX connections

JMX (Java Management Extensions) is used mainly for system monitoring. To work it needs listening ports, and a JMX port that is reachable without authentication lets any client that can connect to it read and write the exposed MBeans, so these ports must be protected.

  • Since MU38, these ports are bound to localhost only by default.

  • Since MU67, JMX supports authenticated connections.

By default, password authentication for JMX connections is disabled for backward compatibility, but enabling it is recommended. To do so, set the following system properties to "Enabled" in Management:

  • managementJmxUseAuthentication - enables password authentication for JMX connections to the Management Service (by default listening on port 19898)

  • ldapReplicatorJmxUseAuthentication - enables password authentication for JMX connections to the LDAP Replicator (by default listening on port 9696)

  • spocJmxUseAuthentication - enables password authentication for JMX connections to the Spooler Controller (by default listening on port 9898)

  • distributedLayerJmxUseAuthentication - enables password authentication for JMX connections to the Spooler Controller Distributed Layer (by default listening on port 9999)

The JMX server reads its authentication configuration from the jmxremote.password and jmxremote.access files. Both files are created during installation with default values.

The JMX configuration files location:

  • The LDAP Replicator and the Management Service share the same configuration path: C:\SafeQ6\Management\conf

  • The Spooler Controller stores its configuration in C:\SafeQ6\SPOC\conf

  • The Spooler Controller Distributed Layer stores its configuration in C:\SafeQ6\SPOC\distServer\config

The JMX configuration files content:

  • jmxremote.access

    • This file stores the access rights of each user.

    • The basic roles are readonly and readwrite (these are the keywords used in the file); a readwrite entry can additionally list the MBean classes the user may create and whether the user may unregister MBeans.

    • For other needs, check the JMX documentation.

  • jmxremote.password

    • This file stores the credentials of the admin and monitor users (change their default passwords).

    • The admin account must exist; the connection to the LDAP Replicator requires it.


The passwords in jmxremote.password are stored in clear text (the JMX server requires this), so the administrator is responsible for restricting access to these files, for example with NTFS permissions that allow only the service account and administrators to read them.


Example of the configuration files:

jmxremote.password
monitor <monitor_password>
admin <admin_password>


jmxremote.access
monitor readonly
admin readwrite \
create javax.management.monitor.*,javax.management.timer.* \
unregister
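The two files above are easy to get subtly wrong: a user that appears in jmxremote.access without a password entry, a user with a password but no access entry (the JMX server authenticates such a user and then denies every operation), placeholders left in place of real passwords, or a missing admin account. The following audit script, added here as an example and not part of the SafeQ product or its documentation, parses both files (including the backslash line continuations the access file uses) and reports these problems. The embedded sample contents are constructed to mirror the example files above, with one extra user added to show a finding; the default paths are an assumption taken from the locations listed earlier.

```python
"""Audit a JMX jmxremote.password / jmxremote.access pair.

Added example, not part of the SafeQ documentation. The sample file contents
below are constructed; the default paths are an assumption.
"""
import re

# Constructed sample: the page's example files with the placeholders left in
# and an 'auditor' user that has no password entry (a typical mistake).
SAMPLE_PASSWORD = """\
# jmxremote.password
monitor <monitor_password>
admin <admin_password>
"""

SAMPLE_ACCESS = """\
# jmxremote.access
monitor readonly
admin readwrite \\
create javax.management.monitor.*,javax.management.timer.* \\
unregister
auditor readonly
"""

PLACEHOLDER = re.compile(r"^<.*>$")  # e.g. <admin_password> left unchanged


def _logical_lines(text):
    """Yield non-comment lines with backslash continuations joined
    (the JDK access file uses '\\' at the end of a line to continue an entry)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        buf = (buf + " " + line) if buf else line
        if buf.endswith("\\"):
            buf = buf[:-1].rstrip()
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def parse_password_file(text):
    """Return {user: password}; the format is one 'user password' pair per line."""
    users = {}
    for line in _logical_lines(text):
        parts = line.split(None, 1)
        if len(parts) == 2:
            users[parts[0]] = parts[1]
    return users


def parse_access_file(text):
    """Return {user: {'role': ..., 'create': [...], 'unregister': bool}}."""
    entries = {}
    for line in _logical_lines(text):
        tokens = line.split()
        if len(tokens) < 2:
            continue
        entry = {"role": tokens[1], "create": [], "unregister": False}
        i = 2
        while i < len(tokens):
            if tokens[i] == "create" and i + 1 < len(tokens):
                entry["create"] = tokens[i + 1].split(",")
                i += 2
            elif tokens[i] == "unregister":
                entry["unregister"] = True
                i += 1
            else:
                i += 1
        entries[tokens[0]] = entry
    return entries


def audit(password_text, access_text, require_admin=True):
    """Return findings as 'LEVEL user: message' strings (ERROR, WARN or INFO)."""
    pw, acc = parse_password_file(password_text), parse_access_file(access_text)
    findings = []
    for user in sorted(set(acc) - set(pw)):
        findings.append(f"ERROR {user}: in jmxremote.access but has no jmxremote.password entry")
    for user in sorted(set(pw) - set(acc)):
        findings.append(f"ERROR {user}: has a password but no jmxremote.access entry (all access denied)")
    for user, secret in sorted(pw.items()):
        if PLACEHOLDER.match(secret) or len(secret) < 12:
            findings.append(f"WARN {user}: placeholder or short password, change it")
    for user, e in sorted(acc.items()):
        if e["role"] not in ("readonly", "readwrite"):
            findings.append(f"ERROR {user}: unknown role '{e['role']}' (JMX server will not start)")
        elif e["role"] == "readwrite":
            findings.append(f"INFO {user}: readwrite, can invoke MBean operations; keep this list minimal")
    if require_admin and "admin" not in pw:
        findings.append("ERROR admin: missing, but required for the LDAP Replicator connection")
    return findings


def audit_files(conf_dir=r"C:\SafeQ6\Management\conf"):
    """Audit the real files in a configuration directory (path is an assumption)."""
    with open(conf_dir + r"\jmxremote.password", encoding="utf-8") as f:
        pw_text = f.read()
    with open(conf_dir + r"\jmxremote.access", encoding="utf-8") as f:
        acc_text = f.read()
    return audit(pw_text, acc_text)


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWORD, SAMPLE_ACCESS):
        print(finding)
```

Run it once per configuration directory (Management, SPOC, and distServer\config) after editing the files and before restarting the services; an empty result apart from INFO lines means the pair is consistent.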

After changing roles or passwords in the configuration files, or after changing one of the system properties in the Management Service, restart the Management Service, the LDAP Replicator, and the Spooler Controller so that the changes take effect.