  1. Red Hat Fuse
  2. ENTESB-2192

JMX and SSL with fabric


    Description

      There is no easy way to configure JMX with SSL for JBoss Fuse with fabric8.
      If we consider its core functionality, Fabric8 with Hawtio, where new containers can be created, we find that it completely doesn't work in the case of JMX with SSL.

      That is because if we want child containers provisioned by fabric8 to be secured with JMX and SSL, it can be done only with profiles. But in turn it cannot be done in profiles, due to Karaf's dependencies and the way SSL for JMX is supported in Karaf: by providing a blueprint with a jaas:keystore definition.
      The thing is that PIDs are deployed before bundles, so if we provide a PID in a fabric profile, org.apache.karaf.management.properties, this PID is deployed first, forcing Karaf management to restart.
      BUT inside this PID we have configured JMX to be secured with SSL, pointing to a jaas:keystore which is not yet deployed, forcing Karaf management to fail.
      The jaas:keystore definition is deployed together with the bundles, but Karaf management has already failed.

      So it would be great to somehow solve this problem and let users easily secure JMX without sacrificing Hawtio and fabric8 functionality.

      A workaround for this is:
      1. Create a fragment bundle for host: org.apache.karaf.management.server;bundle-version="[2,3)", with Import-Service: io.fabric8.api.FabricService
      2. Add the above fragment bundle to the default profile
      3. In the default profile, in the io.fabric8.agent.properties file, add:
      metadata#org.apache.karaf.management.server#[2.0,3.0)#Require-Capability = osgi.extender;filter:="(osgi.extender=jmx.secure.configuration)"
      metadata#jmx-authentication.xml#[0,1)#Provide-Capability = osgi.extender;osgi.extender=jmx.secure.configuration

      So once we deploy the default profile, we deploy a fragment for Karaf management, forcing it to restart.
      Step 3 is required to make sure that the jmx-authentication.xml blueprint file, which defines the jaas:keystore for JMX's SSL, is deployed before the fragment bundle for Karaf management, so we can be sure that the keystores are already deployed in Karaf before we try to use them.
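
A sketch of the jmx-authentication.xml blueprint that the description and step 3 refer to, showing the name link between the jaas:keystore and the management PID that makes the deployment order matter. This is an added example, not a file from the issue or from the Fuse project; the keystore name, alias, path and passwords are placeholders, and the management PID keys quoted in the comments are assumed from Karaf's management configuration and should be checked against the container's own etc/org.apache.karaf.management.cfg.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  jmx-authentication.xml (constructed example; all names and values are placeholders)

  The management PID refers to the keystore below by its name only, e.g.
  (property names assumed, verify against your container's management cfg):

      secured        = true
      secureProtocol = TLS
      keyStore       = jmx-keystore
      keyAlias       = jmx

  If that PID is applied before this blueprint has registered "jmx-keystore",
  the JMX connector restarts, cannot resolve the name, and fails. That is the
  ordering problem described in the issue.
-->
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0">

  <!--
    Registers a named keystore with Karaf's keystore manager.
      name             : the value the management PID's keyStore property must match
      path             : URL of the JKS file (placeholder location)
      keystorePassword : password protecting the store itself
      keyPasswords     : alias=password pairs for the private keys in the store
    A truststore for client certificate checks follows the same pattern
    under a second name.
  -->
  <jaas:keystore name="jmx-keystore"
                 rank="1"
                 path="file:etc/jmx-keystore.jks"
                 keystorePassword="CHANGE_ME_STORE_PASSWORD"
                 keyPasswords="jmx=CHANGE_ME_KEY_PASSWORD"/>

  <!--
    The passwords above sit in clear text inside the profile, so anyone who can
    read the profile can read them. Restrict who can view or edit the profile
    and keep the JKS file readable only by the container's user.
  -->
</blueprint>
```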


            People

              pantinor@redhat.com Paolo Antinori
              pklimcza_jira Piotr Klimczak (Inactive)