OCSS7 2.1.0 :: OCSS7 Installation and Administration Guide :: Securing the SGC JMX management connection with SSL/TLS

On this page...

Default configuration of the JMX management connection
Securing the JMX management connection with SSL/TLS
SGC stack JMX configuration properties
SGC stack JMX connector configuration details

Default configuration of the JMX management connection

The default JMX configuration allows for unsecured JMX management connections from the local machine only. That is, the SGC SS7 stack by default listens for management connections on a local loopback interface. This allows for any JMX management client running on the same machine as the SGC stack instance to connect and manage that instance with no additional configuration.

Securing the JMX management connection with SSL/TLS

SGC_HOME

SGC_HOME in the following instructions represents the path to the SGC Stack installation directory.

SGC stack secure configuration

The SGC SS7 stack can be configured to secure JMX management connections using the SSL/TLS protocol. The default installation package provides a helper shell script (SGC_HOME/bin/sgckeygen) that generates:

SGC_HOME/config/sgc-server.keystore — a JKS repository of security certificates containing two entries: an SGC JMX server private key and a trust entry for the SGC JMX client certificate
SGC_HOME/config/sgc-client.keystore — a JKS repository of security certificates containing two entries: an SGC JMX client private key and a trust entry for the SGC JMX server certificate
SGC_HOME/config/netssl.properties — a Java properties file containing the configuration the SGC Stack uses during start-up (properties in this file point to the generated sgc-server.keystore)
SGC_HOME/config/sgc-trust.cert — the SGC JMX server certificate, which can be imported to any pre-existing KeyStore to establish a trust relation.

To enable a secure JMX management connection:

Generate appropriate server / client private keys and certificates: run the SGC_HOME/bin/sgckeygen script.
Change the SGC stack configuration to enable the secure connection: edit the configuration file SGC_HOME/config/sgcenv, changing the JMX_SECURE variable value to true.

By default, the SGC stack is configured to require client authorization with a trusted client certificate. The straightforward approach is to use the generated SGC_HOME/config/sgc-client.keystore as part of the JMX management client configuration.

For detailed information about creating a KeyStore, please see the Java Virtual Machine vendor documentation on the Oracle JDK Tools and Utilities page.
For general information about SSL/TLS support, see the JSSE Reference Guide.
Configuration changes take effect on SGC stack instance restart.

Example client configuration for a JMX management secure connection

You can configure the JMX management connection from the command line or using a JDK tool.

Configuring from the command line

To configure a secure JMX connection for the SGC Stack using a command-line management console, please see Command-Line Management Console.

Configuring with a generic JMX management tool

The Command-Line Management Console is a dedicated tool for operating and configuring the SGC stack; but there are many tools that support the JMX standard. Below are tips for letting them communicate with the SGC stack.

The SGC stack is equipped with scripts that enable JMX connector and provide a simple way to prepare all the necessary keys and certificates used during the SSL/TLS authentication process.

In order to connect to the SGC stack with an external tool, follow the tool’s SGC stack secure configuration instructions.

For example, for Java VisualVM (part of the Sun/Oracle JDK) :

Generate the appropriate server / client private keys and certificates.
Copy the SGC_HOME/config/sgc-client.keystore to the machine where you want to start the Java VisualVM.
Start the Java VisualVM with parameters pointing to the relevant KeyStore file. For example: jvisualvm -J-Djavax.net.ssl.keyStore=sgc-client.keystore -J-Djavax.net.ssl.keyStorePassword=changeit -J-Djavax.net.ssl.trustStore=sgc-client.keystore -J-Djavax.net.ssl.trustStorePassword=changeit

The connection is secured only when using a remote/local JMX connector. Java VisualVM uses the "Attach API" to connect to locally running Java Virtual Machines, in effect bypassing the secure connection. In this case, client setup of a secure JMX connection is not required.

SGC stack JMX configuration properties

During SGC Stack instance startup, Java system properties are interrogated to derive configuration of the JMX RMI connector. Values of relevant properties can be configured using variables in the SGC_HOME/config/sgcenv configuration file.

Properties configurable using the sgcenv configuration file

The following JMX connector settings are supported in the SGC_HOME/config/sgcenv configuration file:

Variable What it specifies Values Default

Variable	What it specifies	Values	Default
`JMX_SECURE`	whether to secure the JMX connection with SSL/TLS	`true`/`false`	`false`
`JMX_NEED_CLIENT_AUTH`	whether the SGC Stack requires a trusted client certificate for an SSL/TLS-secured JMX connection	`true`/`false`	`true`
`JMX_SECURE_CFG_FILE`	path to the configuration file with properties used to secure the JMX management connection		`SGC_HOME/config/netssl.properties`
`DEFAULT_STORE_PASSWORD`	password used to secure the KeyStore and TrustStore when generating them using the `SGC_HOME/bin/sgckeygen` script		`changeit`

JMX_SECURE

whether to secure the JMX connection with SSL/TLS

true/false

false

JMX_NEED_CLIENT_AUTH

whether the SGC Stack requires a trusted client certificate for an SSL/TLS-secured JMX connection

true/false

true

JMX_SECURE_CFG_FILE

path to the configuration file with properties used to secure the JMX management connection

SGC_HOME/config/netssl.properties

DEFAULT_STORE_PASSWORD

password used to secure the KeyStore and TrustStore when generating them using the SGC_HOME/bin/sgckeygen script

changeit

The file specified by JMX_SECURE_CFG_FILE should be in the Java properties file format (as described in Javadoc for Properties class). Properties configurable using JMX_SECURE_CFG_FILE are related to the location and security of Java KeyStores containing the SGC stack private key, certificate, and trusted client certificate. Here are the properties configurable using JMX_SECURE_CFG_FILE:

Key What it specifies

Key	What it specifies
`javax.net.ssl.keyStore`	path to the Java KeyStore file containing the SGC Stack private key
`javax.net.ssl.keyStorePassword`	password protecting the KeyStore denoted by the `javax.net.ssl.keyStore` property
`javax.net.ssl.trustStore`	path to the Java KeyStore file containing the trusted client certificate
`javax.net.ssl.trustStorePassword `	password protecting the KeyStore denoted by the `javax.net.ssl.trustStore` property

javax.net.ssl.keyStore

path to the Java KeyStore file containing the SGC Stack private key

javax.net.ssl.keyStorePassword

password protecting the KeyStore denoted by the javax.net.ssl.keyStore property

javax.net.ssl.trustStore

path to the Java KeyStore file containing the trusted client certificate

`javax.net.ssl.trustStorePassword `

password protecting the KeyStore denoted by the javax.net.ssl.trustStore property

Example JMX_SECURE_CFG_FILE properties file

The JMX_SECURE_CFG FILE generated by the SGC_HOME/bin/sgckeygen script looks like this:

#This is a SSL configuration file.
#A properties file that can be used to supply the KeyStore
#and truststore location and password settings thus avoiding
#to pass them as cleartext in the command-line.

javax.net.ssl.keyStore=./config/sgc-server.keystore
javax.net.ssl.keyStorePassword=changeit

javax.net.ssl.trustStore=./config/sgc-server.keystore
javax.net.ssl.trustStorePassword=changeit

SGC stack JMX connector configuration details

The details presented above should be sufficient to secure the SGC JMX management connection. However, for a customized solution (for example, using other start-up scripts), see the following JMX connector parameters supported by SGC stack.

Usually there is no need to customize the operation of the SGC stack JMX RMI connector, as relevant configuration is exposed through SGC start-up scripts.

Here are the Java system properties used to configure the SGC stack JMX RMI connector:

Key What it specifies

Key	What it specifies
	Values
`com.cts.ss7.management.jmxremote.host`	host that SGC should bind to in order to listen for incoming JMX connections
resolvable host name or IP address (`0.0.0.0` to listen on all local interfaces)
`com.cts.ss7.management.jmxremote.port`	port where SGC binds for incoming JMX connections
Valid port value `0..65535` inclusive (`0` = system assigned)
`com.cts.ss7.management.jmxremote.ssl`	whether to enable secure monitoring using SSL (if false, then SSL is not used)
`true`/`false` Default is `false`.
`com.cts.ss7.management.jmxremote.ssl.enabled.cipher.suites`	a comma-delimited list of SSL/TLS cipher suites to enable; used in conjunction with `com.cts.ss7.management.jmxremote.ssl`
default SSL/TLS cipher suites
`com.cts.ss7.management.jmxremote.ssl.enabled.protocols`	a comma-delimited list of SSL/TLS protocol versions to enable; used in conjunction with `com.cts.ss7.management.jmxremote.ssl`
default SSL/TLS protocol version
`com.cts.ss7.management.jmxremote.ssl.need.client.auth`	whether to perform client-based certificate authentication, if both this property and `com.cts.ss7.management.jmxremote.ssl` are true
`true`/`false` Default is `true`.
`com.cts.ss7.management.jmxremote.ssl.config.file`	path to the configuration file with properties used to secure the JMX management connection (should be in Java properties file format)
no default path (`SGC_HOME/config/netssl.properties` is assigned by the SGC start scripts)
`javax.net.ssl.keyStore`	KeyStore location *
no default path
`javax.net.ssl.keyStorePassword`	KeyStore password *
no default path
`javax.net.ssl.trustStore`	truststore location *
no default path
`javax.net.ssl.trustStorePassword truststore password`	truststore password *
no default path

Values

com.cts.ss7.management.jmxremote.host

host that SGC should bind to in order to listen for incoming JMX connections

resolvable host name or IP address
(0.0.0.0 to listen on all local interfaces)

com.cts.ss7.management.jmxremote.port

port where SGC binds for incoming JMX connections

Valid port value 0..65535 inclusive
(0 = system assigned)

com.cts.ss7.management.jmxremote.ssl

whether to enable secure monitoring using SSL (if false, then SSL is not used)

true/false
Default is false.

com.cts.ss7.management.jmxremote.ssl.enabled.cipher.suites

a comma-delimited list of SSL/TLS cipher suites to enable; used in conjunction with com.cts.ss7.management.jmxremote.ssl

default SSL/TLS cipher suites

com.cts.ss7.management.jmxremote.ssl.enabled.protocols

a comma-delimited list of SSL/TLS protocol versions to enable; used in conjunction with com.cts.ss7.management.jmxremote.ssl

default SSL/TLS protocol version

com.cts.ss7.management.jmxremote.ssl.need.client.auth

whether to perform client-based certificate authentication, if both this property and com.cts.ss7.management.jmxremote.ssl are true

true/false
Default is true.

com.cts.ss7.management.jmxremote.ssl.config.file

path to the configuration file with properties used to secure the JMX management connection (should be in Java properties file format)

no default path
(SGC_HOME/config/netssl.properties is assigned by the SGC start scripts)

javax.net.ssl.keyStore

KeyStore location *

no default path

javax.net.ssl.keyStorePassword

KeyStore password *

no default path

javax.net.ssl.trustStore

truststore location *

no default path

javax.net.ssl.trustStorePassword truststore password

truststore password *

no default path

* Can be defined in the com.cts.ss7.management.jmxremote.ssl.config.file configuration file

Previous page Next page