Default configuration of the JMX management connection
The default JMX configuration allows for unsecured JMX management connections from the local machine only. That is, the SGC SS7 stack by default listens for management connections on a local loopback interface. This allows for any JMX management client running on the same machine as the SGC stack instance to connect and manage that instance with no additional configuration.
Securing the JMX management connection with SSL/TLS
SGC_HOME
SGC_HOME in the following instructions represents the path to the SGC Stack installation directory.
|
SGC stack secure configuration
The SGC SS7 stack can be configured to secure JMX management connections using the SSL/TLS protocol. The default installation package provides a helper shell script (SGC_HOME/bin/sgckeygen
) that generates:
-
SGC_HOME/config/sgc-server.keystore
— a JKS repository of security certificates containing two entries: an SGC JMX server private key and a trust entry for the SGC JMX client certificate -
SGC_HOME/config/sgc-client.keystore
— a JKS repository of security certificates containing two entries: an SGC JMX client private key and a trust entry for the SGC JMX server certificate -
SGC_HOME/config/netssl.properties
— a Java properties file containing the configuration the SGC Stack uses during start-up (properties in this file point to the generatedsgc-server.keystore
) -
SGC_HOME/config/sgc-trust.cert
— the SGC JMX server certificate, which can be imported to any pre-existing KeyStore to establish a trust relation.
To enable a secure JMX management connection:
-
Generate appropriate server / client private keys and certificates: run the
SGC_HOME/bin/sgckeygen
script. -
Change the SGC stack configuration to enable the secure connection: edit the configuration file
SGC_HOME/config/sgcenv
, changing theJMX_SECURE
variable value to true.
By default, the SGC stack is configured to require client authorization with a trusted client certificate. The straightforward approach is to use the generated SGC_HOME/config/sgc-client.keystore as part of the JMX management client configuration.
|
|
Example client configuration for a JMX management secure connection
You can configure the JMX management connection from the command line or using a JDK tool.
Configuring from the command line
To configure a secure JMX connection for the SGC Stack using a command-line management console, please see Command-Line Management Console.
Configuring with a generic JMX management tool
The Command-Line Management Console is a dedicated tool for operating and configuring the SGC stack; but there are many tools that support the JMX standard. Below are tips for letting them communicate with the SGC stack.
The SGC stack is equipped with scripts that enable JMX connector and provide a simple way to prepare all the necessary keys and certificates used during the SSL/TLS authentication process.
In order to connect to the SGC stack with an external tool, follow the tool’s SGC stack secure configuration instructions. |
For example, for Java VisualVM (part of the Sun/Oracle JDK) :
-
Generate the appropriate server / client private keys and certificates.
-
Copy the
SGC_HOME/config/sgc-client.keystore
to the machine where you want to start the Java VisualVM. -
Start the Java VisualVM with parameters pointing to the relevant KeyStore file. For example:
jvisualvm -J-Djavax.net.ssl.keyStore=sgc-client.keystore -J-Djavax.net.ssl.keyStorePassword=changeit -J-Djavax.net.ssl.trustStore=sgc-client.keystore -J-Djavax.net.ssl.trustStorePassword=changeit
The connection is secured only when using a remote/local JMX connector. Java VisualVM uses the "Attach API" to connect to locally running Java Virtual Machines, in effect bypassing the secure connection. In this case, client setup of a secure JMX connection is not required. |
SGC stack JMX configuration properties
During SGC Stack instance startup, Java system properties are interrogated to derive configuration of the JMX RMI connector. Values of relevant properties can be configured using variables in the SGC_HOME/config/sgcenv
configuration file.
Properties configurable using the sgcenv configuration file
The following JMX connector settings are supported in the SGC_HOME/config/sgcenv
configuration file:
Variable | What it specifies | Values | Default |
---|---|---|---|
|
whether to secure the JMX connection with SSL/TLS |
|
|
|
whether the SGC Stack requires a trusted client certificate for an SSL/TLS-secured JMX connection |
|
|
|
path to the configuration file with properties used to secure the JMX management connection |
|
|
|
password used to secure the KeyStore and TrustStore when generating them using the |
|
The file specified by JMX_SECURE_CFG_FILE
should be in the Java properties file format (as described in Javadoc for Properties class). Properties configurable using JMX_SECURE_CFG_FILE
are related to the location and security of Java KeyStores containing the SGC stack private key, certificate, and trusted client certificate. Here are the properties configurable using JMX_SECURE_CFG_FILE
:
Key | What it specifies |
---|---|
|
path to the Java KeyStore file containing the SGC Stack private key |
|
password protecting the KeyStore denoted by the |
|
path to the Java KeyStore file containing the trusted client certificate |
|
password protecting the KeyStore denoted by the |
Example JMX_SECURE_CFG_FILE properties file
The JMX_SECURE_CFG_FILE
generated by the SGC_HOME/bin/sgckeygen
script looks like this:
#This is a SSL configuration file.
#A properties file that can be used to supply the KeyStore
#and truststore location and password settings thus avoiding
#to pass them as cleartext in the command-line.
javax.net.ssl.keyStore=./config/sgc-server.keystore
javax.net.ssl.keyStorePassword=changeit
javax.net.ssl.trustStore=./config/sgc-server.keystore
javax.net.ssl.trustStorePassword=changeit
SGC stack JMX connector configuration details
The details presented above should be sufficient to secure the SGC JMX management connection. However, for a customized solution (for example, using other start-up scripts), see the following JMX connector parameters supported by SGC stack.
Usually there is no need to customize the operation of the SGC stack JMX RMI connector, as relevant configuration is exposed through SGC start-up scripts. |
Here are the Java system properties used to configure the SGC stack JMX RMI connector:
Key | What it specifies |
---|---|
Values |
|
|
host that SGC should bind to in order to listen for incoming JMX connections |
resolvable host name or IP address |
|
|
port where SGC binds for incoming JMX connections |
Valid port value |
|
|
whether to enable secure monitoring using SSL (if false, then SSL is not used) |
|
|
|
a comma-delimited list of SSL/TLS cipher suites to enable; used in conjunction with |
default SSL/TLS cipher suites |
|
|
a comma-delimited list of SSL/TLS protocol versions to enable; used in conjunction with |
default SSL/TLS protocol version |
|
|
whether to perform client-based certificate authentication, if both this property and |
|
|
|
path to the configuration file with properties used to secure the JMX management connection (should be in Java properties file format) |
no default path |
|
|
KeyStore location * |
no default path |
|
|
KeyStore password * |
no default path |
|
|
truststore location * |
no default path |
|
|
truststore password * |
no default path |
* Can be defined in the com.cts.ss7.management.jmxremote.ssl.config.file
configuration file