Enabling JMX Security
When a GridGain node is started using the ignite.[sh|bat] script, it automatically starts a JMX server and allows remote connections from monitoring tools like VisualVM. While this gives good monitoring capabilities (e.g., exposes all metrics via MX beans), it’s not secure.
If you don’t need to connect to nodes via JMX, you can simply disable it via the -nojmx command line argument:
In this case you should see a line like this in the log:
[18:45:20,178][INFO][main][IgniteKernal] Remote Management [restart: on, REST: on, JMX (remote: off)]
JMX (remote: off) indicates that JMX is disabled.
If you still need JMX connectivity, it can be secured with login/password authentication and/or SSL.
To enable simple file-based authentication, you need to do the following:
Go to the JRE_HOME/lib/management folder and rename the jmxremote.password.template file to jmxremote.password. Open the jmxremote.password file in any editor and uncomment the last two lines (you can also change the passwords if you want):
monitorRole QED
controlRole R&D
Change permissions of the jmxremote.password file so that only the user can read and write it:
chmod 600 jmxremote.password
Start a GridGain node with JMX authentication enabled:
You should see this line in the log:
[18:13:46,747][INFO][main][IgniteKernal] Remote Management [restart: on, REST: on, JMX (remote: on, port: 49115, auth: on, ssl: off)]
Authentication is now enabled. If you try to connect to port 49115 using VisualVM or any other tool, you will be asked for a username and password.
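The two checks this procedure relies on (the "Remote Management" log line and the mode of jmxremote.password) can be scripted. The following is an added example, not part of the GridGain documentation: the function names are hypothetical, the sample files are constructed, and the "auth: off" log line is a constructed variant of the format shown above.

```shell
#!/bin/sh
# Added example (not from the GridGain docs): audit a node's JMX posture.

# Classify the last "Remote Management" line in a node log file.
# Prints: disabled | auth+ssl | auth-only | ssl-only | open | unknown
jmx_status() {
    line=$(grep 'Remote Management' "$1" 2>/dev/null | tail -n 1)
    case "$line" in
        *'JMX (remote: off)'*) echo disabled; return ;;
        *'JMX (remote: on'*)   ;;
        *)                     echo unknown; return ;;
    esac
    auth=off; ssl=off
    case "$line" in *'auth: on'*) auth=on ;; esac
    case "$line" in *'ssl: on'*)  ssl=on ;; esac
    case "$auth/$ssl" in
        on/on)  echo auth+ssl ;;
        on/off) echo auth-only ;;
        off/on) echo ssl-only ;;
        *)      echo open ;;
    esac
}

# Succeed only if the password file is a regular file with mode 600,
# i.e. what "chmod 600 jmxremote.password" leaves behind.
pw_file_locked_down() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Write constructed sample inputs into directory $1. The first two log
# lines are the ones quoted on this page; the "auth: off" line is a
# constructed variant in the same format (assumption).
make_samples() {
    p='[INFO][main][IgniteKernal] Remote Management [restart: on, REST: on, JMX'
    echo "[18:45:20,178]$p (remote: off)]" > "$1/off.log"
    echo "[18:13:46,747]$p (remote: on, port: 49115, auth: on, ssl: off)]" > "$1/auth.log"
    echo "[18:20:00,000]$p (remote: on, port: 49115, auth: off, ssl: off)]" > "$1/open.log"
    printf 'monitorRole QED\ncontrolRole R&D\n' > "$1/jmxremote.password"
    chmod 644 "$1/jmxremote.password"   # deliberately too permissive
}

d=$(mktemp -d) && make_samples "$d"
for f in off auth open; do echo "$f.log: $(jmx_status "$d/$f.log")"; done
pw_file_locked_down "$d/jmxremote.password" || echo "password file: too permissive"
chmod 600 "$d/jmxremote.password"
pw_file_locked_down "$d/jmxremote.password" && echo "password file: mode 600"
rm -rf "$d"
```

A result of auth-only matches the configuration reached by the steps above; open means the JMX port accepts remote connections without credentials.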
Advanced Authentication Techniques
File-based authentication as described above doesn’t provide enough security in most cases and is suitable only during the development process. When running in production, you should consider using SSL and secure authentication protocols (like LDAP). For more information and details refer to this Oracle documentation.