
List:       tomcat-user
Subject:    Re: AW: TLS configuration TLS for JMX port
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2022-11-07 21:14:50
Message-ID: 6369fbab-4065-3723-be41-cd252ce34486 () christopherschultz ! net

Markus,

On 11/4/22 06:04, Bärtschi, Markus-MGB wrote:
> On 04/11/2022 08:06, Bärtschi, Markus-MGB wrote:
> > > How can I configure TLS for my JMX port without the keystore information showing up on the command line?
> 
> > Don't use passwords. Rely on operating system file permissions to limit access to the file to the Tomcat process (and root).
> 
> So you recommend using a passwordless keystore and chmod 600 it to protect it?
> 
> > Keep in mind that JMX has various security issues you can do very little about, including:
> > - extremely coarse grained security (read-only or read/write)
> > - no protection against brute force attacks
> > - no logging to identify brute force attacks
> > Note that Tomcat is implemented from the point of view that *any* JMX access is equivalent to full administrative access.
> 
> I'm aware that JMX is not great from a security perspective. But we need a way to monitor what is going on.

I highly recommend using the JMXProxyServlet which is provided by 
Tomcat, though you do have to deploy the "Manager" application in order 
to use it.

You can lock that down much more tightly than a (relatively) wide-open 
JMX port.

-chris
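For reference, one way to lock down the JMXProxyServlet route Chris recommends above. This is an added example, not part of the original mail or of Tomcat's shipped configuration; the user name, password placeholder and allowed-address pattern are assumptions, and the `manager-jmx` role, the `/manager/jmxproxy` path and the `RemoteAddrValve` class are standard Tomcat.

```xml
<!-- conf/tomcat-users.xml: grant only the JMX proxy role, not manager-gui/manager-script,
     to a dedicated monitoring account (name and password are placeholders). -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-jmx"/>
  <user username="jmxmonitor" password="CHANGE-ME" roles="manager-jmx"/>
</tomcat-users>

<!-- webapps/manager/META-INF/context.xml: the manager app's own context.
     RemoteAddrValve restricts callers to loopback (assumed monitoring host);
     widen the regex to the monitoring host's address if it is not local.
     Pair this with an HTTPS connector so the BASIC credentials are not sent in clear. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>

<!-- Example read-only query against the proxy (constructed; run from the allowed host):
     https://localhost:8443/manager/jmxproxy/?qry=Catalina:type=ThreadPool,*
     Because access goes through the Manager webapp, every request is authenticated,
     logged by the access log valve, and subject to the same rate/lockout controls
     (e.g. LockOutRealm) as any other web request, none of which a raw JMX port offers. -->
```

The monitoring account gets only `manager-jmx`; giving it `manager-script` or `manager-gui` would hand the same account deploy/undeploy rights, which defeats the purpose of the tighter lockdown.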

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
