I'm trying to get SSL-enabled JMX access to ActiveMQ (5.8.0 or 5.9.0 running under Java 1.6.0) but I'm not having any luck. I've dealt with SSL-enabled JMX access in the past, so I'm quite familiar with setting up keystores, truststores, etc. Our servers are all located in AWS, so we have to deal with poking holes through firewalls as well. I'm able to get unencrypted JMX working to our ActiveMQ server by specifying the following in the activemq.xml file:
<managementContext>
    <managementContext connectorPort="1099" rmiServerPort="1098" connectorHost="<local IP of AWS instance>" />
</managementContext>
And by also specifying the following Java parameters when starting up ActiveMQ:
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.password.file=/path/to/jmx.passwd
-Dcom.sun.management.jmxremote.access.file=/path/to/jmx.access
-Djava.rmi.server.hostname=<public IP of AWS instance>
The managementContext apparently doesn't have parameters for supporting SSL, so I'm trying to also include the following on my Java command line (which works fine with our other Java apps to access JMX over SSL):
-Dcom.sun.management.jmxremote.ssl=true
-Djavax.net.ssl.keyStore=/path/to/keystore
-Djavax.net.ssl.trustStore=/path/to/truststore
-Djavax.net.ssl.keyStorePassword=<password>
-Djavax.net.ssl.trustStorePassword=<password>
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
It appears that ActiveMQ is simply ignoring these settings. If I use the command 'openssl s_client -connect :' to query the RMI server port of a Java process where JMX/SSL is working, then it displays all the details about the certificate being used. However, if I run the command against the ActiveMQ RMI server port, I get a message indicating that no peer certificate is available.
Is it possible to SSL-encrypt JMX access to ActiveMQ, or am I out of luck since it appears their managementContext doesn't support it?
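The certificate check described in the post (querying the RMI server port to see whether a peer certificate is presented), written as a scriptable probe. This is an added example, not part of the original post; the names `probe_tls` and `start_plaintext_listener` are hypothetical, and the local listener is a constructed stand-in for a port that is not TLS-wrapped.

```python
import socket
import ssl
import threading


def probe_tls(host, port, timeout=5.0):
    """Attempt a TLS handshake and report what the endpoint presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Verification is disabled on purpose: this only inspects what the server
    # offers. It is a diagnostic, not a client configuration to copy.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"reachable": False, "tls": False, "detail": type(exc).__name__}
    try:
        with ctx.wrap_socket(raw) as tls:
            der = tls.getpeercert(binary_form=True)
            return {"reachable": True, "tls": True, "protocol": tls.version(),
                    "cert_bytes": len(der or b"")}
    except (ssl.SSLError, OSError) as exc:
        # A plaintext endpoint answers the ClientHello with non-TLS bytes or
        # drops the connection; either way no certificate was presented.
        return {"reachable": True, "tls": False, "detail": type(exc).__name__}
    finally:
        raw.close()


def start_plaintext_listener():
    """Constructed stand-in for an unencrypted port; returns its port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                      # swallow the ClientHello
        conn.sendall(b"NOT-A-TLS-RECORD\n")  # reply in plaintext
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe_tls("127.0.0.1", start_plaintext_listener()))
```

Run against both the connector port and the RMI server port; a result with `"tls": False` on either one means traffic on that port is not encrypted.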