CVP 12.5 Enabling SSL for JMX

jvanderwood
Level 1

Software: CVP 12.5 (no E.S.)


I've found myself a bit stumped following the steps outlined in Chapter 17 "Unified CVP Security" of the CVP 12.5 Configuration Guide. In particular, I am struggling with 'Secure JMX Communication between OAMP and Call Server using Mutual Authentication'.


I have completed all the steps using an Internal CA (Microsoft Certificate Authority). Everything is fine until I change the config files for jmx_*.conf to com.sun.management.jmxremote.ssl.need.client.auth = true. I rebooted afterward rather than worry about restarting the processes.


At that point, the OAMP Control Center flags the device as Unreachable. This is a lab-only configuration (which I hope isn't the issue, because it seemed like an all-in-one box would be a lot easier to learn on than multiple boxes). I believe the OAMP log messages here reflect this issue:


4: 192.168.223.20: Aug 04 2020 08:22:10.522 -0700: %CVP_12_5_OAMP-3-OAMP_OMGR_JMX_CONNECTION_ERROR: Unable to establish JMX connector to URI service:jmx:rmi:///jndi/rmi://192.168.223.20:2099/jmxrmi: error during JRMP connection establishment; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown [id:7513]


The CSR was generated with the FQDN as the CN.


I also completed the 'Generate CA-Signed Client Certificate for WSM' in case it was related.


The only steps not done were:

1) The Regedit steps, as the installer apparently already took care of those. I confirmed the password matched the one in the properties file.

2) The note about importing cacerts into .keystore. I did a compare of the certs in each file, and while there were a few in cacerts that were not in .keystore, they were all external CAs and I couldn't see the relevance since I'm using an Internal CA.


Any advice would be appreciated.


-Jay

3 Replies

Koen Van Impe
Level 4

Hi Jay,

Did you get to fixing this issue?
I'm running into a similar issue, on a full deployment in lab.

Managed to secure JMX communication by implementing certificates signed by internal CA.

It started to go wrong when enabling com.sun.management.jmxremote.ssl.need.client.auth = true

I did create a client certificate with CN=<server hostname> (not FQDN) and added that to .keystore

I had this working on v11.6, but there are some changes: orm functionality seems to be replaced by WSM, although orm config files still seem to be around.

Hope you can shed some light here!


Rgds,

Koen

Nope. I've just left:

com.sun.management.jmxremote.ssl.need.client.auth = false


but I do the rest of the steps. That seems sufficient to appease the PCCE validations. Is it secure? I have no idea how to ensure that, but it seems enough to keep moving.

That's too bad!

The rest of the settings do make sure communication is encrypted, but they do not prevent unwanted "visitors" from connecting a JConsole and messing with settings.

I'll play around some more and let you know if I come to a solution.
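As an added example (not from this thread and not Cisco's code), a small checker that reads a jmx_*.conf-style properties file and reports the effective JMX security posture, using the documented JDK defaults for the keys discussed above. The sample file contents are constructed and deliberately contain a misspelled property name, which Java silently ignores instead of rejecting, so the setting the administrator thinks is on never takes effect.

```python
from __future__ import annotations

# Documented JDK defaults for the jmxremote properties discussed in the thread.
KNOWN_KEYS = {
    "com.sun.management.jmxremote.ssl": "true",
    "com.sun.management.jmxremote.ssl.need.client.auth": "false",
    "com.sun.management.jmxremote.authenticate": "true",
    "com.sun.management.jmxremote.registry.ssl": "false",
}

# Constructed sample modelled on a jmx_*.conf; the third key is misspelled on purpose.
SAMPLE_CONF = """
# JMX security settings (constructed example)
com.sun.management.jmxremote.ssl = true
com.sun.management.jmxremote.authenticate = true
com.sun.managment.jmxremote.ssl.needds.client.auth = true
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: 'key = value' lines, '#'/'!' comments, blanks."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def assess(text: str) -> dict:
    """Return effective settings, unknown keys and security findings for a conf file."""
    props = parse_properties(text)
    effective = dict(KNOWN_KEYS)          # start from JDK defaults
    unknown = []
    for key, value in props.items():
        if not key.startswith("com.sun."):
            continue                      # not a jmxremote setting, ignore
        if key in effective:
            effective[key] = value.lower()
        else:
            unknown.append(key)           # typo: Java ignores it without warning
    findings = []
    if unknown:
        findings.append("unknown/misspelled jmxremote keys are silently ignored: " + ", ".join(unknown))
    if effective["com.sun.management.jmxremote.ssl"] != "true":
        findings.append("JMX traffic is not TLS-protected")
    if effective["com.sun.management.jmxremote.ssl.need.client.auth"] != "true":
        findings.append("server does not require a client certificate (no mutual authentication)")
    if effective["com.sun.management.jmxremote.authenticate"] != "true":
        findings.append("password/role authentication is disabled")
    return {"effective": effective, "unknown_keys": unknown, "findings": findings}


if __name__ == "__main__":
    for finding in assess(SAMPLE_CONF)["findings"]:
        print("FINDING:", finding)
```

Run it against each jmx_*.conf after editing; an empty findings list means TLS, mutual authentication and password authentication are all in effect as the file is written.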