Enabling JMX port using SSL
To enable the JMX port with SSL in your Linux environment, perform the following actions:
- Create the keystore, certificate, and truststore with the keytool utility of the Java installation on the Linux host.
- Enable the JMX port to use the SSL connection in the TrueSight Presentation Server process.
- Create an infrastructure policy to monitor the process.
Creating keystore, certificate, and truststore
- To verify if the keytool is installed, run the following command: keytool.
When you run the command, a message is displayed. If you get an error, keytool is not installed. If the keytool is not installed in your Linux environment, install it using the Linux tools or download it.
- Generate the key pair in the Linux system.
- Run the following commands:
cd $JAVA_HOME/lib
keytool -genkeypair -keystore serverkeystore.jks -alias serverkey -validity 180 -storepass <storepass password> -keypass <keypass password>
Where serverkeystore is the keystore name and -validity sets the validity period to 180 days.
- Answer the questions asked by the system.
For the question - What is your first and last name, enter the FQDN or the IP address of the TrueSight Presentation Server host.
The new file - serverkeystore.jks - is created.
- To generate a certificate from the keystore of the server, run the following command:
keytool -exportcert -keystore serverkeystore.jks -alias serverkey -storepass <storepass password> -file server.cer
The clienttruststore file is created.
Enabling the SSL connection in TrueSight Presentation Server
- To configure TrueSight Presentation Server to use the certificates:
- Stop the TrueSight Presentation Server process, for example the csr process.
- Go to /opt/bmc/TrueSightPServer/truesightpserver/conf/services and back up the <process name>.conf file (for example, csr.conf).
- Add the following entries to the file:
vm.args.system.40=-Dcom.sun.management.jmxremote.port=<port number>
#to enable SSL
vm.args.system.41=-Dcom.sun.management.jmxremote.ssl=true
vm.args.system.42=-Dcom.sun.management.jmxremote.authenticate=false
vm.args.system.44=-Djava.rmi.server.hostname=<FQDN or the IP address of the TrueSight Presentation Server host>
#Set to false to create one-way SSL
vm.args.system.45=-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
#Use the keystore password.
vm.args.system.46=-Djavax.net.ssl.keyStorePassword=<keystore password>
#Use the serverkeystore.jks file.
vm.args.system.47=-Djavax.net.ssl.keyStore=/home/tsps/cert/serverkeystore.jks
- Start TrueSight Presentation Server.
- To validate if the JMX SSL is working, run the following command in jconsole:
./jconsole -J-Djavax.net.ssl.trustStore=/home/tsps/cert/clienttruststore -J-Djavax.net.ssl.trustStorePassword=<truststore password> service:jmx:rmi:///jndi/rmi://<FQDN or the IP address of the TrueSight Presentation Server host>:<port number>/jmxrmi
In the javax.net.ssl.trustStore attribute, enter the client certificate file name that you created, and in the javax.net.ssl.trustStorePassword attribute, enter the client certificate file password.
Note: Repeat these steps for each Java process with which you want to use JMX with SSL. Ensure that you use a unique port for each process.
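The entries above turn on TLS for the JMX port but set authenticate=false and ssl.need.client.auth=false, so the server does not authenticate the connecting client. The following check is an added example, not BMC code: it reads a service .conf file and reports that combination, a port served without TLS, and a keystore password kept in a file that group or others can read. The function names, port number, and password are constructed for illustration.

```sh
# Added example, not BMC code: audit the JMX entries of a service .conf file.
# jmx_prop FILE PROPERTY: value of -D<PROPERTY>=... on the last uncommented
# line that sets it; prints nothing when the property is not set.
jmx_prop() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -v '^[[:space:]]*#' "$1" |
        sed -n "s/^[^=]*=-D$name=\([^[:space:]]*\).*$/\1/p" | tail -n 1
}

# audit_jmx_conf FILE: one finding per line; status 0 only when there are none.
# Unset properties take the JVM defaults: ssl=true, authenticate=true,
# ssl.need.client.auth=false.
audit_jmx_conf() (
    p=com.sun.management.jmxremote
    port=$(jmx_prop "$1" "$p.port")
    [ -n "$port" ] || { echo "OK: no remote JMX port configured"; exit 0; }
    ssl=$(jmx_prop "$1" "$p.ssl")
    auth=$(jmx_prop "$1" "$p.authenticate")
    cert=$(jmx_prop "$1" "$p.ssl.need.client.auth")
    n=0
    if [ "${ssl:-true}" != true ]; then
        echo "FAIL: JMX port $port is not protected by TLS"; n=$((n + 1))
    fi
    if [ "${auth:-true}" = false ] && [ "${cert:-false}" != true ]; then
        echo "FAIL: JMX port $port accepts clients without a password or client certificate"
        n=$((n + 1))
    fi
    if [ -n "$(jmx_prop "$1" javax.net.ssl.keyStorePassword)" ]; then
        case $(ls -ld "$1" | cut -c5,8) in   # group-read and other-read bits
            *r*) echo "WARN: keystore password sits in a file readable by group or others"
                 n=$((n + 1)) ;;
        esac
    fi
    [ "$n" -eq 0 ]
)

# Constructed sample mirroring the entries on this page (port and password made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
vm.args.system.40=-Dcom.sun.management.jmxremote.port=9010
#to enable SSL
vm.args.system.41=-Dcom.sun.management.jmxremote.ssl=true
vm.args.system.42=-Dcom.sun.management.jmxremote.authenticate=false
vm.args.system.45=-Dcom.sun.management.jmxremote.ssl.need.client.auth=false
vm.args.system.46=-Djavax.net.ssl.keyStorePassword=constructed-example
EOF
chmod 644 "$sample"
audit_jmx_conf "$sample" || echo "findings reported"
rm -f "$sample"
```

A file that sets ssl.need.client.auth=true passes the authentication check, because the server then accepts only clients whose certificate it trusts.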
Creating an infrastructure policy
- On the Add Monitoring Configuration window, from the Monitoring Solution list, select Apache Tomcat and Generic Java Server.
- From the Version list, select the latest version of the KM that you have deployed.
- From the Monitor Profile and Monitor Type lists, select Generic JVM Server and Generic JVM Server Setup.
- In the Configure Generic JVM Environments section, click Add.
- In the Environment Configuration section, in the Environment Name field, enter the display name of the environment.
- Ensure that the name does not contain any special characters.
- In the Host/IP field, enter the FQDN or the IP address of the TrueSight Presentation Server host.
- Enter the JMX port.
- In the SSL Certificates Details section, in the TrustStore file field, enter the client certificate file name (for example, clienttruststore).
- In the TrustStore password field, enter the client certificate file password.
- Complete the other configuration.
For more information, see Registering a Generic JVM environment in TrueSight.