I wanted to get some monitoring information out from z/OSMF using jConsole on my Ubuntu machine. Eventually this worked, but I had a few problems on the way. The same technique can be used for base Liberty, MQWeb, z/OSMF and ZOWE all of which are based on Liberty.
Configuring z/OSMF
I changed the z/OSMF configuration to include
<featureManager>
    <feature>restConnector-2.0</feature>
</featureManager>
and restarted the server.
In the stdout (or message log) will be something like
CWWKX0103I: The JMX REST connector is running and is available at the following service URL: service:jmx:rest://sss.com:10443/IBMJMXConnectorREST
You need this URL. The message above gave service:jmx:rest://sss.com:10443/IBMJMXConnectorREST, but I needed to use service:jmx:rest://10.1.1.2:10443/IBMJMXConnectorREST.
The port number came from the httpEndpoint with id="defaultHttpEndpoint". I have another httpEndpoint with port 24993, and this also worked with jConsole.
Set up jConsole
I set up a script for jConsole:
# key store used for the client certificate
k1='-J-Djavax.net.ssl.keyStore=/home/colinpaice/ssl/ssl2/adcdc.p12'
k2='-J-Djavax.net.ssl.keyStorePassword=password'
k3='-J-Djavax.net.ssl.keyStoreType=pkcs12'
# trust store used to validate the server certificate
t1='-J-Djavax.net.ssl.trustStore=/home/colinpaice/ssl/ssl2/zca.jks'
t2='-J-Djavax.net.ssl.trustStorePassword=password'
t3='-J-Djavax.net.ssl.trustStoreType=jks'
# TLS handshake trace; the second assignment blanks it, delete that line to turn tracing on
d='-J-Djavax.net.debug=ssl:handshake'
d=' '
# jConsole debug; the second assignment blanks it, delete that line to turn it on
de='-debug'
de=' '
s='service:jmx:rest://10.1.1.2:10443/IBMJMXConnectorREST'
jconsole $de $s $k1 $k2 $k3 $t1 $t2 $t3 $d
Where
- the -J… parameters are passed through to the Java runtime that jConsole starts,
- the -Djavax.net.ssl… properties are the standard set of system properties that define the key store and trust store on Linux.
Running this script gave a pop up window with
Secure connection failed. Retry insecurely?
The connection to service:jmx:rest://10.1.1.2:10443/IBMJMXConnectorREST could not be made using SSL.
Would you like to try without SSL?
This was because of the exception
java.io.IOException: jmx.remote.credentials not provided.
I could not see how to pass userid and password to jConsole.
I then used Ctrl+N to create a new connection and entered the Username: and Password: which jConsole requires. After a short delay of a few seconds jConsole responded with graphs of Heap Memory Usage and Threads in use. You can then select from the Measurement Beans.
The TLS setup
In the keystore I had a certificate which I had used to talk to a Liberty instance before.
This was signed, and the CA certificate had been imported into the key trust keyring on z/OS for that httpEndpoint.
The server responded with a server certificate ("CN=SERVER,O=SSS,C=GB") which had been signed on z/OS. The signing certificate had been exported from z/OS and downloaded to Linux.
I created a jks key trust store using this certificate, using the command
keytool -importcert -file temp4ca.pem -keystore zca.jks -storetype jks -storepass password
and used this trust store to validate the server certificate sent down from z/OS.
This worked with jConsole.
I created a pkcs12 keystore using keytool
keytool -importcert -file temp4ca.pem -keystore zca2.p12 -storetype pkcs12 -storepass password
This also worked.
Problems using a .p12 trust store
I used
runmqakm -keydb -create -db zca.p12 -type pkcs12 -pw password
runmqakm -cert -add -file temp4ca.pem -db zca.p12 -type pkcs12 -pw password -label tempca
runmqakm -cert -details -db zca.p12 -type pkcs12 -pw password -label tempca
to create a pkcs12 keystore and import the z/OS CA certificate. The -details option displayed it.
When I tried to use it, jConsole produced the message (after the Ctrl+N)
Secure connection failed. Retry insecurely?
The connection to service:jmx:rest://10.1.1.2:10443/IBMJMXConnectorREST could not be made using SSL.
Would you like to try without SSL?
I used Ctrl-N as before, and got the same message.
Setting
d='-J-Djavax.net.debug=ssl:handshake'
(that is, removing the d=' ' line that blanks it) and rerunning the script produced a TLS trace. At the bottom was
VMPanel.connect, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
%% Invalidated:…
VMPanel.connect, SEND TLSv1.2 ALERT: fatal, description = internal_error
A trace at the server gave only the unhelpful SEND TLSv1.2 ALERT:
Using openssl also failed. I created the .p12 keystore with
openssl pkcs12 -export -out zca.p12 -in temp4ca.pem -name zCA -nokeys
and reran the jConsole script; it failed the same way, with
Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
It looks like runmqakm and openssl do not create a valid trust store with an imported certificate.
Additional diagnostics
When the trust store created by keytool was used, the top of the TLS trace output contained
System property jdk.tls.client.cipherSuites is set to ‘null’
…
Ignoring disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
trustStore is: /home/colinpaice/ssl/ssl2/zca.p12
trustStore type is : pkcs12
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=TEMP4Certification Authority, OU=TEST, O=TEMP
Issuer: CN=TEMP4Certification Authority, OU=TEST, O=TEMP
Algorithm: RSA; Serial number: 0x0
Valid from Tue Jul 14 00:00:00 BST 2020 until Fri Jul 02 23:59:59 BST 2021
keyStore is : /home/colinpaice/ssl/ssl2/adcdc.p12
keyStore type is : pkcs12
keyStore provider is :
init keystore
init keymanager of type SunX509
When the runmqakm or openssl trust store was used, the entries highlighted in green above (the "adding as trusted cert:" block) were missing.
When I used runmqakm to create the pkcs12 keystore
runmqakm -cert -details -db zca.p12 -type p12 -pw password -label tempca
listed the certificate successfully.
When I used keytool to list the contents
keytool -list -keystore zca.p12 -storetype pkcs12 -storepass password
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 0 entries
When I created the key store with keytool, both runmqakm and keytool displayed the certificate.
The problem looks like Java is only able to process the imported CA certificates when keytool was used to create the trust store.
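As an added example (not code from the original post), here is a small Java preflight check that loads a trust store the way the javax.net.ssl.trustStore* properties would and reports how many entries Java will actually use as trust anchors. Running it against zca.p12 before starting jConsole shows the "0 entries" problem above directly instead of leaving you with the "trustAnchors parameter must be non-empty" handshake failure; the class name and the command-line arguments are my own choice.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Preflight check for a jConsole trust store (added example, not part of the
// original post). It loads the store exactly as javax.net.ssl.trustStore* would
// and counts the entries Java will use as trust anchors.
// Usage: java TrustStoreCheck <file> <type> <password>
//   e.g. java TrustStoreCheck /home/colinpaice/ssl/ssl2/zca.p12 pkcs12 password
public class TrustStoreCheck {

    // Returns the number of trusted-certificate entries Java can see in the store.
    static int countTrustAnchors(String path, String type, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        int anchors = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trust anchor '" + alias + "': " + c.getSubjectX500Principal()
                        + " (expires " + c.getNotAfter() + ")");
                anchors++;
            } else {
                // Private-key entries belong in a key store; they are not trust anchors.
                System.out.println("non-trust entry '" + alias + "' ignored");
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        int anchors = countTrustAnchors(args[0], args[1], args[2]);
        if (anchors == 0) {
            // Java's PKCS12 loader only accepts a certificate as a trusted entry when it
            // carries the Oracle trusted-key-usage bag attribute that keytool writes on
            // import; stores built by other tools often lack it, so Java loads 0 entries
            // and the TLS handshake fails with "the trustAnchors parameter must be non-empty".
            System.out.println("NO usable trust anchors: jConsole will fail the TLS handshake");
            System.exit(1);
        }
        System.out.println(anchors + " trust anchor(s) loaded: the store is usable by jConsole");
    }
}
```

For the keytool-built store this lists the TEMP4 CA entry; for the runmqakm- or openssl-built zca.p12 it exits with status 1, which matches the "0 entries" that keytool -list reported.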