1. If we don't need authentication, just add the following to CATALINA_OPTS. Both authentication and SSL are switched off, so any client that can reach port 9001 can connect:
"-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"
2. If we want to require a user name and password, add the following to CATALINA_OPTS:
"-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/home/www/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/www/etc/jmx/jmxremote.access"
Contents of jmxremote.access (role name and access level):
monitorRole readonly
controlRole readwrite
Contents of jmxremote.password (role name and password):
monitorRole [passwd]
controlRole [passwd]
Remove the group and other permissions from the password file:
chmod 600 jmxremote.password
3. If we want to use SSL to encrypt the messages between the JMX client and server:
"-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.keyStore=/home/www/etc/keystore/server.jks -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9001 -Dcom.sun.management.jmxremote.password.file=/home/www/etc/jmx/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/home/www/etc/jmx/jmxremote.access -Dcom.sun.management.jmxremote.ssl=true"
Convert the server's certificate and key to PKCS12 format (note that ca.crt is the CA that signed the server certificate, so it is the server CA, not the client CA):
openssl pkcs12 -in server.crt -inkey server.key -export -out server.p12 -nodes -CAfile ca.crt
Afterwards, you should be able to look at the PKCS12 keystore using:
/usr/local/jdk1.6.0/bin/keytool -list -keystore server.p12 -storetype pkcs12
Convert the PKCS12 keystore to a JKS keystore:
/usr/local/jdk1.6.0/bin/keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12 -deststoretype jks
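The default Java keystore of trusted CA certificates (cacerts) is normally at JAVA_HOME\jre\lib\security\cacerts. Import the CA certificate into it so that the server certificate is trusted: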
keytool -import -file c:\ca.crt -keystore ..\jre\lib\security\cacerts -alias MITCA
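
A check for the settings in steps 1 to 3, as an added example that is not part of the original notes: the hypothetical helpers jmx_opt and audit_jmx_opts flag disabled authentication, disabled SSL, and a password file that group or other can access. It assumes the JDK defaults of authenticate=true and ssl=true when a flag is absent, which is why the step 3 string (no authenticate flag) is not flagged for authentication.

```shell
#!/bin/sh
# Added example: audit a CATALINA_OPTS value for weak JMX remote settings.
P=com.sun.management.jmxremote

# Print the value of -D<key>=<value> from an options string, or a default.
jmx_opt() {  # usage: jmx_opt "<opts>" <key> <default>
    v=$(printf '%s\n' "$1" | tr -d '"' | tr ' ' '\n' |
        sed -n "s|^-D$2=||p" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Print one finding per line; exit status 0 means no findings.
audit_jmx_opts() {
    opts=$1
    rc=0
    # Without a port the remote connector is not started: nothing to audit.
    [ -n "$(jmx_opt "$opts" "$P.port" "")" ] || return 0
    # Assumption stated in the lead-in: both flags default to true if absent.
    if [ "$(jmx_opt "$opts" "$P.authenticate" true)" != true ]; then
        echo "authenticate=false: any client that reaches the port can manage the JVM"
        rc=1
    fi
    if [ "$(jmx_opt "$opts" "$P.ssl" true)" != true ]; then
        echo "ssl=false: credentials and MBean traffic are sent unencrypted"
        rc=1
    fi
    pw=$(jmx_opt "$opts" "$P.password.file" "")
    if [ -n "$pw" ] && [ -e "$pw" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        if [ "$(ls -ld "$pw" | cut -c5-10)" != "------" ]; then
            echo "password file $pw is accessible to group/other: chmod 600"
            rc=1
        fi
    fi
    return $rc
}

# Constructed sample: the option string from step 1 of the notes.
WEAK="-D$P -D$P.port=9001 -D$P.ssl=false -D$P.authenticate=false"
audit_jmx_opts "$WEAK" || echo "-> fix the findings above before exposing port 9001"
```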