线上服务器等保测试爆出系统问题——Java JMX代理不安全配置,一时间摸不到头脑。直到联系到了该问题的检测结构道出了其检测机理。
一、检测机理
所谓“Java JMX代理不安全配置”,是检测发现1099端口被jmxremote启用了,而1099端口正是jmx开启的默认端口。
二、问题定位方法总结
子涵先生对于问题定位的过程就不啰嗦了,本节内容将作一些总结。
1、找出占用端口的进程
[root@iZ1adui04qZ webapps]# netstat -anp|grep 1099
tcp 0 0 0.0.0.0:1099 0.0.0.0:* LISTEN 5325/java
[root@iZ1adui04qZ webapps]# ps -ef|grep java
root 601 32282 0 16:48 pts/1 00:00:00 grep java
root 5325 5323 1 Jul14 ? 00:46:03 /usr/java/jdk/bin/java -Djava.util.logging.config.file=/app/usr/local/tomcat7-sec/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms1024m -Xmx4096m -Xss1024K -XX:PermSize=512m -XX:MaxPermSize=2048m -Djava.endorsed.dirs=/app/usr/local/tomcat7-sec/endorsed -classpath /app/usr/local/tomcat7-sec/bin/bootstrap.jar:/app/usr/local/tomcat7-sec/bin/tomcat-juli.jar -Dcatalina.base=/app/usr/local/tomcat7-sec -Dcatalina.home=/app/usr/local/tomcat7-sec -Djava.io.tmpdir=/app/usr/local/tomcat7-sec/temp org.apache.catalina.startup.Bootstrap start
2、查找对应的配置项
查找该进程中配置有1099端口的文件
[root@iZ1adui04qZ webapps]# grep -rl "1099" ./
./activemq-web-console-5.14.3/WEB-INF/classes/org/apache/activemq/web/config/OsgiConfiguration.class
./activemq-web-console-5.14.3/META-INF/maven/org.apache.activemq/activemq-web-console/pom.xml
至此,1099端口占用的位置就清楚了,是一个旧版本的activeMq的console是启用的。
接下来我们看看这两个文件里究竟有什么东东,以及这两个文件的功能分别是什么?
OsgiConfiguration.class
package org.apache.activemq.web.config;
import java.util.Collection;
import java.util.Dictionary;
import java.util.Hashtable;
import javax.jms.ConnectionFactory;
import javax.management.remote.JMXServiceURL;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.ConfigurationException;
import org.osgi.service.cm.ManagedService;
public class OsgiConfiguration
extends AbstractConfiguration
implements ManagedService
{
private ServiceRegistration service;
private String jmxUrl = "service:jmx:rmi:///jndi/rmi://localhost:1099/karaf-root";
private String jmxUser = "karaf";
private String jmxPassword = "karaf";
private String jmsUrl = "tcp://localhost:61616";
private String jmsUser = "karaf";
private String jmsPassword = "karaf";
public OsgiConfiguration()
{
BundleContext context = FrameworkUtil.getBundle(getClass()).getBundleContext();
Dictionary<String, String> properties = new Hashtable();
properties.put("service.pid", "org.apache.activemq.webconsole");
this.service = context.registerService(ManagedService.class.getName(), this, properties);
}
public String getJmxPassword()
{
return this.jmxPassword;
}
public Collection<JMXServiceURL> getJmxUrls()
{
return makeJmxUrls(this.jmxUrl);
}
public String getJmxUser()
{
return this.jmxUser;
}
public ConnectionFactory getConnectionFactory()
{
return makeConnectionFactory(this.jmsUrl, this.jmsUser, this.jmsPassword);
}
public void updated(Dictionary dictionary)
throws ConfigurationException
{
if (dictionary != null)
{
this.jmxUrl = ((String)dictionary.get("webconsole.jmx.url"));
if (this.jmxUrl == null) {
throw new IllegalArgumentException("A JMS-url must be specified (system property webconsole.jmx.url");
}
this.jmxUser = ((String)dictionary.get("webconsole.jmx.user"));
this.jmxPassword = ((String)dictionary.get("webconsole.jmx.password"));
this.jmsUrl = ((String)dictionary.get("webconsole.jms.url"));
this.jmsUser = ((String)dictionary.get("webconsole.jms.user"));
this.jmsPassword = ((String)dictionary.get("webconsole.jms.password"));
}
}
}
以下内容出现在META-INF/maven/org.apache.activemq/activemq-web-console/pom.xml
中,应该是编译时的默认配置信息:
<!-- enable easy connection to JConsole -->
<systemProperty>
<name>com.sun.management.jmxremote</name>
<value />
</systemProperty>
<!-- Use the following configuration to connect to a remote broker using JMX -->
<systemProperty>
<name>webconsole.type</name>
<value>properties</value>
</systemProperty>
<systemProperty>
<name>webconsole.jms.url</name>
<value>tcp://localhost:61616</value>
</systemProperty>
<systemProperty>
<name>webconsole.jmx.url</name>
<value>service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi</value>
</systemProperty>
3、探索activemq中是如何使用jmx的
- 在activemq.xml中配置jmx
jmx在activemq5.13的版本中的配置
<managementContext>
<managementContext <span style="color:#FF0000;">createConnector="true" connectorPort="1099" connectorHost="192.168.157.128</span>"/>
</managementContext>
- jmx配置开启方式
在avtivemq.xml中有个配置,把useJmx改成false:
<broker brokerName="web-console" useJmx="false" xmlns="http://activemq.apache.org/schema/core">
...忽略具体配置,看broker中的配置即可
</broker>
4、设置关闭,重启服务
重启activemq-web-console后,查看1099端口已经被关闭了。但是,进入wen-console发现队列、消费者、生产者信息均不再可见了。原来,activemq-web-console的监控机制是基于jmx获取数据的。