java - JMX SSL connection without setting javax.net.ssl.trustStore as a system property

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Learn more about Collectives

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Learn more about Teams

I'm trying to protect my JMX connection with SSL, for being able to do that I'm specifying java trust store and key store by setting java system properties, here's the code snippet:

    HashMap<String,Object> env = new HashMap<String,Object>();
    // check if jmx ssl config file exists
    if(checkIfFileExists(JMX_SSL_CONFIG)) {
        String keyStore = null;
        String keyStorePassword = null;
        String trustStore = null;
        String trustStorePassword = null;
        Properties prop = new Properties();
        InputStream input = null;
        input = new FileInputStream(JMX_SSL_CONFIG);
        prop.load(input);
        keyStore = prop.getProperty("javax.net.ssl.keyStore");
        keyStorePassword = prop.getProperty("javax.net.ssl.keyStorePassword");
        trustStore = prop.getProperty("javax.net.ssl.trustStore");
        trustStorePassword = prop.getProperty("javax.net.ssl.trustStorePassword");
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        System.setProperty("javax.net.ssl.keyStore", keyStore);
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
   JMXConnector jmxc = JMXConnectorFactory.connect(url, env);
The problem is that I don't want to set trust store/key store by setting system properties, as it breaks some other thing in my system. I want to somehow pass them via SslRMIClientSocketFactory or maybe SslRMIServerSocketFactory. I know that JMX connection works via RMI call which means that client socket implementation is actually provided by the server, so I have to somehow pass the trust store and key store to server object but cannot find a way do to it.
                You don't need a truststore at all unless the server has a self-signed certificate, or one signed by an unknownCA. Having the server determine the client's truststore doesn't begin to make sense from the security point of view.
– user207421
                Mar 30, 2017 at 15:21
                Well, as they say, self-signed certificates aren't worth the paper they're printed on, especially now that CA-signed certificates are free.
– user207421
                Mar 31, 2017 at 0:34
                Anyway I need it :D I just need to ignore the SslRMIClientSocketFactory provided by the server and use mine
– mdavid
                Mar 31, 2017 at 8:02
                blogger.ziesemer.com/2010/02/… In this article there's described a way to achieve it, but in my case I don't own server implementation I must do the trick only from client side.
– mdavid
                Mar 31, 2017 at 8:14
        Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.