Revision as of 22:33, August 30, 2016 by Sschlich (talk | contribs) (Configuring Cassandra Security)
Jump to: navigation, search

Configuring Cassandra Security

[PRIYA] Lot of formatting needed here. WIP. <TBD> Description here You can follow this procedure to activate the JMX anonymous authentication and see your FS Cassandra nodes status in the FS UI.

[STEVE] When numbered lists get interrupted, better to use HTML notation]

  1. Edit the launcher.xml file and set the following parameter to true:
    -Dcom.sun.management.jmxremote.authenticate=true
  2. If missing, add the following parameter:
    -Dcom.sun.management.jmxremote.password.file=./etc/jmxremote.password
  3. Copy the jmxremote.password.template
    from /jdk_install_location/jre/lib/management/
    to <FS Installation directory>/etc/
    and rename it jmxremote.password
  4. Edit the <FS Installation directory>/etc/jmxremote.password file to add the following username:
    fsadmin yourpassword

[STEVE: Extend the above style to number the remaining steps]

  1. Change the ownership of jmxremote.password to the user you run FS with and change permission to read only

For Linux,
chown fsadmin:fsadmin <FS Installation directory>/etc/jmxremote.password
chmod 400 <FS Installation directory>/etc/jmxremote.password

For Windows,
FLAT file system,
cacls <FS Installation directory>/etc/jmxremote.password /P fsadmin:R or Follow https://docs.oracle.com/javase/8/docs/technotes/guides/management/security-windows.html

  1. Add the FS user with read and write permission to /jdk_install_location/lib/management/jmxremote.access

monitorRole readonly fsadmin readwrite controlRole readwrite \ create javax.management.monitor.,javax.management.timer. \ unregister

  1. Edit your FS configuration and create the following options in the Options tab:

Section jmx username=fsadmin password=yourpassword

<Insert Screenshot>

  1. Start FS. You can see the status of the Cassandra nodes in http://<FS_HOST>:<PORT>/fs/admin#system/cassandra

Cassandra JMX TLS

Cassandra monitoring and management can be done using a Java Management Extensions (JMX) tool. The JMX access must be protected in order to avoid any remote managing on the FS embedded Cassandra. To protect JMX access, edit the launcher.xml file and change the parameters as follows 


<parameter name="jmxport" displayName="jmxport" mandatory="true" hidden="true" readOnly="true">
    <description><![CDATA[JMX related]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="-Dcom.sun.management.jmxremote.port=9192" />
    <validation></validation>
</parameter>
<parameter name="jmxssl" displayName="jmxssl" mandatory="true" hidden="true" readOnly="true">
    <description><<![CDATA[JMX related]]>></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="-Dcom.sun.management.jmxremote.ssl=true" />
    <validation></validation>
</parameter>
<parameter name="jmxauthenticate" displayName="jmxauthenticate" mandatory="true" hidden="true" readOnly="true">
    <description><![CDATA[JMX related]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="-Dcom.sun.management.jmxremote.authenticate=true" />
    <validation></validation>
</parameter>
<parameter name="jmxregistryssl" displayName="jmxregistryssl"  mandatory="true" hidden="true" readOnly="true">
     <description><![CDATA[JMX related]]></description>
     <valid-description><![CDATA[]]></valid-description>
     <effective-description/>
     <format type="string" default="-Dcom.sun.management.jmxremote.registry.ssl=true" />
     <validation></validation>   
 </parameter>


Set up Transport Layer Security (TLS) using the Genesys Security Deployment Guide. Create keystore in <FS Installation directory>/etc/ and upload the custom-generated server certificates to keystore. Refer http://docs.oracle.com/javase/7/docs/technotes/guides/management/toc.html.

Note: If FS HTTPS is enabled already with a server certificate, same keystore and certificate can be used to secure JMX port also.

Then edit and configure JVM options in launcher.xml as captured below. And restart the FS will enable secure JMX connection with embedded Cassandra.

<parameter name="cert_store_file" displayName="javax.net.ssl.trustStore" mandatory="false"> 

   <description><![CDATA[SIP Voicemail Server cert store file]]></description>
   <valid-description><![CDATA[]]></valid-description>
   <effective-description/>
   <format type="string" default="./etc/keystore" />
   <validation></validation>

</parameter> 

<parameter name="cert_store_pass" displayName="javax.net.ssl.trustStorePassword" mandatory="false">
   <description><![CDATA[SIP Voicemail Server cert store password]]></description>
   <valid-description><![CDATA[]]></valid-description>
   <effective-description/>
   <format type="string" default= <trust store password> />
   <validation></validation>   
</parameter>

<parameter name="key_store_file" displayName="javax.net.ssl.keyStore" hidden="true" mandatory="false"> 

   <description><![CDATA[]]></description>
   <valid-description><![CDATA[]]></valid-description>
   <effective-description/>
   <format type="string" default=" ./etc/keystore " />
   <validation></validation>   
</parameter>

<parameter name="key_store_pass" displayName="javax.net.ssl.keyStorePassword" hidden="true" mandatory="false"> 

   <description><![CDATA[]]></description>
   <valid-description><![CDATA[]]></valid-description>
   <effective-description/>
   <format type="string" default= <keystore password> />
   <validation></validation>   
 </parameter>
Comments or questions about this documentation? Contact us for support!