Revision as of 05:53, August 31, 2016 by Sschlich (talk | contribs)

Configuring Cassandra Security

[PRIYA: Lot of formatting needed here. WIP.] <TBD> Description here

Follow this procedure to enable JMX authentication on the FS embedded Cassandra (so that anonymous JMX access is no longer accepted) and to see the status of your FS Cassandra nodes in the FS UI.

[STEVE: When numbered lists get interrupted, better to use HTML notation]

  1. Edit the launcher.xml file and set the following parameter to true:
    -Dcom.sun.management.jmxremote.authenticate=true
  2. If missing, add the following parameter:
    -Dcom.sun.management.jmxremote.password.file=./etc/jmxremote.password
    [STEVE] See my note below (only in Edit mode)
  3. Copy: jmxremote.password.template
    from: /jdk_install_location/jre/lib/management/
    to: <FS Installation directory>/etc/
    then rename it: jmxremote.password
  4. Edit the <FS Installation directory>/etc/jmxremote.password file to add the following username:
    fsadmin yourpassword

[STEVE: Extend the above style to number the remaining steps]

  5. Change the ownership of jmxremote.password to the user that runs FS and make the file read-only for that user:

     For Linux:
       chown fsadmin:fsadmin <FS Installation directory>/etc/jmxremote.password
       chmod 400 <FS Installation directory>/etc/jmxremote.password

     For Windows (FLAT file system):
       cacls <FS Installation directory>/etc/jmxremote.password /P fsadmin:R
     or follow https://docs.oracle.com/javase/8/docs/technotes/guides/management/security-windows.html

  6. Add the FS user with read and write permission to /jdk_install_location/lib/management/jmxremote.access:

     monitorRole   readonly
     fsadmin       readwrite
     controlRole   readwrite \
                   create javax.management.monitor.,javax.management.timer. \
                   unregister

  7. Edit your FS configuration and create the following options in the Options tab:

     Section: jmx
       username=fsadmin
       password=yourpassword

<Insert Screenshot>

  8. Start FS. You can see the status of the Cassandra nodes at http://<FS_HOST>:<PORT>/fs/admin#system/cassandra
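The following script is an added example and is not part of this page or of the FS product. It performs the file-system part of the procedure above (copying the JDK template to jmxremote.password, adding the credential line, restricting ownership and permissions) and then verifies the result the way the JVM does: on Unix the JMX agent refuses to start when jmxremote.password is readable by group or others. It also checks that jmxremote.access grants the JMX user readwrite. All paths, the OS user and the JMX credentials are parameters; the fsadmin name is only the page's own example value.

```shell
#!/bin/sh
# Added example, not part of the original page: performs the password-file,
# ownership and jmxremote.access steps of the procedure above and verifies them.
# The template path, FS installation directory, OS user and JMX credentials are
# all parameters; nothing about the FS layout beyond "<FS dir>/etc/" is assumed.
set -eu

# Copy jmxremote.password.template into <FS dir>/etc/ as jmxremote.password,
# append the "<user> <password>" line and restrict the file to its owner
# (chown + chmod 400, as the Linux step above does).
#   $1 = jmxremote.password.template   $2 = FS installation directory
#   $3 = OS user that runs FS           $4 = JMX user name   $5 = JMX password
setup_jmx_password_file() {
    template="$1"; fs_dir="$2"; owner="$3"; jmx_user="$4"; jmx_pass="$5"
    target="$fs_dir/etc/jmxremote.password"
    if [ -e "$target" ]; then
        echo "$target already exists; refusing to overwrite it" >&2
        return 1
    fi
    mkdir -p "$fs_dir/etc"
    cp "$template" "$target"
    # The JDK template contains only comments, so this becomes the only active entry.
    printf '%s %s\n' "$jmx_user" "$jmx_pass" >> "$target"
    chown "$owner" "$target"
    chmod 400 "$target"
}

# Return 0 when the password file is readable by its owner only and contains an
# entry for the JMX user. The JVM refuses to start the JMX agent on Unix when the
# password file is readable by group or others, so this mirrors that check.
#   $1 = jmxremote.password path   $2 = JMX user name
check_jmx_password_file() {
    f="$1"; jmx_user="$2"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # First 10 characters of ls -l, e.g. "-r--------"; group/other fields must be empty.
    perms=$(ls -l "$f" | cut -c1-10)
    case "$perms" in
        ?r--------|?rw-------) ;;
        *) echo "$f: permissions '$perms' are too open; expected 400 or 600" >&2; return 1 ;;
    esac
    grep -q "^$jmx_user " "$f" || { echo "$f: no entry for '$jmx_user'" >&2; return 1; }
}

# Return 0 when jmxremote.access grants the JMX user readwrite, as the access-file
# step above requires.
#   $1 = jmxremote.access path   $2 = JMX user name
check_jmx_access_file() {
    grep -Eq "^$2[[:space:]]+readwrite" "$1" || { echo "$1: '$2' has no readwrite entry" >&2; return 1; }
}

# Usage: sh this_script.sh <template> <FS dir> <OS user> <JMX user> <JMX password>
if [ "$#" -eq 5 ]; then
    setup_jmx_password_file "$1" "$2" "$3" "$4" "$5"
    check_jmx_password_file "$2/etc/jmxremote.password" "$4"
fi
```

Run it as the FS user (or as root with the FS user as the third argument); the permission check is the same one to repeat after any later edit of the password file, because a single chmod to 644 silently breaks JMX startup.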

Cassandra JMX TLS

Cassandra monitoring and management can be done using a Java Management Extensions (JMX) tool. JMX access must be protected to prevent remote management of the FS embedded Cassandra by anyone other than the intended administrator. To protect JMX access, edit the launcher.xml file and change the parameters as follows:

<parameter name="jmxport" displayName="jmxport" mandatory="true" hidden="true" readOnly="true">
    <description><![CDATA[JMX related]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="-Dcom.sun.management.jmxremote.port=9192" />
    <validation></validation>
</parameter>
<parameter name="jmxssl" displayName="jmxssl" mandatory="true" hidden="true" readOnly="true">
    <description><![CDATA[JMX related]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="-Dcom.sun.management.jmxremote.ssl=true" />
    <validation></validation>
</parameter>
<parameter name="jmxauthenticate" displayName="jmxauthenticate" mandatory="true" hidden="true" readOnly="true">
    <description><![CDATA[JMX related]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="-Dcom.sun.management.jmxremote.authenticate=true" />
    <validation></validation>
</parameter>
<parameter name="jmxregistryssl" displayName="jmxregistryssl" mandatory="true" hidden="true" readOnly="true">
    <description><![CDATA[JMX related]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="-Dcom.sun.management.jmxremote.registry.ssl=true" />
    <validation></validation>
</parameter>


Set up Transport Layer Security (TLS) as described in the Genesys Security Deployment Guide. Create a keystore in <FS Installation directory>/etc/ and import the custom-generated server certificate into that keystore. Refer to http://docs.oracle.com/javase/7/docs/technotes/guides/management/toc.html.

Note: If FS HTTPS is already enabled with a server certificate, the same keystore and certificate can also be used to secure the JMX port.

Then edit the JVM options in launcher.xml as shown below. Restarting FS afterwards enables the secure JMX connection to the embedded Cassandra.

<parameter name="cert_store_file" displayName="javax.net.ssl.trustStore" mandatory="false">
    <description><![CDATA[SIP Voicemail Server cert store file]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="./etc/keystore" />
    <validation></validation>
</parameter>

<parameter name="cert_store_pass" displayName="javax.net.ssl.trustStorePassword" mandatory="false">
    <description><![CDATA[SIP Voicemail Server cert store password]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="<trust store password>" />
    <validation></validation>
</parameter>

<parameter name="key_store_file" displayName="javax.net.ssl.keyStore" hidden="true" mandatory="false">
    <description><![CDATA[]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="./etc/keystore" />
    <validation></validation>
</parameter>

<parameter name="key_store_pass" displayName="javax.net.ssl.keyStorePassword" hidden="true" mandatory="false">
    <description><![CDATA[]]></description>
    <valid-description><![CDATA[]]></valid-description>
    <effective-description/>
    <format type="string" default="<keystore password>" />
    <validation></validation>
</parameter>
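The audit script below is an added example and is not part of this page or of the FS launcher. It reads a launcher.xml in the layout shown in the two excerpts above and reports whether the JMX hardening settings (authentication, TLS on the connector and on the RMI registry, a password file and a keystore) are present, so a deployment can be checked before and after the edits described here. The excerpts express a JVM property in two ways, a default that is itself a -D flag and a displayName naming the property with default as its value; the script accepts both, but how the FS launcher actually maps these parameters to JVM flags is not documented on this page and is an assumption of the script.

```shell
#!/bin/sh
# Added example, not part of the original page: audits a launcher.xml for the JMX
# hardening settings shown above. The mapping from <parameter> elements to JVM
# properties (a -D default, or displayName=default) is an assumption; the FS
# launcher's real behaviour is not documented on this page.
set -eu

# Print every JVM property in the file as "name=value", one per line.  $1 = launcher.xml
extract_jmx_properties() {
    awk '
        /<parameter / {
            if (match($0, /displayName="[^"]*"/)) dn = substr($0, RSTART + 13, RLENGTH - 14)
        }
        /<format / {
            if (match($0, /default="[^"]*"/)) {
                def = substr($0, RSTART + 9, RLENGTH - 10)
                # either "-Dname=value" or displayName (the property) with default as value
                if (def ~ /^-D/) print substr(def, 3); else if (dn != "") print dn "=" def
            }
        }' "$1"
}

# Print the value of one property, or nothing when it is absent.  $1 = launcher.xml, $2 = name
jmx_property() {
    extract_jmx_properties "$1" | awk -F= -v n="$2" '$1 == n { print substr($0, length(n) + 2); exit }'
}

# Return 0 when authentication, TLS on the connector and TLS on the RMI registry are
# all enabled and a password file and keystore are configured; otherwise print each
# finding to stderr and return 1.  $1 = launcher.xml
audit_launcher_jmx() {
    file="$1"; rc=0
    for expected in \
        com.sun.management.jmxremote.authenticate=true \
        com.sun.management.jmxremote.ssl=true \
        com.sun.management.jmxremote.registry.ssl=true
    do
        name=${expected%%=*}; want=${expected#*=}
        got=$(jmx_property "$file" "$name")
        if [ "$got" != "$want" ]; then
            echo "$file: $name is '${got:-unset}', expected '$want'" >&2; rc=1
        fi
    done
    # Authentication without a password file, or TLS without a keystore, leaves the
    # agent unable to start or silently falls back, so both must be named explicitly.
    for required in com.sun.management.jmxremote.password.file javax.net.ssl.keyStore; do
        if [ -z "$(jmx_property "$file" "$required")" ]; then
            echo "$file: $required is not set" >&2; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh this_script.sh <path to launcher.xml>
if [ "$#" -eq 1 ]; then
    audit_launcher_jmx "$1"
fi
```

The script only inspects the file; it does not change it. A non-zero exit with the findings on stderr is the signal that one of the parameters above is missing or still set to false.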