chef-java-management icon indicating copy to clipboard operation
chef-java-management copied to clipboard

verified publisher icon bflad

Metadata

Chef Cookbook for Java Management

trafficstars

chef-java-management Build Status

Description

Cookbook for Java Management and Monitoring (JMX, trusted certificates, SNMP, etc.)

Requirements

Platforms

  • CentOS 6
  • RedHat 6

Cookbooks

Required Opscode Cookbooks

Attributes

These attributes are under the node['java-management'] namespace.

Attribute Description Type Default
enableThreadContentionMonitoring Enables thread contention monitoring Boolean false
group Group for file permissions String bin
owner Owner for file permissions String nobody

JMX Attributes

These attributes are under the node['java-management']['jmxremote'] namespace.

Attribute Description Type Default
access_file Custom JMX access file location String nil
authenticate Require authentication to access JMX Boolean true
local_only Allow local management agent to accept only local connection requests Boolean true
login_config Custom JMX login configuration String nil
password_file Custom JMX password configuration file location String nil
port Port for JMX, required for enabling JMX Fixnum nil
ssl RMI monitoring SSL Boolean true
ssl_config_file RMI monitoring SSL configuration file location String nil
ssl_enabled_cipher_suites Comma-separated list of SSL/TLS cipher suites to enable String nil
ssl_enabled_protocols Comma-separated list of SSL/TLS protocol versions to enable String nil
ssl_need_client_auth Require client authentication for SSL/TLS RMI Server Socket Factory Boolean false
registry_ssl SSL/TLS protected RMI registry Boolean false

SNMP Attributes

These attributes are under the node['java-management']['snmp'] namespace.

Attribute Description Type Default
acl Require ACL for SNMP access Boolean true
acl_file Custom SNMP ACL file location String nil
interface Interface where SNMP agent will bind String "localhost"
port Port for SNMP, required for enabling SNMP Fixnum nil
trap Port for SNMP traps Fixnum 162

Truststore Attributes

These attributes are under the node['java-management']['truststore'] namespace.

Attribute Description Type Default
certificate_files Trusted certificates files Array of Hashes []
data_bag Trusted certificate data bag name String "java_truststore"
storepass Java truststore password String "changeit"

Data Bags

JMX/SNMP Management Encrypted Data Bag

java/management encrypted data bag:

  • ['roles'] - required if you enable default JMX configuration
    • ['name'] - JMX role name
    • ['access'] - "readonly"/"readwrite"
    • ['password'] - password for role
  • ['acls'] - required if you enable default SNMP configuration
    • ['communities'] - array of SNMP community names
    • ['access'] - "read-only"/"read-write"
    • ['managers'] - array of hostnames/CIDR addresses with access
  • ['traps']
    • ['trap-community'] - SNMP trap community name
    • ['hosts'] - array of hostnames/CIDR addresses to send SNMP traps

Truststore Data Bag

node['java-management']['truststore']['data_bag'] data bag (defaults to java_truststore), with data bag items:

  • ['id'] - Trusted certificate alias
  • ['certificate'] - Trusted certificate contents
  • Other options as accepted by truststore_certificate LWRP

Recipes

  • recipe[java-management] Empty recipe for LWRPs
  • recipe[java-management::management] Configures Java JMX and SNMP
  • recipe[java-management::truststore] Configures Java truststore

LWRPs

java_management_truststore_certificate

Import trusted certificate into Java truststore

Attribute Description Type Default
file required Certificate path String N/A
keystore Keystore path String #{node['java']['java_home']}/jre/lib/security/cacerts
keytool keytool path String #{node['java']['java_home']}/jre/bin/keytool
storepass Keystore password String #{node['java-management']['truststore']['storepass']}

Example:

java_management_truststore_certificate "alias" do
  file "/path/to/certificate"
end

Usage

Add Trusted Certificates

If the certificate files are already on the filesystem:

  • Add {certalias => options} to node['java-management']['truststore']['certificate_files']
    • options (as a String) certificate file location
    • options (as a Hash)
      • file required certificate file location
      • Other options accepted by truststore_certificate LWRP

If you'd like to use data bag items (data bag defined by node['java-management']['truststore']['data_bag']):

  • knife data bag create java_truststore my_cert
  • Create at least certificate attribute with certificate contents and save

If you'd like to use the LWRP directly:

java_management_truststore_certificate "alias" do
  file "/path/to/certificate"
end

Password secured remote JMX setup without SSL

  • knife data bag create java
  • knife data bag edit java management --secret-file=path/to/secret
  • Set ['roles'] with at least one role in encrypted data bag
  • Set node['java-management']['local_only'] attribute to false
  • Set node['java-management']['port'] attribute
  • Set node['java-management']['ssl'] attribute to false
  • Add recipe[java-management::management] to run_list
  • Configure JAVA_OPTS to include one of the following:
    • recommended -Dcom.sun.management.config.file (example: =$JAVA_HOME/jre/lib/management/management.properties)
    • -Dcom.sun.management.jmxremote.port
  • Restart Java service and watch for configuration errors

ACL secured remote SNMP

  • knife data bag create java
  • knife data bag edit java management --secret-file=path/to/secret
  • Set ['acls'] with at least one ACL in encrypted data bag
  • Set node['java-management']['interface'] attribute to "0.0.0.0"
  • Set node['java-management']['port'] attribute
  • Add recipe[java-management::management] to run_list
  • Configure JAVA_OPTS to include one of the following:
    • recommended -Dcom.sun.management.config.file (example: =$JAVA_HOME/jre/lib/management/management.properties)
    • -Dcom.sun.management.snmp.port
  • Restart Java service and watch for configuration errors

Testing and Development

Here's how you can quickly get testing or developing against the cookbook thanks to Vagrant and Berkshelf.

vagrant plugin install vagrant-berkshelf
vagrant plugin install vagrant-cachier
vagrant plugin install vagrant-omnibus
git clone git://github.com/bflad/chef-java-management.git
cd chef-java-management
vagrant up BOX # BOX being centos5, centos6, debian7, fedora18, fedora19, fedora20, freebsd9, ubuntu1204, ubuntu1210, ubuntu1304, or ubuntu1310

You can then SSH into the running VM using the vagrant ssh BOX command.

The VM can easily be stopped and deleted with the vagrant destroy command. Please see the official Vagrant documentation for a more in depth explanation of available commands.

Contributing

Please use standard Github pull requests and if possible, in combination with testing on the Vagrant boxes.

License and Author

Author:: Brian Flad ([email protected])

Copyright:: 2012-2013

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Metadata

7
Stars
8
Forks
Watchers

Owner

verified publisher icon bflad

Metadata

Chef Cookbook for Java Management

Back