22 # Default location of this file is $JRE/conf/management/jmxremote.password |
23 # Default location of this file is $JRE/conf/management/jmxremote.password |
23 # You can specify an alternate location by specifying a property in |
24 # You can specify an alternate location by specifying a property in |
24 # the management config file $JRE/conf/management/management.properties |
25 # the management config file $JRE/conf/management/management.properties |
25 # or by specifying a system property (See that file for details). |
26 # or by specifying a system property (See that file for details). |
26 |
27 |
27 |
|
28 ############################################################## |
28 ############################################################## |
29 # File permissions of the jmxremote.password file |
29 # File format of the jmxremote.password file |
30 ############################################################## |
30 ############################################################## |
31 # Since there are cleartext passwords stored in this file, |
|
32 # this file must be readable by ONLY the owner, |
|
33 # otherwise the program will exit with an error. |
|
34 # |
31 # |
35 # The file format for password and access files is syntactically the same |
32 # The file contains multiple lines where each line is blank, |
36 # as the Properties file format. The syntax is described in the Javadoc |
|
37 # for java.util.Properties.load. |
|
38 # Typical password file has multiple lines, where each line is blank, |
|
39 # a comment (like this one), or a password entry. |
33 # a comment (like this one), or a password entry. |
40 # |
34 # |
|
35 # password entry follows the below syntax |
|
36 # role_name W [clearPassword|hashedPassword] |
41 # |
37 # |
42 # A password entry consists of a role name and an associated |
38 # role_name is any string that does not itself contain spaces or tabs. |
43 # password. The role name is any string that does not itself contain |
39 # W = spaces or tabs |
44 # spaces or tabs. The password is again any string that does not |
40 # |
45 # contain spaces or tabs. Note that passwords appear in the clear in |
41 # Passwords can be specified via clear text or via a hash. Clear text password |
46 # this file, so it is a good idea not to use valuable passwords. |
42 # is any string that does not contain spaces or tabs. Hashed passwords must |
|
43 # follow the below format. |
|
44 # hashedPassword = base64_encoded_64_byte_salt W base64_encoded_hash W hash_algorithm |
|
45 # where, |
|
46 # base64_encoded_64_byte_salt = 64 byte random salt |
|
47 # base64_encoded_hash = Hash_algorithm(password + salt) |
|
48 # W = spaces or tabs |
|
49 # hash_algorithm = Algorithm string specified using the format below |
|
50 # https://docs.oracle.com/javase/9/docs/specs/security/standard-names.html#messagedigest-algorithms |
|
51 # This is an optional field. If not specified, SHA3-512 will be assumed. |
|
52 # |
|
53 # If passwords are in clear, they will be overwritten by their hash if all of |
|
54 # the below criteria are met. |
|
55 # * com.sun.management.jmxremote.password.toHashes property is set to true in |
|
56 # management.properties file |
|
57 # * the password file is writable |
|
58 # * the system security policy allows writing into the password file, if a |
|
59 # security manager is configured |
|
60 # |
|
61 # In order to change the password for a role, replace the hashed password entry |
|
62 # with a new clear text password or a new hashed password. If the new password |
|
63 # is in clear, it will be replaced with its hash when a new login attempt is made. |
47 # |
64 # |
48 # A given role should have at most one entry in this file. If a role |
65 # A given role should have at most one entry in this file. If a role |
49 # has no entry, it has no access. |
66 # has no entry, it has no access. |
50 # If multiple entries are found for the same role name, then the last one |
67 # If multiple entries are found for the same role name, then the last one |
51 # is used. |
68 # is used. |
52 # |
69 # |
53 # In a typical installation, this file can be read by anybody on the |
70 # A user generated hashed password file can also be used instead of clear-text |
|
71 # password file. If generated by the user, hashed passwords must follow the |
|
72 # format specified above. |
|
73 # |
|
74 # Caution: It is recommended not to edit the password file while the |
|
75 # agent is running, as edits could be lost if a client connection triggers the |
|
76 # hashing of the password file at the same time that the file is externally modified. |
|
77 # The integrity of the file is guaranteed, but any external edits made to the |
|
78 # file during the short period between the time that the agent reads the file |
|
79 # and the time that it writes it back might get lost |
|
80 |
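
Review bot: The hash definition at new line 47, "base64_encoded_hash = Hash_algorithm(password + salt)", is not precise enough for the user-generated hashed files that new lines 70-72 allow. It does not say which character encoding turns the password into bytes, nor whether the salt fed to the digest is the raw 64 bytes or its base64 text, and new line 46 describes the field only as "64 byte random salt". Please state the exact byte sequence that is hashed so an externally generated entry verifies. Separately, old lines 35-37 said the file uses the syntax of java.util.Properties.load and the new text drops that statement without saying whether escapes and line continuations still apply to role names and clear passwords. If the parser is unchanged, keep the sentence. New lines 53-59 also do not give the default value of com.sun.management.jmxremote.password.toHashes, which decides whether a clear password is rewritten at all. The sentence ending at new line 79 is missing its period.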
|
81 ############################################################## |
|
82 # File permissions of the jmxremote.password file |
|
83 ############################################################## |
|
84 # This file must be made accessible by ONLY the owner, |
|
85 # otherwise the program will exit with an error. |
|
86 # |
|
87 # In a typical installation, this file can be accessed by anybody on the |
54 # local machine, and possibly by people on other machines. |
88 # local machine, and possibly by people on other machines. |
55 # For # security, you should either restrict the access to this file, |
89 # For security, you should either restrict the access to this file except for owner, |
56 # or specify another, less accessible file in the management config file |
90 # or specify another, less accessible file in the management config file |
57 # as described above. |
91 # as described above. |
58 # |
92 # |
59 # Following are two commented-out entries. The "measureRole" role has |
93 # In order to prevent inadverent edits to the password file in the |
60 # password "QED". The "controlRole" role has password "R&D". |
94 # production environment, it is recommended to deploy a read-only |
|
95 # hashed password file. The hashed entries for clear passwords can be generated |
|
96 # in advance by running the JMX agent. |
61 # |
97 # |
62 # monitorRole QED |
|
63 # controlRole R&D |
|
64 |
98 |
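
Review bot: The read-only recommendation at new lines 93-96 does not say what happens to a clear text entry in a file the agent cannot write. By the criteria at new lines 53-59 it would stay in the clear, so the text should say that only entries that are already hashed belong in a read-only file. "The hashed entries for clear passwords can be generated in advance by running the JMX agent" should also point back to the conditions under which the agent rewrites the file (toHashes set to true, file writable, a login attempt made). New lines 84-85 say the program exits unless only the owner can access the file, while new lines 87-88 still say the file "can be accessed by anybody on the local machine" in a typical installation. Please make clear that the second statement describes the file as shipped, before permissions are tightened. Wording: "inadverent" at new line 93 should be "inadvertent", and "restrict the access to this file except for owner" at new line 89 would read better as "restrict access to this file to the owner".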
|
99 ############################################################## |
|
100 # Sample of the jmxremote.password file |
|
101 ############################################################## |
|
102 # Following are two commented-out entries. The "monitorRole" role has |
|
103 # password "QED". The "controlRole" role has password "R&D". This is an example |
|
104 # of specifying passwords in the clear |
|
105 # |
|
106 # monitorRole QED |
|
107 # controlRole R&D |
|
108 # |
|
109 # Once a login attempt is made, passwords will be hashed and the file will have |
|
110 # below entries with clear passwords overwritten by their respective |
|
111 # SHA3-512 hash |
|
112 # |
|
113 # monitorRole trilby APzBTt34rV2l+OMbuvbnOQ4si8UZmfRCVbIY1+fAofV5CkQzXS/FDMGteQQk/R3q1wtt104qImzJEA7gCwl6dw== 4EeTdSJ7X6Imu0Mb+dWqIns7a7QPIBoM3NB/XlpMQSPSicE7PnlALVWn2pBY3Q3pGDHyAb32Hd8GUToQbUhAjA== SHA3-512 |
|
114 # controlRole roHEJSbRqSSTII4Z4+NOCV2OJaZVQ/dw153Fy2u4ILDP9XiZ426GwzCzc3RtpoqNMwqYIcfdd74xWXSMrWtGaA== w9qDsekgKn0WOVJycDyU0kLBa081zbStcCjUAVEqlfon5Sgx7XHtaodbmzpLegA1jT7Ag36T0zHaEWRHJe2fdA== SHA3-512 |
|
115 # |
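
Review bot: The hashed sample for monitorRole at new line 113 carries an extra token, "trilby", between the role name and the salt. It does not fit the syntax given at new lines 36 and 44 (role_name W salt W hash W hash_algorithm), and the controlRole sample at new line 114 has no such token. It looks like a stray word and should be removed so that both samples match the documented format. It would also help to note at new lines 109-111 that the rewrite happens only when the criteria at new lines 53-59 are met, since "Once a login attempt is made, passwords will be hashed" reads as unconditional.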