7.4.2. SSL and Administration Authentication

Tungsten Replicator uses JMX RMI to perform remote administration and obtain information from remote hosts within the dataservice. This communication can be encrypted and authenticated.

To configure this operation, two files are required: one defines the authentication configuration, and the other configures the username/password combinations used to authenticate. These files and configuration are used internally by the system to authenticate.

The authentication configuration defines the users and roles. The file should match the following:

monitorRole   readonly
controlRole   readwrite \
              create javax.management.monitor.*,javax.management.timer.* \
              unregister
tungsten      readwrite \
              create javax.management.monitor.*,javax.management.timer.* \
              unregister

The contents or description of this file must not be changed. Create a file containing this information in your configuration, for example jmxremote.access.

Now a corresponding password configuration must be created using the tpasswd tool. By default, plain-text passwords are generated:

shell> tpasswd -c tungsten password \
    -t rmi_jmx \
    -p ~/password.store \
    -ts truststore.ts -tsp password

To use encrypted passwords, the truststore and truststore password must be supplied so that the certificate can be loaded and used to encrypt the supplied password. The -e option must be specified to encrypt the password:

shell> tpasswd -c tungsten password \
    -t rmi_jmx \
    -p ~/password.store \
    -e \
    -ts truststore.ts -tsp password

This creates a user, tungsten, with the password password in the file ~/password.store.

The password file and the JMX security properties file will be needed during configuration. See Section 7.4.3, “Configuring the Secure Service through tpm”.
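
Before handing these files to tpm, both can be checked from the shell. The script below is an added example, not part of the Tungsten documentation or tooling: it confirms that an access file still defines exactly the three roles listed above, and that the password store (plain text by default) is readable only by its owner. The function names are hypothetical, and the owner-only permission check is a hardening assumption rather than a documented Tungsten requirement.

```shell
#!/bin/sh
# Added example: sanity checks for the JMX access file and the tpasswd store.

# Join backslash-continued lines, drop blanks/comments, collapse whitespace.
normalize_access() {
    awk '
        { sub(/[ \t]+$/, "") }
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
        { line = buf $0; buf = ""
          gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
          if (line != "" && line !~ /^#/) print line }
    ' "$1"
}

# The role definitions from the documentation above, one role per line.
expected_access() {
    cat <<'EOF'
monitorRole readonly
controlRole readwrite create javax.management.monitor.*,javax.management.timer.* unregister
tungsten readwrite create javax.management.monitor.*,javax.management.timer.* unregister
EOF
}

# Succeeds only if the file defines exactly the documented roles
# (layout, continuation style and role order are ignored).
check_access_file() {
    [ "$(normalize_access "$1" | LC_ALL=C sort)" = "$(expected_access | LC_ALL=C sort)" ]
}

# Succeeds only if group and other have no permissions on the file.
# Assumption: the store should be owner-only because it may hold
# plain-text passwords when tpasswd is run without -e.
check_owner_only() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Usage: sh check_jmx_files.sh jmxremote.access ~/password.store
if [ "$#" -eq 2 ]; then
    check_access_file "$1" || echo "WARN: $1 differs from the documented role definitions"
    check_owner_only "$2" || echo "WARN: $2 is accessible to group or other users"
fi
```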