JMX connection to JBoss EAP 7.4 + LDAP is not connected

I am facing a JMX connection issue on JBoss EAP.

My runtime environment (Linux OS): SSL-enabled JBoss EAP 7.4.10.GA running on OpenJDK 11.0.19 (OpenLogic); the management console is secured with an LDAPS server.

JMX client: it works fine when using OpenJDK 12, which is running on the same Linux machine. After upgrading Java from 12 to 17 (OpenJDK Runtime Environment Temurin-17.0.8+70), the JMX connection fails with the exception below.

Note: jboss-cli-client.jar is added to the classpath.

How can I resolve it?

Oct 27, 2023 10:01:31 AM org.xnio.Xnio <clinit>
INFO: XNIO version 3.3.1.Final
Oct 27, 2023 10:01:31 AM org.xnio.nio.NioXnio <clinit>
INFO: XNIO NIO Implementation Version 3.3.1.Final
Oct 27, 2023 10:01:31 AM org.jboss.remoting3.EndpointImpl <clinit>
INFO: JBoss Remoting version 5.0.20.Final
Oct 27, 2023 10:01:31 AM org.jboss.remotingjmx.Util warnDeprecated
WARN: The protocol 'https-remoting-jmx' is deprecated, instead you should use 'remote+https'.
Oct 27, 2023 10:01:31 AM org.jboss.remoting3.remote.RemoteConnection handleException
ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
    at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:114)
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:453)
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:243)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:199)
    at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:113)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
    at ...asynchronous invocation...(Unknown Source)
    at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:272)
    at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:253)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:351)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:335)
    at org.jboss.remotingjmx.RemotingConnector.internalRemotingConnect(RemotingConnector.java:239)
    at org.jboss.remotingjmx.RemotingConnector.internalConnect(RemotingConnector.java:158)
    at org.jboss.remotingjmx.RemotingConnector.connect(RemotingConnector.java:105)
    at java.management/javax.management.remote.JMXConnectorFactory.connect(Unknown Source)
    at JavaInstrumentation$1.run(JavaInstrumentation.java:845)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)

UPDATE

  1. I am able to log in to the JBoss EAP admin console without any issues when running both JDK 12 and 17. I am only facing the JMX client connectivity issue with 17.

  2. JVM OPTIONS used on the server

    JAVA_OPTS: -server -Xlog:gc*:file="/opt/app/logs/eap/gc.log":time,uptimemillis:filecount=5,filesize=3M -Xms4096m -Xmx4096m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=2048m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/app/jboss/Dumps/HeapDumps/ --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED --add-exports=java.desktop/sun.awt=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.url.ldap=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.url.ldaps=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.management/javax.management=ALL-UNNAMED --add-opens=java.naming/javax.naming=ALL-UNNAMED

  3. JVM OPTIONS used on the JMX Client

    [-Xrs, -XX:+SuppressFatalErrorMessage, -Xss2m, -Djavax.xml.soap.SAAJMetaFactory=com.sun.xml.messaging.saaj.soap.SAAJMetaFactoryImpl, -XX:ErrorFile=/dev/null, -XX:HeapDumpPath=/dev/null, -XX:-CreateCoredumpOnCrash, --add-opens=java.management/sun.management=ALL-UNNAMED, --add-opens=java.base/java.lang=ALL-UNNAMED, -Xmx512m, -Dsun.net.inetaddr.ttl=900, -Dhttp.keepAlive=false, -Djdk.http.auth.tunneling.disabledSchemes=, -Doracle.jdbc.timezoneAsRegion=false]

Does anything need to be added on the client side?

There is 1 best solution below

Clients and servers negotiate the cipher to use when they establish a TLS connection. Moving from Java 12 to 17 changed that list.

You can see what your client supports with Ciphers.java provided by Atlassian. Run the script with both JVMs.

Compare that list with the list of ciphers supported by the server with OpenSSL.

If you can, upgrading the server to modern ciphers is the way to go.
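
The comparison described in this answer can be done with a short program like the one below. It is an added example, not part of the original answer and not Atlassian's Ciphers.java; the class name `TlsClientReport` and the optional host and port arguments are assumptions.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

// Added example: prints what this JVM offers in a TLS ClientHello.
// Run it with each client JVM and diff the two outputs.
public class TlsClientReport {

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("enabled protocols = " + Arrays.toString(enabled.getProtocols()));

        // Sorted output so two runs can be compared line by line.
        Set<String> on = new TreeSet<>(Arrays.asList(enabled.getCipherSuites()));
        on.forEach(c -> System.out.println("enabled   " + c));

        // Suites the JVM implements but does not offer by default.
        Set<String> off = new TreeSet<>(Arrays.asList(supported.getCipherSuites()));
        off.removeAll(on);
        off.forEach(c -> System.out.println("disabled  " + c));

        // Optional: handshake with the server (host and port are caller-supplied
        // placeholders). Certificate validation stays on; for a private CA pass
        // -Djavax.net.ssl.trustStore=<path> on the command line.
        if (args.length == 2) {
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                    .createSocket(args[0], Integer.parseInt(args[1]))) {
                s.startHandshake();
                SSLSession session = s.getSession();
                System.out.println("negotiated = " + session.getProtocol()
                        + " / " + session.getCipherSuite());
            } catch (SSLException e) {
                // A protocol or cipher mismatch surfaces here as a handshake failure.
                System.out.println("handshake failed: " + e.getMessage());
            }
        }
    }
}
```

Run it under each JDK with `java TlsClientReport.java <host> <port>` and diff the two outputs; a suite or protocol that appears as enabled on 12 but disabled or missing on 17 is the candidate to check against the server's list.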