0.19.0 does it support SSL for between JMX Server and Prometheus Server #867

Closed
Janardhan78 opened this issue Aug 3, 2023 · 6 comments

Comments

@Janardhan78

Janardhan78 commented Aug 3, 2023

I am trying to use 0.19.0 to set up an SSL connection between the Prometheus server (scraping from the JMX server) and the JMX server. I tried to set up the configuration, but it seems that the configuration below doesn't set up SSL between the Prometheus server and the JMX server. Is the configuration below applicable for an SSL connection between the JMX server and the application exposing JMX metrics?

```yaml
httpServer:
  ssl:
    certificate:
      alias: localhost
    keyStore:
      filename: localhost.pkcs12
      password: changeit
```
@dhoard
Collaborator

dhoard commented Aug 3, 2023

Yes.

Configuration for Prometheus -> (via SSL + basic authentication) -> the JMX exporter:

```yaml
httpServer:
  ssl:
    keyStore:
      filename: localhost.jks
      password: changeit
    certificate:
      alias: localhost
  authentication:
    basic:
      username: Prometheus
      password: secret
```

If you are running the jmx_prometheus_httpserver jar as a standalone application (not recommended) and want the connection from the JMX exporter to your application to use SSL, you have to add additional configuration:

```yaml
ssl: true
```

and add the following system properties:

```
-Djavax.net.ssl.keyStore=/home/user/.keystore
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=/home/user/.truststore
-Djavax.net.ssl.trustStorePassword=changeit
```

The integration test suite has a lot of examples of various configuration scenarios:

https://github.com/prometheus/jmx_exporter/tree/main/integration_test_suite/integration_tests/src/test/resources/io/prometheus/jmx/test

@Janardhan78
Author

Janardhan78 commented Aug 9, 2023

Hi,
I tried to configure it with the configuration below for accessing metrics using SSL:

```yaml
httpServer:
  ssl:
    keyStore:
      filename: localhost.jks
      password: changeit
    certificate:
      alias: localhost
```

I was using curl to access the metrics from the JMX server, and I observed that the hostname provided in the curl request should match the CN in the JMX server's server certificate, else we get an SSL_ERROR_BAD_CERT_DOMAIN error.

It would be helpful if we could get trust store support at the JMX server end, so that we can have CA certificates stored in the JMX server which could be used for validation. Please let me know your thoughts.

@dhoard
Collaborator

dhoard commented Aug 9, 2023

Can you provide the curl command you are using to access the JMX exporter?

@Janardhan78
Author

I have port forwarded to the port number and am accessing it from localhost.

```shell
curl -v --request GET --url https://localhost:/metrics --cert ./tls.crt --key ./tls.key --cacert ./clientcacertbundle.pem
```

@dhoard
Collaborator

dhoard commented Aug 9, 2023

Adding support for trust store configuration will not solve this issue.

Curl is reporting that the certificate being presented (which comes from your keystore) isn't trusted or the CN doesn't match what was used.

You have 3 options:

  1. have the client (curl in this example) ignore the certificate. (The Prometheus scrape target would have to be configured the same way.)

  2. use a keystore with a valid certificate (not self-signed) and have your client use a fully qualified domain name that matches the certificate CN. You could also use a wildcard certificate, but the client would still need to use a fully qualified domain name.

  3. use a keystore with a self-signed fully qualified CN. Import the certificate into the client's trust store.
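The three options above and the SSL_ERROR_BAD_CERT_DOMAIN observation earlier in the thread both come down to the hostname check a TLS client (curl, the Prometheus scraper) runs against the server certificate before it trusts the scrape target. The following Python is an added example and not code from jmx_exporter or from anyone in this thread: it reproduces that check over certificate data in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificates are constructed for illustration, and the function covers only name matching, not chain validation against a CA bundle, which is the separate step a trust store serves.

```python
"""Server-certificate hostname check as a TLS client (curl, the Prometheus
scraper) applies it before trusting a scrape target.

Added example; not jmx_exporter code. Certificates are given in the dict shape
Python's ssl.SSLSocket.getpeercert() returns. All sample certificates below are
constructed for illustration.
"""
import ipaddress


def _san_entries(cert, kind):
    """All subjectAltName values of one kind ("DNS" or "IP Address")."""
    return [value for (key, value) in cert.get("subjectAltName", ()) if key == kind]


def _common_name(cert):
    """The subject CN, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style DNS-ID match: case-insensitive; a wildcard is accepted only
    as the entire left-most label, needs at least two labels after it, and never
    matches more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _is_ip_literal(hostname):
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def hostname_matches(cert, hostname):
    """Return (ok, reason) for scraping `hostname` against `cert`.

    An IP literal must appear as an "IP Address" SAN. A DNS name is checked
    against the DNS SANs; only when the certificate carries no DNS SAN at all
    does the check fall back to the subject CN (legacy behaviour that modern
    clients are increasingly dropping)."""
    if _is_ip_literal(hostname):
        wanted = ipaddress.ip_address(hostname)
        for ip in _san_entries(cert, "IP Address"):
            if ipaddress.ip_address(ip) == wanted:
                return True, f"{hostname} matches IP SAN {ip}"
        return False, f"{hostname} is not an IP SAN of the certificate (bad-cert-domain)"

    names, source = _san_entries(cert, "DNS"), "DNS SAN"
    if not names:
        cn = _common_name(cert)
        names, source = ([cn] if cn else []), "CN"
    for name in names:
        if _dns_name_matches(name, hostname):
            return True, f"{hostname} matches {source} {name}"
    return False, f"{hostname} matches no {source} in {names} (bad-cert-domain)"


# Constructed sample: self-signed keystore certificate whose only name is the CN,
# the situation behind the SSL_ERROR_BAD_CERT_DOMAIN report when curl uses localhost.
CERT_CN_ONLY = {"subject": ((("commonName", "jmx.example.internal"),),)}

# Constructed sample: certificate with DNS and IP SANs, so it also serves a
# port-forwarded scrape via localhost / 127.0.0.1.
CERT_WITH_SAN = {
    "subject": ((("commonName", "jmx.example.internal"),),),
    "subjectAltName": (("DNS", "jmx.example.internal"), ("DNS", "localhost"),
                       ("IP Address", "127.0.0.1")),
}

# Constructed sample: wildcard certificate, which still requires a fully
# qualified name on the client side.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.internal"),),),
    "subjectAltName": (("DNS", "*.example.internal"),),
}


if __name__ == "__main__":
    for label, cert, host in [
        ("CN-only cert, scraped as localhost", CERT_CN_ONLY, "localhost"),
        ("CN-only cert, scraped by FQDN", CERT_CN_ONLY, "jmx.example.internal"),
        ("SAN cert, scraped as localhost", CERT_WITH_SAN, "localhost"),
        ("SAN cert, scraped by IP", CERT_WITH_SAN, "127.0.0.1"),
        ("wildcard cert, scraped by FQDN", CERT_WILDCARD, "jmx.example.internal"),
        ("wildcard cert, two labels deep", CERT_WILDCARD, "a.jmx.example.internal"),
    ]:
        ok, reason = hostname_matches(cert, host)
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {reason}")
```

In these terms, option 2 is `CERT_WITH_SAN` or `CERT_WILDCARD` with a client that scrapes by fully qualified name; option 3 is the same name check with the self-signed certificate additionally imported into the client's trust store; option 1 switches the check off entirely. When the exporter is reached through a port-forward as `localhost` or `127.0.0.1`, the certificate in the keystore has to carry that name or address as a SAN, since an IP literal is never matched against the CN.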

@dhoard
Collaborator

dhoard commented Apr 25, 2024

Closing due to inactivity.

2 participants