# ----------------------------------------------------------------------
#           Template for jmxremote.password
#
# o Copy this template to jmxremote.password
# o Set the user/password entries in jmxremote.password
# o Change the permission of jmxremote.password to be accessible
#   only by the owner.
# o The jmxremote.password file will be re-written by the server
#   to replace all plain text passwords with hashed passwords when
#   the file is read by the server.
#

##############################################################
#        Password File for Remote JMX Monitoring
##############################################################
#
# Password file for Remote JMX API access to monitoring.  This
# file defines the different roles and their passwords.  The access
# control file (jmxremote.access by default) defines the allowed
# access for each role.  To be functional, a role must have an entry
# in both the password and the access files.
#
# Default location of this file is $JRE/conf/management/jmxremote.password
# You can specify an alternate location by specifying a property in
# the management config file $JRE/conf/management/management.properties
# or by specifying a system property (See that file for details).

##############################################################
#    File format of the jmxremote.password file
##############################################################
#
# The file contains multiple lines where each line is blank,
# a comment (like this one), or a password entry.
#
# A password entry follows the syntax below
#   role_name W [clearPassword|hashedPassword]
#
# role_name is any string that does not itself contain spaces or tabs.
# W = spaces or tabs
#
# Passwords can be specified using clear text or via a hash. A clear text
# password is any string that does not contain spaces or tabs. Hashed
# passwords must follow the format below.
# hashedPassword = base64_encoded_salt W base64_encoded_hash W hash_algorithm
# where,
#   base64_encoded_hash = Hash_algorithm(password + salt)
#   W = spaces or tabs
#   hash_algorithm = Algorithm string specified using format below
#       https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest
#       MD5, SHA-1 and SHA-256 are supported algorithms.
#       This is an optional field. If not specified SHA-256 will be assumed.
#
# If passwords are in clear, they will be over-written by their hash if all of
# the below criteria are met.
#   * com.sun.management.jmxremote.password.hashpasswords property is set to true in
#     management.properties file
#   * the password file is writable
#   * the system security policy allows writing into the password file, if a
#     security manager is configured
#
# In order to change password for a role, replace the hashed password entry
# with the clear text password or the new hashed password. If the new password
# is in clear, it will be replaced with its hash when a new login attempt is made.
#
# A given role should have at most one entry in this file.  If a role
# has no entry, it has no access.
# If multiple entries are found for the same role name, then the last one
# is used.
#
# A user generated hashed password file can also be used instead of clear-text
# password file. If generated by user, hashed passwords must follow
# format specified above.

##############################################################
#    File permissions of the jmxremote.password file
##############################################################
# This file must be made accessible by ONLY the owner,
# otherwise the program will exit with an error.
#
# In a typical installation, this file can be accessed by anybody on the
# local machine, and possibly by people on other machines.
# For security, you should either restrict the access to this file except for owner,
# or specify another, less accessible file in the management config file
# as described above.
#

##############################################################
#    Sample of the jmxremote.password file
##############################################################
# Following are two commented-out entries.  The "measureRole" role has
# password "QED".  The "controlRole" role has password "R&D". This is an
# example of specifying passwords in clear
#
#   monitorRole  QED
#   controlRole  R&D
#
# Once a login attempt is made, passwords will be hashed and the file will have
# below entries with clear passwords overwritten by their respective
# SHA-256 hash
#
#   monitorRole 818kn2GKCT1IqMKnJhwtmow8v/9cv++8bJbhjO+ugX0= WqoaqEAVub/PenLY2wxLMLCdPRa+rFCWCWM0Zh/wR38= SHA-256
#   controlRole ALO98BOPW9rqvvtzzn7Lx7Q2uNWZdUf9PtY0g9aQ5lk= yobRA/4ygyJQTE2gEe4xQdYu7IexBHl0SSP9mEHFFhA= SHA-256
#
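
# Added example, not part of the JDK template: a Python audit of a jmxremote.password
# file against the format, duplicate-role and owner-only permission rules above.
# The function names, the choice to report MD5 and SHA-1 as weak, and the sample
# input are assumptions made for this example; the permission check assumes POSIX mode bits.

```python
import base64
import binascii
import stat

SUPPORTED = {"MD5", "SHA-1", "SHA-256"}  # algorithms the template lists
WEAK = {"MD5", "SHA-1"}                  # assumption: report these as findings

def _is_b64(s):
    try:
        base64.b64decode(s, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def audit_entries(text):
    """Return (effective, findings); effective maps role -> 'clear' or algorithm."""
    effective, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()            # W = spaces or tabs
        if not fields or fields[0].startswith("#"):
            continue                     # blank line or comment
        role = fields[0]
        if role in effective:
            findings.append((n, role, "duplicate role; last entry wins"))
        if len(fields) == 2:             # role_name W clearPassword
            effective[role] = "clear"
            findings.append((n, role, "clear-text password"))
        elif len(fields) in (3, 4) and _is_b64(fields[1]) and _is_b64(fields[2]):
            # role_name W salt W hash [W algorithm]; SHA-256 assumed if omitted
            alg = fields[3] if len(fields) == 4 else "SHA-256"
            effective[role] = alg
            if alg not in SUPPORTED:
                findings.append((n, role, "unsupported algorithm " + alg))
            elif alg in WEAK:
                findings.append((n, role, "weak hash algorithm " + alg))
        else:
            findings.append((n, role, "malformed entry"))
    return effective, findings

def mode_is_owner_only(mode):
    """True when no group or other permission bits are set (e.g. 0o600)."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

# Constructed sample: the salts and hashes are placeholders, not real credentials.
SAMPLE = "\n".join([
    "# constructed sample for the audit",
    "monitorRole QED",
    "controlRole ALO98BOPW9rqvvtzzn7Lx7Q2uNWZdUf9PtY0g9aQ5lk= "
    "yobRA/4ygyJQTE2gEe4xQdYu7IexBHl0SSP9mEHFFhA= SHA-256",
    "monitorRole c2FsdA== aGFzaA== MD5",
])
```

# To check a file on disk, pass os.stat(path).st_mode to mode_is_owner_only and the
# file's text to audit_entries.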