Enabling remote JMX with password authentication only

Some JVMs include built-in support for JMX password authentication.

For example, with the Oracle Java Development Kit (JDK), authentication is enabled by default, and it is possible to specify a properties file that contains usernames and passwords. The properties file syntax is the same as for other Java properties files.

Note: When authentication is enabled and a Java Security Manager is installed, additional permissions may need to be granted to users in the security policy used. See Fine-grained authorization using a security policy for details.

For example, you could create a password file called jmxremote.password:

## Defining two "roles", each with its own password
monitorRole  derbym
controlRole  derby

The security of the password file relies on your file system's access control mechanisms. The file must be readable by the owner only. Also, you may need to change the permissions on the password file to be readable only by the user who starts the server. To do this on Windows (NTFS), use a command like the following:

cacls jmxremote.password /P username:R

Note: FAT file systems do not support this feature.

The following example starts the Network Server on the command line with built-in JMX password authentication enabled. SSL is disabled, meaning that JMX information, including user names and passwords most likely will be transferred unprotected on the computer network. The command line appears on multiple lines to improve readability, but you would enter it as a single java command.

Important: It is not recommended to disable SSL in production environments.

java -Dcom.sun.management.jmxremote.port=9999
-Dcom.sun.management.jmxremote.ssl=false 
-Dcom.sun.management.jmxremote.password.file=jmxremote.password
-jar lib/derbyrun.jar server start