Setting Up JMX Authentication for GemFire Management and Monitoring

To force JMX clients such as gfsh and GemFire Pulse to authenticate into the GemFire management system, you must configure the JMX Manager node.

By default, the JMX manager allows clients without credentials to connect. To set up JMX authentication for the management system:
  1. Verify that the jmx-manager GemFire property is set to true on any node that you want to be able to become a JMX Manager and authenticate clients. If this property is set to false or not specified, then all other jmx-manager-* properties are ignored.
  2. Create a password file that contains entries for the user names and passwords you want to grant access to GemFire's management and monitoring system. For example:
    #the gemfiremonitor user has password Abc!@#
    #the gemfiremanager user has password 123Gh2!
    gemfiremonitor Abc!@#
    gemfiremanager 123Gh2!
  3. On each of your JMX Manager-enabled nodes, set the GemFire property jmx-manager-password-file to the name of the file you created in step 2. This will require clients to authenticate when connecting to a JMX Manager node in GemFire.
  4. If you wish to further restrict access to system operations, you can also set up an access file for the JMX Manager. The access file indicates whether the users listed in the password file have the ability to read system MBeans (monitor the system) or whether they can additionally modify MBeans (perform operations). For example, you can define the following:
    #the gemfiremonitor user has readonly access
    #the gemfiremanager user has readwrite access
    gemfiremonitor readonly
    gemfiremanager readwrite
  5. On each of your JMX Manager-enabled nodes, set the GemFire property jmx-manager-access-file to the name of the file you created in step 4. This will associate MBean permissions with the users who authenticate to the JMX Manager node in GemFire.
  6. If desired, enable SSL for your JMX Manager connections. To enable SSL, make sure the jmx-manager-port property is set to a non-zero value and set the jmx-manager-ssl property to true. Then configure all other SSL-related GemFire properties as described in Implementing SSL.
    Note: The GemFire property ssl-enabled does not apply to the JMX Manager. Use the jmx-manager-ssl property instead.
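
The following pre-deployment check for steps 1 through 6 is an added example, not part of GemFire or its documentation. It reads one node's properties file and cross-checks the password and access files; the file names, the owner-only permission check (POSIX modes), and the parsing of entries as "name value" pairs with # comments are assumptions of this example.

```python
import os, stat, tempfile

def load(path, sep=" "):
    """Parse 'name<sep>value' lines; '#' lines are comments."""
    out = {}
    with open(path, encoding="utf-8") as fh:
        for line in map(str.strip, fh):
            if line and not line.startswith("#"):
                name, _, value = line.partition(sep)
                out[name.strip()] = value.strip()
    return out

def audit(props_path):
    """Return findings for one node's GemFire properties file."""
    p, out = load(props_path, "="), []
    if p.get("jmx-manager", "").lower() != "true":
        return ["jmx-manager is not true: other jmx-manager-* properties are ignored"]
    if not (pw := p.get("jmx-manager-password-file")):
        return ["jmx-manager-password-file unset: clients connect without credentials"]
    # Hardening check added here (POSIX modes), not a requirement stated on the page.
    if stat.S_IMODE(os.stat(pw).st_mode) & 0o077:
        out.append("password file is accessible to group/others")
    users, acc = load(pw), p.get("jmx-manager-access-file")
    for user, level in (load(acc).items() if acc else ()):
        if level not in ("readonly", "readwrite"):
            out.append(f"{user}: unknown access level {level!r}")
        if user not in users:
            out.append(f"{user}: in access file but not in password file")
    if p.get("jmx-manager-ssl", "").lower() != "true":
        out.append("jmx-manager-ssl is not true: JMX connections do not use SSL")
    elif p.get("jmx-manager-port") == "0":
        out.append("jmx-manager-ssl is true but jmx-manager-port is 0")
    return out

def demo(pw_mode=0o600, access="gemfiremonitor readonly\ngemfiremanager readwrite\n"):
    """Write constructed sample files (hypothetical names) to a temp dir and audit them."""
    d = tempfile.mkdtemp()
    pw, acc, props = (os.path.join(d, n) for n in ("jmx.password", "jmx.access", "gemfire.properties"))
    files = {pw: "gemfiremonitor Abc!@#\ngemfiremanager 123Gh2!\n", acc: access,
             props: "jmx-manager=true\njmx-manager-ssl=true\n"
                    f"jmx-manager-password-file={pw}\njmx-manager-access-file={acc}\n"}
    for path, text in files.items():
        with open(path, "w") as fh:
            fh.write(text)
    os.chmod(pw, pw_mode)
    return audit(props)

if __name__ == "__main__":
    print(demo(), demo(0o644, "gemfiremonitor readonly\nauditor admin\n"), sep="\n")
```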

For more information on the format of the password and access file, see