| # ---------------------------------------------------------------------- |
| # Template for jmxremote.password |
| # |
| # o Copy this template to jmxremote.password |
| # o Set the user/password entries in jmxremote.password |
| # o Change the permission of jmxremote.password to be accessible |
| # only by the owner. |
| # o The jmxremote.passwords file will be re-written by the server |
| # to replace all plain text passwords with hashed passwords when |
| # the file is read by the server. |
| # |
| |
| ############################################################## |
| # Password File for Remote JMX Monitoring |
| ############################################################## |
| # |
| # Password file for Remote JMX API access to monitoring. This |
| # file defines the different roles and their passwords. The access |
| # control file (jmxremote.access by default) defines the allowed |
| # access for each role. To be functional, a role must have an entry |
| # in both the password and the access files. |
| # |
| # Default location of this file is $JRE/conf/management/jmxremote.password |
| # You can specify an alternate location by specifying a property in |
| # the management config file $JRE/conf/management/management.properties |
| # or by specifying a system property (See that file for details). |
| |
| ############################################################## |
| # File format of the jmxremote.password file |
| ############################################################## |
| # |
| # The file contains multiple lines where each line is blank, |
| # a comment (like this one), or a password entry. |
| # |
| # password entry follows the below syntax |
| # role_name W [clearPassword|hashedPassword] |
| # |
| # role_name is any string that does not itself contain spaces or tabs. |
| # W = spaces or tabs |
| # |
| # Passwords can be specified via clear text or via a hash. Clear text password |
| # is any string that does not contain spaces or tabs. Hashed passwords must |
| # follow the below format. |
| # hashedPassword = base64_encoded_64_byte_salt W base64_encoded_hash W hash_algorithm |
| # where, |
| # base64_encoded_64_byte_salt = 64 byte random salt |
| # base64_encoded_hash = Hash_algorithm(password + salt) |
| # W = spaces or tabs |
| # hash_algorithm = Algorithm string specified using the format below |
| # https://docs.oracle.com/javase/9/docs/specs/security/standard-names.html#messagedigest-algorithms |
| # This is an optional field. If not specified, SHA3-512 will be assumed. |
| # |
| # If passwords are in clear, they will be overwritten by their hash if all of |
| # the below criteria are met. |
| # * com.sun.management.jmxremote.password.toHashes property is set to true in |
| # management.properties file |
| # * the password file is writable |
| # * the system security policy allows writing into the password file, if a |
| # security manager is configured |
| # |
| # In order to change the password for a role, replace the hashed password entry |
| # with a new clear text password or a new hashed password. If the new password |
| # is in clear, it will be replaced with its hash when a new login attempt is made. |
| # |
| # A given role should have at most one entry in this file. If a role |
| # has no entry, it has no access. |
| # If multiple entries are found for the same role name, then the last one |
| # is used. |
| # |
| # A user generated hashed password file can also be used instead of clear-text |
| # password file. If generated by the user, hashed passwords must follow the |
| # format specified above. |
| # |
| # Caution: It is recommended not to edit the password file while the |
| # agent is running, as edits could be lost if a client connection triggers the |
| # hashing of the password file at the same time that the file is externally modified. |
| # The integrity of the file is guaranteed, but any external edits made to the |
| # file during the short period between the time that the agent reads the file |
| # and the time that it writes it back might get lost |
| |
| ############################################################## |
| # File permissions of the jmxremote.password file |
| ############################################################## |
| # This file must be made accessible by ONLY the owner, |
| # otherwise the program will exit with an error. |
| # |
| # In a typical installation, this file can be accessed by anybody on the |
| # local machine, and possibly by people on other machines. |
| # For security, you should either restrict the access to this file except for owner, |
| # or specify another, less accessible file in the management config file |
| # as described above. |
| # |
| # In order to prevent inadverent edits to the password file in the |
| # production environment, it is recommended to deploy a read-only |
| # hashed password file. The hashed entries for clear passwords can be generated |
| # in advance by running the JMX agent. |
| # |
| |
| ############################################################## |
| # Sample of the jmxremote.password file |
| ############################################################## |
| # Following are two commented-out entries. The "monitorRole" role has |
| # password "QED". The "controlRole" role has password "R&D". This is an example |
| # of specifying passwords in the clear |
| # |
| # monitorRole QED |
| # controlRole R&D |
| # |
| # Once a login attempt is made, passwords will be hashed and the file will have |
| # below entries with clear passwords overwritten by their respective |
| # SHA3-512 hash |
| # |
| # monitorRole trilby APzBTt34rV2l+OMbuvbnOQ4si8UZmfRCVbIY1+fAofV5CkQzXS/FDMGteQQk/R3q1wtt104qImzJEA7gCwl6dw== 4EeTdSJ7X6Imu0Mb+dWqIns7a7QPIBoM3NB/XlpMQSPSicE7PnlALVWn2pBY3Q3pGDHyAb32Hd8GUToQbUhAjA== SHA3-512 |
| # controlRole roHEJSbRqSSTII4Z4+NOCV2OJaZVQ/dw153Fy2u4ILDP9XiZ426GwzCzc3RtpoqNMwqYIcfdd74xWXSMrWtGaA== w9qDsekgKn0WOVJycDyU0kLBa081zbStcCjUAVEqlfon5Sgx7XHtaodbmzpLegA1jT7Ag36T0zHaEWRHJe2fdA== SHA3-512 |
| # |