Reputation: 3015
I am trying to connect to an application remotely using jconsole. Without SSL my configuration works with no issues.
I have created a public key on the server I wish to access:
sudo keytool -keystore broker.ks -alias broker -genkey -keyalg RSA
I have then exported the certificate:
sudo keytool -export -alias broker -keystore broker.ks -file broker_cert.crt
Client side I create a trust store and import the certificate:
keytool -import -alias broker -keystore broker.ts -file broker_cert.crt
I then launch my broker server side as follows:
java \
-Xms1024M \
-Xmx1024M \
-Dcom.sun.management.jmxremote.port=1099 \
-Dcom.sun.management.jmxremote.password.file=/etc/activemq/jmx.password \
-Dcom.sun.management.jmxremote.access.file=/etc/activemq/jmx.access \
-Dcom.sun.management.jmxremote \
-jar broker.jar \
-Djavax.net.ssl.keyStore=/etc/activemq/broker.ks \
-Djavax.net.ssl.keyStorePassword=password
As I mentioned, the password configuration works properly as I am able to connect when setting jmxremote.ssl to false.
Client side I then launch jconsole like so:
jconsole -J-Djavax.net.ssl.trustStore=/etc/activemq/broker.ts -J-Djavax.net.ssl.trustStorePassword=password -J-Djava.util.logging.config.file=/etc/activemq/logging.properties
When trying to connect to the server the logs give me the following error:
failed to connect: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
To elaborate on this, my certificates are definitely set up correctly. Server side I can do in /etc/activemq:
keytool -list -keystore broker.ks
And receive:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
broker, 01-May-2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 30:55:60:4A:B5:85:D0:C5:2C:E9:DD:AD:1E:92:BE:6E
Client side in /etc/activemq I can type:
keytool -list -keystore broker.ks
And receive:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
broker, May 3, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 30:55:60:4A:B5:85:D0:C5:2C:E9:DD:AD:1E:92:BE:6E
As you can see the certificate fingerprints match. What is even more frustrating is that when I start jconsole, I can put a completely bogus path in -J-Djavax.net.ssl.trustStore=<boguspathhere>
yet I receive exactly the same error as when I put the correct one, which is /etc/activemq/broker.ts.
I would expect the logs to at least tell me whether it has found the trust store or not! Instead of just giving
failed to connect: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
grrrr
Upvotes: 3
Views: 6411
Reputation: 3015
Well, the mystery has been solved and has been stupidity on my part:
java \
-Xms1024M \
-Xmx1024M \
-Dcom.sun.management.jmxremote.port=1099 \
-Dcom.sun.management.jmxremote.password.file=/etc/activemq/jmx.password \
-Dcom.sun.management.jmxremote.access.file=/etc/activemq/jmx.access \
-Dcom.sun.management.jmxremote \
-jar broker.jar \
-Djavax.net.ssl.keyStore=/etc/activemq/broker.ks \
-Djavax.net.ssl.keyStorePassword=password
The last two system property arguments get ignored because -jar broker.jar is run before them. To fix this, all I needed to do was write:
java \
-Xms1024M \
-Xmx1024M \
-Dcom.sun.management.jmxremote.port=1099 \
-Dcom.sun.management.jmxremote.password.file=/etc/activemq/jmx.password \
-Dcom.sun.management.jmxremote.access.file=/etc/activemq/jmx.access \
-Dcom.sun.management.jmxremote \
-Djavax.net.ssl.keyStore=/etc/activemq/broker.ks \
-Djavax.net.ssl.keyStorePassword=password \
-jar broker.jar
Doh!
Upvotes: 3
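The root cause above is a generic pitfall: the JVM stops reading its own options at `-jar <file>`, and everything after that is handed to the application's main() as program arguments, so a `-Djavax.net.ssl.keyStore` placed there is silently dropped and the JMX listener comes up without the intended keystore. The script below is an added example (it is not code from the question, the answer, or ActiveMQ) that lints a java launch line for exactly this mistake: it reports every `-D`/`-X` option that appears after `-jar`. The function names `misplaced_jvm_options` and `check_java_cmd` and the two sample command lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: lint a java command line and
# report JVM options (-D..., -X...) that appear after "-jar <file>".
# The JVM stops parsing its own options at "-jar <file>"; later tokens are
# passed to the application's main(), so system properties placed there
# never reach the JVM. Assumed/hypothetical function names below.

# Usage: misplaced_jvm_options "<command line>"
# Prints the misplaced JVM options, one per line (empty output = OK).
misplaced_jvm_options() {
    # Subshell with globbing off so tokens are never expanded as patterns.
    (
        set -f
        seen_jar=0
        skip_next=0
        for tok in $1; do
            if [ "$skip_next" -eq 1 ]; then
                # This token is the jar file name that follows -jar.
                skip_next=0
                continue
            fi
            if [ "$seen_jar" -eq 0 ]; then
                if [ "$tok" = "-jar" ]; then
                    seen_jar=1
                    skip_next=1
                fi
                continue
            fi
            # Anything after "-jar <file>" is a program argument; a JVM
            # option here is a misconfiguration.
            case "$tok" in
                -D*|-X*) printf '%s\n' "$tok" ;;
            esac
        done
    )
}

# Returns 0 if no JVM option follows -jar, 1 otherwise.
check_java_cmd() {
    [ -z "$(misplaced_jvm_options "$1")" ]
}

# Constructed samples: the broken and the fixed launch lines from the
# question, flattened onto one line (backslash continuations removed).
BROKEN='java -Xms1024M -Xmx1024M -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote -jar broker.jar -Djavax.net.ssl.keyStore=/etc/activemq/broker.ks -Djavax.net.ssl.keyStorePassword=password'
FIXED='java -Xms1024M -Xmx1024M -Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote -Djavax.net.ssl.keyStore=/etc/activemq/broker.ks -Djavax.net.ssl.keyStorePassword=password -jar broker.jar'

# Demo when run directly: ./lint_java_cmd.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for cmd in "$BROKEN" "$FIXED"; do
        if check_java_cmd "$cmd"; then
            printf 'OK: all JVM options precede -jar\n'
        else
            printf 'WARNING: JVM options after -jar are ignored by the JVM:\n'
            misplaced_jvm_options "$cmd"
        fi
    done
fi
```

Run against the broken line it prints the two `-Djavax.net.ssl.*` properties as ignored; against the fixed line it prints nothing. Because a dropped keystore property does not fail the launch, this kind of check on the service's start-up command (or on the running process's command line via `ps`) is the quickest way to confirm that the TLS settings you think you configured actually reached the JVM.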