Fixes SSL failure to connect using proxy or .war

[jc-roman]

Adds SSL-RMI support when the javax.net.ssl.trustStore system property is defined and fixes error "java.rmi.ConnectIOException: non-JRMP server at remote endpoint. Tested with tomcat 9 by mounting build .war file.

Resolves #109 - Add SSL support for the JSR-160 proxy

[rhuss]

Thanks for the PR ! I don't know about the concrete issue but it looks reasonable to me (i.e. to switch to SSL communication when a trust store is set). Is the presence of a trustStore the only indicator to use SSL for RMI communication or is there a more direct property ?

PR looks good with some minor cosmetic suggestion.

[jc-roman]

@rhuss,

Thanks for the PR ! I don't know about the concrete issue but it looks reasonable to me (i.e. to switch to SSL communication when a trust store is set). Is the presence of a trustStore the only indicator to use SSL for RMI communication or is there a more direct property ?

For my specific use case with Cassandra's default JMX configs, here's the server side settings:

    -Dcom.sun.management.jmxremote.ssl=true
    -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
    -Dcom.sun.management.jmxremote.registry.ssl=true
    -Djavax.net.ssl.keyStore=/etc/cassandra/certstore/client_certstore/keystore.jks
    -Djavax.net.ssl.keyStorePassword=cassandra
    -Djavax.net.ssl.trustStore=/etc/cassandra/certstore/client_certstore/truststore.jks
    -Djavax.net.ssl.trustStorePassword=cassandra

Using Jolokia in Proxy mode with tomcat, this is the minimal required system properties to make it work (notice jmxremote.ssl is disabled, as this only applies to tomcat's JMX):

-Dcom.sun.management.jmxremote.ssl=false
-Djavax.net.ssl.keyStore=/etc/cassandra/certstore/client_certstore/keystore.jks
-Djavax.net.ssl.keyStorePassword=cassandra
-Djavax.net.ssl.trustStore=/etc/cassandra/certstore/client_certstore/truststore.jks
-Djavax.net.ssl.trustStorePassword=cassandra

If one were to disable ssl.need.client.auth, only the truststore path and password are required. The truststore is then the minimal property required to enable SSL, (although in practice, disabling client auth is a really bad idea because it cancels out the security benefits of SSL)

PR looks good with some minor cosmetic suggestion.

I commited your suggestion. Thanks for the improvement!

[jc-roman]

For reference:
My setup to create a tomcat + jolokia in Proxy Mode Dockerfile:
https://github.com/TheWeatherCompany/jolokia/blob/docker-proxy/Dockerfile
https://github.com/TheWeatherCompany/jolokia/blob/docker-proxy/setenv.sh

diff (a bit outdated) that includes building the docker image with Github actions: master...TheWeatherCompany:docker-proxy

truststore and keystore volumes mounted at runtime. Truststore and keystore System properties are set in CATALINA_OPTS.

[rhuss]

Thanks, that makes sense to me.