fix(jmx): set java.rmi.server.hostname for SSL to prevent hostname verification issues on multi-homed hosts

jeanouii · jeanouii · commit 44e13ede075d · 2026-02-20T17:27:57.000+01:00
diff --git a/activemq-broker/src/main/java/org/apache/activemq/broker/jmx/ManagementContext.java b/activemq-broker/src/main/java/org/apache/activemq/broker/jmx/ManagementContext.java
@@ -170,7 +170,23 @@ public void run() {
                                 try {
                                     // need to remove MDC as we must not inherit MDC in child threads causing leaks
                                     MDC.remove("activemq.broker");
-                                    connectorServer.start();
+                                    // When SSL is enabled, temporarily set java.rmi.server.hostname
+                                    // to connectorHost so RMI stubs embed the configured host rather
+                                    // than the machine's auto-detected IP. Without this, SSL hostname
+                                    // verification fails on multi-homed hosts because the stub carries
+                                    // an IP that is not covered by the certificate's SAN entries.
+                                    // Pre-existing user-defined values are respected and not overwritten.
+                                    final String prevRmiHostname = System.getProperty("java.rmi.server.hostname");
+                                    if (sslContext != null && prevRmiHostname == null) {
+                                        System.setProperty("java.rmi.server.hostname", connectorHost);
+                                    }
+                                    try {
+                                        connectorServer.start();
+                                    } finally {
+                                        if (sslContext != null && prevRmiHostname == null) {
+                                            System.clearProperty("java.rmi.server.hostname");
+                                        }
+                                    }
                                     serverStub = server.toStub();
                                 } finally {
                                     if (brokerName != null) {
diff --git a/activemq-broker/src/test/java/org/apache/activemq/broker/jmx/ManagementContextSslTest.java b/activemq-broker/src/test/java/org/apache/activemq/broker/jmx/ManagementContextSslTest.java
@@ -61,7 +61,6 @@ public class ManagementContextSslTest {
     private SSLContext savedDefaultSslContext;
     private String savedTrustStore;
     private String savedTrustStorePassword;
-    private String savedRmiHostname;
 
     @BeforeClass
     public static void createKeyStore() throws Exception {
@@ -110,7 +109,6 @@ public void setUp() throws Exception {
         savedDefaultSslContext = SSLContext.getDefault();
         savedTrustStore = System.getProperty("javax.net.ssl.trustStore");
         savedTrustStorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
-        savedRmiHostname = System.getProperty("java.rmi.server.hostname");
     }
 
     @After
@@ -121,7 +119,6 @@ public void tearDown() throws Exception {
         SSLContext.setDefault(savedDefaultSslContext);
         restoreSystemProperty("javax.net.ssl.trustStore", savedTrustStore);
         restoreSystemProperty("javax.net.ssl.trustStorePassword", savedTrustStorePassword);
-        restoreSystemProperty("java.rmi.server.hostname", savedRmiHostname);
     }
 
     @Test
@@ -195,9 +192,6 @@ public void testConnectorStartsWithSsl() throws Exception {
         SSLContext.setDefault(testSslContext);
         System.setProperty("javax.net.ssl.trustStore", keystoreFile.toString());
         System.setProperty("javax.net.ssl.trustStorePassword", KEYSTORE_PASSWORD);
-        // Force RMI stubs to advertise "localhost" so SSL hostname verification
-        // matches the certificate SAN (dns:localhost) instead of the machine's IP.
-        System.setProperty("java.rmi.server.hostname", "localhost");
 
         context = createSslManagementContext();
         context.start();
@@ -217,11 +211,6 @@ public void testSslJmxConnectionSucceeds() throws Exception {
         SSLContext.setDefault(testSslContext);
         System.setProperty("javax.net.ssl.trustStore", keystoreFile.toString());
         System.setProperty("javax.net.ssl.trustStorePassword", KEYSTORE_PASSWORD);
-        // Force RMI stubs to advertise "localhost" so SSL hostname verification
-        // matches the certificate SAN (dns:localhost) instead of the machine's actual IP.
-        // RMI normally embeds InetAddress.getLocalHost() in stubs; on a multi-homed
-        // machine this can be an IP not covered by the test certificate.
-        System.setProperty("java.rmi.server.hostname", "localhost");
 
         context = createSslManagementContext();
         context.start();
