Be careful with these options on production systems:
-Dcom.sun.management.jmxremote.port=8999
-Dcom.sun.management.jmxremote.ssl=false
Keep in mind that, according to the Java documentation, this can enable the execution of arbitrary source code, as you can read here:
Disabling Security
To disable both password authentication and SSL (namely to disable all
security), you should set the following system properties when you
start the Java VM.
com.sun.management.jmxremote.authenticate=false
com.sun.management.jmxremote.ssl=false
Caution - This configuration is insecure: any remote user who knows (or guesses)
your port number and host name will be able to monitor and control
your Java applications and platform. Furthermore, possible harm is not
limited to the operations you define in your MBeans. A remote client
could create a javax.management.loading.MLet MBean and use it to create
new MBeans from arbitrary URLs, at least if there is no security
manager. In other words, a rogue remote client could make your Java
application execute arbitrary code. Consequently, while disabling
security might be acceptable for development, it is strongly
recommended that you do not disable security for production systems.
Source: https://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html
I believe the best way to use it securely is 2-way SSL, as explained in this document:
https://www.ibm.com/support/knowledgecenter/en/SSJJ9R_5.0.1/com.ibm.jazz.repository.web.admin.doc/topics/t_server_mon_tomcat_option3.html
Set up client SSL authentication
From this point, a full SSL-secured solution requires that you also activate client-level SSL authentication.
About this task
You can configure client authentication for JMX to be SSL-certificate based. The following example shows how to configure JConsole to be SSL-certificate based. You can use similar steps to configure any other client. As a guideline, the general steps for this configuration are as follows:
Create SSL key stores and trust stores for the client and server.
Export certificates on each side.
Exchange and import the certificates at the server level and client level.
The Apache Tomcat server that is bundled with CLM has a keystore, and the previous instructions showed how to export the certificate and import it in the client. The following steps show the rest of configuration for implementing client authentication for JConsole. Sample values and self-signed certificates are used in the examples for clarity; you should adjust them for your environment policies.
Procedure
To create a keystore for JConsole, open a command prompt, and go to JazzInstallDir/server/jre/bin and enter the following command:
keytool -genkey -alias jconsole -keyalg RSA -validity 365 -keystore jconsole.keystore -storepass password -keypass password
Enter the following command to export the certificate from JConsole:
keytool -export -alias jconsole -keystore jconsole.keystore -file client.cer -storepass password
Enter the following command to import into the Apache Tomcat trust store. The command generates a new trust store:
keytool -import -alias jconsole-ibm-team -file client.cer -keystore ibm-team-ssl.truststore -storepass ibm-team -noprompt
To configure the server with the truststore, add the relevant properties to the server.startup file, in addition to the properties for previous SSL configurations:
Linux:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=path_to_the_trust_store/ibm-team-ssl.truststore"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=ibm-team"
Microsoft Windows:
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=path_to_the_trust_store/ibm-team-ssl.truststore
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=ibm-team
To connect to JConsole, the following sample call uses these new assets. The authentication is based on certificate exchange.
jconsole -J-Djavax.net.ssl.trustStore=jconsole.truststore -J-Djavax.net.ssl.trustStorePassword=ibm-team -J-Djavax.net.ssl.keyStore=jconsole.keystore -J-Djavax.net.ssl.keyStorePassword=password service:jmx:rmi:///jndi/rmi://host:1099/jmxrmi
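Added example, not part of the original answer or of the quoted Oracle and IBM documentation: a small shell check that audits a JAVA_OPTS-style string for the JMX remote settings discussed above before it reaches production. The helper names jmx_prop and audit_jmx_opts are hypothetical, the sample option strings are constructed, and the property com.sun.management.jmxremote.ssl.need.client.auth and the defaults used are taken from the Oracle agent guide rather than from the text on this page.

```shell
#!/bin/sh
# Added example. jmx_prop and audit_jmx_opts are hypothetical helper names.
# Defaults assumed from the Oracle agent guide: authenticate=true, ssl=true,
# ssl.need.client.auth=false. Settings loaded from a management.properties
# file are not inspected.

# jmx_prop OPTS NAME DEFAULT: print com.sun.management.jmxremote.NAME
# (the last occurrence in OPTS is used), or DEFAULT when it is absent.
jmx_prop() {
    val=$3
    for opt in $1; do
        case $opt in
            -Dcom.sun.management.jmxremote."$2"=*) val=${opt#*=} ;;
        esac
    done
    printf '%s\n' "$val"
}

# audit_jmx_opts OPTS: print findings; return 1 if any FAIL was reported.
audit_jmx_opts() {
    port=$(jmx_prop "$1" port "")
    [ -n "$port" ] || { echo "OK: no remote JMX port set"; return 0; }
    auth=$(jmx_prop "$1" authenticate true)
    ssl=$(jmx_prop "$1" ssl true)
    certs=$(jmx_prop "$1" ssl.need.client.auth false)
    [ "$ssl" = true ] || certs=false   # client certificates require SSL
    rc=0
    if [ "$ssl" != true ]; then
        echo "FAIL: port $port: ssl=$ssl, traffic is not encrypted"; rc=1
    fi
    if [ "$auth" != true ] && [ "$certs" != true ]; then
        echo "FAIL: port $port: no password or certificate authentication"; rc=1
    fi
    if [ "$ssl" = true ] && [ "$certs" != true ]; then
        echo "WARN: port $port: one-way SSL, client certificates not required"
    fi
    return "$rc"
}

# Constructed inputs: the two flags from the top of the post, and a 2-way SSL set.
P=-Dcom.sun.management.jmxremote
PAGE_OPTS="$P.port=8999 $P.ssl=false"
TWO_WAY="$P.port=8999 $P.ssl=true $P.ssl.need.client.auth=true"
audit_jmx_opts "$PAGE_OPTS" || true   # prints the ssl=false FAIL line
audit_jmx_opts "$TWO_WAY" || true     # prints nothing
```

The non-zero return status on a FAIL lets the check gate a deployment script or CI job.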