diff --git a/data/common/cassandra.yaml b/data/common/cassandra.yaml
--- a/data/common/cassandra.yaml
+++ b/data/common/cassandra.yaml
@@ -48,6 +48,12 @@
   storage_port: 7000
   jmx_port: 7199
   jmx_exporter_port: 7070
+  jmx_remote: true
+  jmx_user: "%{lookup('cassandra::jmx::user')}"
+  jmx_password: "%{lookup('cassandra::jmx::password')}"
+
+cassandra::jmx::user: cassandra
+# cassandra::jmx::password in private data
 
 # Reflect the base of the cassandra.yaml content
 # These list is completed and/or overridden in cassandra::instance
diff --git a/site-modules/profile/manifests/cassandra.pp b/site-modules/profile/manifests/cassandra.pp
--- a/site-modules/profile/manifests/cassandra.pp
+++ b/site-modules/profile/manifests/cassandra.pp
@@ -35,6 +35,10 @@
   $default_instance_config = lookup('cassandra::default_instance_configuration')
   $clusters_config = lookup('cassandra::clusters')
 
+  $jmx_remote = $default_instance_config['jmx_remote']
+  $jmx_access_file = "${cassandra_config_directory}/jmxremote.access"
+  $jmx_password_file = "${cassandra_config_directory}/jmxremote.password"
+
   group {$cassandra_group:
     system => true,
   }
@@ -120,6 +124,33 @@
     require => [File[$cassandra_config_directory]],
   }
 
+  if $jmx_remote == true {
+    $jmx_user = $default_instance_config['jmx_user']
+    $jmx_password = $default_instance_config['jmx_password']
+
+    file {$jmx_access_file:
+      ensure  => present,
+      owner   => 'root',
+      group   => $cassandra_group,
+      mode    => '0540',
+      content => template('profile/cassandra/jmxremote.access.erb'),
+      require => [File[$cassandra_config_directory]]
+    }
+    file {$jmx_password_file:
+      ensure  => present,
+      owner   => 'root',
+      group   => $cassandra_group,
+      mode    => '0540',
+      content => template('profile/cassandra/jmxremote.password.erb'),
+      require => [File[$cassandra_config_directory]]
+    }
+  } else {
+    file {[ $jmx_access_file,
+            $jmx_password_file ]:
+      ensure => absent,
+    }
+  }
+
   $instances.each | $instance_name, $instance_config | {
     $merged_instance_config = $default_instance_config + $instance_config
     $cluster_config = $clusters_config[$merged_instance_config["cluster_name"]]
diff --git a/site-modules/profile/manifests/cassandra/instance.pp b/site-modules/profile/manifests/cassandra/instance.pp
--- a/site-modules/profile/manifests/cassandra/instance.pp
+++ b/site-modules/profile/manifests/cassandra/instance.pp
@@ -29,6 +29,8 @@
   $log_dir = "${cassandra_log_dir}/${instance_name}"
 
   $jmx_exporter_path = $::profile::prometheus::jmx::jar_path
+  $jmx_remote = $config['jmx_remote']
+  $jmx_port = $config['jmx_port']
 
   $base_configuration = lookup('cassandra::base_instance_configuration')
   $instance_configuration = {
@@ -45,6 +47,14 @@
 
   $computed_configuration = $base_configuration + $instance_configuration
 
+  # jmx port is hardcoded in the cassandra-env.sh file so it needs to be overriden in the
+  # service configuration
+  if $jmx_remote {
+    $extra_jmx_option = "-Dcassandra.jmx.remote.port=${jmx_port} -Dcom.sun.management.jmxremote.access.file=${cassandra_config_dir}/jmxremote.access"
+  } else {
+    $extra_jmx_option = "-Dcassandra.jmx.local.port=${jmx_port}"
+  }
+
   file {[
       $instance_base_data_dir,
       $base_data_dir,
diff --git a/site-modules/profile/templates/cassandra/instance-parameters.conf.erb b/site-modules/profile/templates/cassandra/instance-parameters.conf.erb
--- a/site-modules/profile/templates/cassandra/instance-parameters.conf.erb
+++ b/site-modules/profile/templates/cassandra/instance-parameters.conf.erb
@@ -5,9 +5,12 @@
 After=network.target
 
 [Service]
-Environment=JVM_EXTRA_OPTS="-javaagent:<%= @jmx_exporter_path %>=<%= @config["jmx_exporter_port"] %>:/etc/cassandra/jmx_exporter.yml -Dcassandra.jmx.local.port=<%= @config["jmx_port"] %> -Dcom.sun.management.jmxremote.authenticate=false"
+Environment=JVM_EXTRA_OPTS="-javaagent:<%= @jmx_exporter_path %>=<%= @config["jmx_exporter_port"] %>:/etc/cassandra/jmx_exporter.yml <%= @extra_jmx_option %>"
 Environment=CASSANDRA_CONF=<%= @config_dir %>
 Environment=CASSANDRA_LOG_DIR=<%= @log_dir %>
+<%- if @jmx_remote -%>
+Environment=LOCAL_JMX=no
+<%- end -%>
 
 [Install]
 WantedBy=multi-user.target
diff --git a/site-modules/profile/templates/cassandra/jmxremote.access.erb b/site-modules/profile/templates/cassandra/jmxremote.access.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/cassandra/jmxremote.access.erb
@@ -0,0 +1,5 @@
+monitorRole   readonly
+controlRole   readwrite \
+              create javax.management.monitor.*,javax.management.timer.* \
+              unregister
+<%= @jmx_user %>    readwrite
diff --git a/site-modules/profile/templates/cassandra/jmxremote.password.erb b/site-modules/profile/templates/cassandra/jmxremote.password.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/cassandra/jmxremote.password.erb
@@ -0,0 +1 @@
+<%= @jmx_user %>   <%= @jmx_password %>