Introduction
The Java virtual machine (Java VM) has built-in instrumentation that enables you to monitor and manage it using the Java Management Extensions (JMX) technology. These built-in management utilities are often referred to as out-of-the-box management tools for the Java VM. You can also monitor any appropriately instrumented applications using the JMX API.
Enabling JMX agents
JMX agent configuration involves:
- Modifying the host entries.
- Enabling JMX monitoring.
Modifying host entries
The host entries are modified for proper hostname resolution.
- In the /etc/hosts file, comment out the secondary loopback line with IP 127.0.1.1.
- Modify the entry for proper hostname resolution. For example, if the hostname is hostname.domain.com:
  - If connecting to the JMX port (here 7199) using the 127.0.0.1 IP, modify the 127.0.0.1 line as:
    127.0.0.1 hostname.domain.com hostname
  - If connecting to the JMX port (here 7199) using the device IP, modify the entry as:
    {Device_IP} hostname.domain.com hostname
Enabling JMX monitoring without authentication
Start the Java program with the following parameters:
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=7199
-Dcom.sun.management.jmxremote.local.only=false
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false
Enabling JMX monitoring with authentication
Password files
The password file defines the different roles and their passwords.
The access control file (jmxremote.access by default) defines the permitted access for each role.
To be functional, a role must have an entry in both the password and the access files.
The JRE implementation contains a password file template named jmxremote.password.template.
To add an entry to the password file:
- Copy this template to JRE_HOME/lib/management/jmxremote.password or to your home directory.
- Add the passwords for the roles defined in the access file.
- Be sure that only the owner has read and write permissions on this file, since it contains the passwords in clear text.
For security reasons, the system checks that the file is only readable by the owner and exits with an error if it is not. Thus in a multiple-user environment, the password file should be stored in a private location such as the home directory.
Property names are roles, and the associated value is the role’s password. For example, the following are sample entries in the password file.
Access files
By default, the access file is named jmxremote.access.
Property names are identities from the same space as the password file.
The associated value must be either readonly or readwrite.
The access file defines roles and their access levels.
By default, the access file defines the following primary roles:
- monitorRole, which grants read-only access for monitoring.
- controlRole, which grants read-write access for monitoring and management.
An access control entry consists of a role name and an associated access level. The role name cannot contain spaces or tabs and must correspond to an entry in the password file.
The access level can be one of the following:
- readonly, which grants access to read an MBean’s attributes. For monitoring, this means that a remote client in this role can read measurements but cannot perform any action that changes the environment of the running program. The remote client can also listen to MBean notifications.
- readwrite, which grants access to read and write an MBean’s attributes, to invoke operations on them, and to create or remove them. This access should be granted to only trusted clients, since they can potentially interfere with the operation of an application.
A role should have only one entry in the access file. If a role has no entry, it has no access. If a role has multiple entries, then the last entry takes precedence.
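The rules above can be checked before the JVM is started. The following is an added example, not part of the original page: it assumes whitespace-separated "role value" lines as in this page's examples, and the function names and sample file contents are constructed for illustration.

```python
# Added example (not from the original page). Assumes whitespace-separated
# "role value" lines, as in the page's examples; all sample data is constructed.
VALID_LEVELS = {"readonly", "readwrite"}

def parse_entries(text):
    """Return ({role: value}, duplicated_roles); the last entry for a role wins."""
    entries, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        role, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if role in entries and role not in duplicates:
            duplicates.append(role)
        entries[role] = value
    return entries, duplicates

def audit_roles(password_text, access_text):
    """Return (effective_access, findings) for a password/access file pair."""
    passwords, _ = parse_entries(password_text)
    access, dup = parse_entries(access_text)
    findings = [f"{r}: multiple access entries, last one ({access[r]}) applies" for r in dup]
    effective = {}
    for role, level in access.items():
        if level not in VALID_LEVELS:
            findings.append(f"{role}: access level must be readonly or readwrite, got {level!r}")
        elif not passwords.get(role):
            findings.append(f"{role}: no password entry, so the role is not functional")
        else:
            effective[role] = level
    for role in passwords:
        if role not in access:
            findings.append(f"{role}: password entry without access entry, so no access")
    return effective, findings

PASSWORD_FILE = """\
# constructed sample
monitorRole example-password-1
controlRole example-password-2
orphanRole example-password-3
"""
ACCESS_FILE = """\
monitorRole readonly
controlRole readwrite
controlRole readonly
vagent readonly
auditor admin
"""

if __name__ == "__main__":
    effective, findings = audit_roles(PASSWORD_FILE, ACCESS_FILE)
    print(effective)
    print("\n".join(findings))
```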
Examples
Example 1A: Password file
In this example, a password file can specify the actual password.
monitorRole password
controlRole password
On Solaris and Linux systems, the file permissions for the password file can be set by running the following command:
chmod 600 jmxremote.password
Example 1B: Access file
Typical predefined roles in the access file resemble the following:
- The monitorRole role has readonly access.
- The controlRole role has readwrite access.
Any name can be used for the user role for agent monitoring purposes.
Example 2A: Password file
In this example, the vagent role has a password assigned.
vagent <password>
Example 2B: Access file
In this example, the vagent role has readonly access.
vagent readonly
Use the following parameters to start the Java program:
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=7199
-Dcom.sun.management.jmxremote.local.only=false
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.password.file=${ABSOLUTE PATH}/jmx.password
-Dcom.sun.management.jmxremote.access.file=${ABSOLUTE PATH}/jmx.access
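A JVM command line can be audited for the two parameter sets shown on this page. The following is an added example, not part of the original page: the function names and the "-jar app.jar" tail are constructed, and it relies on the JDK defaults of authenticate=true and ssl=true when a remote port is set.

```python
# Added example (not from the original page); the command line is constructed
# from the unauthenticated parameter set shown on this page.
import os
import shlex
import stat

PREFIX = "-Dcom.sun.management.jmxremote"
DEFAULTS = {"authenticate": "true", "ssl": "true"}  # JDK defaults for the remote agent

def jmx_options(cmdline):
    """Return {option: value} for each -Dcom.sun.management.jmxremote[.option] flag."""
    opts = {}
    for tok in shlex.split(cmdline):
        if tok == PREFIX or tok.startswith(PREFIX + "."):
            key, _, value = tok[len(PREFIX):].lstrip(".").partition("=")
            opts[key] = value
    return opts

def audit_jvm(cmdline):
    """Return findings for the remote JMX settings on a JVM command line."""
    opts = jmx_options(cmdline)
    if "port" not in opts:
        return []  # no remote JMX port requested
    eff = {**DEFAULTS, **opts}
    port, findings = opts["port"], []
    if eff["authenticate"].lower() != "true":
        findings.append(f"port {port}: authenticate=false, authentication is disabled")
    if eff["ssl"].lower() != "true":
        findings.append(f"port {port}: ssl=false, traffic including passwords is unencrypted")
    pw = opts.get("password.file")
    if eff["authenticate"].lower() == "true" and pw and os.path.isfile(pw):
        # The JVM refuses a password file that is readable by anyone but the owner.
        mode = stat.S_IMODE(os.stat(pw).st_mode)
        if mode & 0o077:
            findings.append(f"{pw}: mode {mode:o} is not owner-only, run chmod 600")
    return findings

NO_AUTH = ("java -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=7199 "
           "-Dcom.sun.management.jmxremote.local.only=false "
           "-Dcom.sun.management.jmxremote.authenticate=false "
           "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar")

if __name__ == "__main__":
    for finding in audit_jvm(NO_AUTH):
        print(finding)
```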
Required variables for monitoring templates
- IPAddress - Address on which the JMX listens. Default: 127.0.0.1
- Port - JMX listener port (7199 in the above example)
- Username - User name if authentication is enabled, or the default string NA (the user from the vagent example)
- Password - Password if authentication is enabled, or NA (the password from the password example)
- Java Path - Path of the java binary. Default: java