Using JMX Monitoring

Provides information on enabling and configuring the JMX agent.

Leave Feedback

Introduction

The Java virtual machine (Java VM) has built-in instrumentation that enables you to monitor and manage it using the Java Management Extensions (JMX) technology. These built-in management utilities are often referred to as out-of-the-box management tools for the Java VM. You can also monitor any appropriately instrumented applications using the JMX API.

Enabling JMX agents

JMX agent configuration involves:

  1. Modifying the host entries.
  2. Enabling JMX monitoring.

Modifying host entries

The host entries are modified for proper hostname resolution.

  1. In the /etc/hosts file, comment the secondary loop back line with IP 127.0.1.1.
  2. Modify the entry for the proper hostname resolution. For example: hostname is hostname.domain.com.
    • If connecting to JMX port (here 7199) using 127.0.0.1 IP, modify the entry with the line 127.0.0.1 as 127.0.0.1 hostname.domain.com hostname.
    • If connecting to JMX port (here 7199) using Device IP, modify the entry as{Device_IP} hostname.domain.com hostname

Enabling JMX monitoring without authentication

Start the Java program with the following parameters:

Dcom.sun.management.jmxremote
Dcom.sun.management.jmxremote.port=7199
Dcom.sun.management.jmxremote.local.only=false
Dcom.sun.management.jmxremote.authenticate=false
Dcom.sun.management.jmxremote.ssl=false

Enabling JMX monitoring with authentication

Password files

The password file defines the different roles and their passwords. The access control file (jmxremote.access by default) defines the permitted access for each role. To be functional, a role must have an entry in both the password and the access files.

The JRE implementation contains a password file template named jmxremote.password.template.

To add an entry to the password file:

  1. Copy this file to JRE_HOME/lib/management/jmxremote.password to your home directory.
  2. Add the passwords for the roles defined in the access file.
  3. Be sure that only the owner has read and write permissions on this file, since it contains the passwords in clear text.

For security reasons, the system checks that the file is only readable by the owner and exits with an error if it is not. Thus in a multiple-user environment, the password file should be stored in a private location such as the home directory.

Property names are roles, and the associated value is the role’s password. For example, the following are sample entries in the password file.

Access files

By default, the access file is named jmxremote.access. Property names are identities from the same space as the password file. The associated value must be either readonly or readwrite. The access file defines roles and their access levels.

By default, the access file defines the following primary roles:

  • monitorRole, which grants read-only access for monitoring.
  • controlRole, which grants read-write access for monitoring and management.

An access control entry consists of a role name and an associated access level. The role name cannot contain spaces or tabs and must correspond to an entry in the password file.

The access level can be one of the following.

  • readonly, which grants access to read an MBean’s attributes. For monitoring, this means that a remote client in this role can read measurements but cannot perform any action that changes the environment of the running program. The remote client can also listen to MBean notifications.
  • readwrite, which grants access to read and write an MBean’s attributes, to invoke operations on them, and to create or remove them. This access should be granted to only trusted clients, since they can potentially interfere with the operation of an application.

A role should have only one entry in the access file. If a role has no entry, it has no access. If a role has multiple entries, then the last entry takes precedence.

Examples

Example 1A: Password file

In this example, a password file can specify the actual password.

monitorRole password
controlRole password

On Solaris and Linux systems, the file permissions for the password file can be set by running the following command:

chmod 600 jmxremote.password

Example 1B: Access file

Typical predefined roles in the access file resembles the following:

  • monitorRole role has readonly access.
  • controlRole role has readwrite access.

We can use any name for the user role or agent monitoring purposes.

Example 2A: Password file

This example the vagent role has a password assigned.

vagent <password>

Example 2B: Access files

In this example, the vagent role has readonly access. vagent readonly.

Use the following parameters to start the Java program:

Dcom.sun.management.jmxremote
Dcom.sun.management.jmxremote.port=7199
Dcom.sun.management.jmxremote.local.only=false
Dcom.sun.management.jmxremote.authenticate=true
Dcom.sun.management.jmxremote.ssl=false
Dcom.sun.management.jmxremote.password.file=${ABSOLUTE PATH}/jmx.password
Dcom.sun.management.jmxremote.access.file=${ABSOLUTE PATH}/jmx.access

Required variables for monitoring templates

  • IPAddress - Address on which the JMX listens. Default 127.0.0.1
  • Port - JMX listener port (port from the above example 7199)
  • Username - User name if authentication enabled or default string NA (user from the vagent example)
  • Password - Password if authentication is enabled or NA (password from the password example)
  • Java Path - Path of the java binary. Default java.