Tuesday, October 16, 2012

How to access remote JVM with JMX console

The JMX console lets you monitor and partially adjust properties of a running JVM. The JVM can run on localhost, where the JMX console is started, or on a remote machine. When you start the JMX console with the command jconsole, the following screen appears:
To access a remote JVM, that JVM first has to be prepared for it.

Let's configure the JVM to provide JMX remote access and protect that access with a name and password. The JVM has to be started with the following parameters:
# Enable the JMX remote agent and have it listen on port 9999
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote=true"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.port=9999"
# SSL is switched off here, so the name and password cross the network unencrypted
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
# Password authentication is on by default; these two files define the roles and their access
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file=/home/.../jmxremote.password"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.access.file=/home/../jmxremote.access"
export JAVA_OPTS

On the remote machine where the JVM will be started, the file jmxremote.password has to be accessible:
#content of file jmxremote.password

honza somePassword
And the file jmxremote.access:
# content of file jmxremote.access

honza readwrite

When these files are created and readable by the JVM running with the parameters listed above, the remote JVM should be accessible from the console.


Possible problems

When the following error occurs:
jmx error: Password file read access must be restricted

You have to adjust the access rights for both files in this way:
chmod 600 jmxremote.access
chmod 600 jmxremote.password
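
A pre-flight check for the two files, as an added example that is not part of the original post: it confirms both files are restricted to their owner (the cause of the error above) and that every role in jmxremote.password has a readonly or readwrite entry in jmxremote.access. The function names and messages are hypothetical, and the demo files are constructed.

```sh
#!/bin/sh
# Added example: pre-flight check for jmxremote.password / jmxremote.access.
# Function names and messages are hypothetical, not part of the JDK.

# True only if group and others have no permission bits (e.g. mode 600).
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints the first two fields of each entry, skipping blank lines and # comments.
entries() {
    awk '!/^[ \t]*#/ && NF { print $1, $2 }' "$1"
}

# Usage: check_jmx_files PASSWORD_FILE ACCESS_FILE
# Prints one line per problem and returns the number of problems found.
check_jmx_files() {
    pw=$1 acc=$2 problems=0
    for f in "$pw" "$acc"; do
        if [ ! -r "$f" ]; then
            echo "$f: missing or not readable"; return 1
        elif ! owner_only "$f"; then
            echo "$f: group/other permissions set, run chmod 600"
            problems=$((problems + 1))
        fi
    done
    for role in $(entries "$pw" | awk '{ print $1 }'); do
        level=$(entries "$acc" | awk -v r="$role" '$1 == r { l = $2 } END { print l }')
        case $level in
            readonly|readwrite) ;;
            "") echo "$role: no entry in $acc"; problems=$((problems + 1)) ;;
            *)  echo "$role: unknown access level '$level'"; problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Demo on constructed files: a world-readable access file and a role without access.
demo() {
    d=$(mktemp -d)
    printf 'honza somePassword\nadmin otherPassword\n' > "$d/jmxremote.password"
    printf 'honza readwrite\n' > "$d/jmxremote.access"
    chmod 600 "$d/jmxremote.password"; chmod 644 "$d/jmxremote.access"
    check_jmx_files "$d/jmxremote.password" "$d/jmxremote.access"; rc=$?
    rm -rf "$d"; return "$rc"
}
```

Run check_jmx_files with the same two paths passed to the JVM before starting it; a return value of 0 means no problems were found.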

Additional info

A nice description can be found in the file password.properties, which is part of JDK 1.5.
# password.properties

# Password file for Remote JMX API authentication. This file defines
# the different roles and their passwords.

# The file format for the password file is syntactically the same as
# the Properties file format. The syntax is described in the Javadoc
# for java.util.Properties.load.

# A typical password file has multiple lines, where each line is blank,
# a comment (like this one), or a password entry.

# A password entry consists of a role name and an associated password.
# The role name is any string that does not itself contain spaces or
# tabs. The password is again any string that does not contain spaces
# or tabs. Note that passwords appear in the clear in this file, so it
# is a good idea not to use valuable passwords.

# A given role should have at most one entry in this file. If a role
# has no entry, it has no access.
# If multiple entries are found for the same role name, then the last
# one is used.

# In a typical installation, this file can be read by anybody on the
# local machine, and possibly by people on other machines.
# For security, you should either restrict the access to this file,
# or specify another, less accessible file in the management config
# file as described above.

# Role and password used for authentication by the RMI connector in
# this example.
#
username password