Friday, November 19, 2010

Enabling remote JMX monitoring for a Java application

In this post, I would like to go through the configuration required to enable an application for remote JMX monitoring, so that it can be monitored using profiling tools like jconsole, VisualVM, etc.

To enable a JVM for remote JMX monitoring, we need to provide the following JAVA_OPTIONS when starting the JVM.

Simple Configuration - No authentication
-Dcom.sun.management.jmxremote.port=6969
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false

The above parameters make the JVM accept JMX connections on port 6969, with SSL and authentication both turned off. You can use any unused port number for this.

If an application uses the Java Service Wrapper to start the JVM, the Java options should be added to the wrapper.conf file as below:

wrapper.java.additional.XX=-Dcom.sun.management.jmxremote.port=6969
wrapper.java.additional.XX=-Dcom.sun.management.jmxremote.ssl=false
wrapper.java.additional.XX=-Dcom.sun.management.jmxremote.authenticate=false

where XX indicates the sequence number of the Java option in wrapper.conf. The numbers may vary and need to be adjusted to fit your existing entries.

Configuration with Authentication
Remote JMX connectivity can be configured to require credentials. Here the credential information is read from the password file (authentication) and the access file (authorization).

-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.access.file=jmxremote.access
-Dcom.sun.management.jmxremote.password.file=jmxremote.password

The default location for these files is JRE_HOME/lib/management. You can place the files wherever suits your application configuration. I prefer to keep them under the /conf directory.

*jmxremote.access contains*
########## jmxremote.access ######################
normalUser readonly
superUser readwrite

*jmxremote.password contains*
########## jmxremote.password ######################
# The "normalUser" role has password "passwOrd".
normalUser passwOrd
superUser passwOrd

A very important note here: the jmxremote.password file should be owned by, and accessible to, the owner only. Otherwise you will receive an error message such as "File must be restricted to read access" (wording may change).
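
The settings above can be checked before a JVM is started. The script below is an added example, not part of the original post: it reads a wrapper.conf or a plain list of JVM options, reports an explicit authenticate=false or ssl=false, and checks the ownership and mode of the password file. The function names, the sample files and the convention of passing the password file path as the second argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the JMX settings described in this post.
# Function names and the sample files are constructed for illustration.

# Print the last value of -Dcom.sun.management.jmxremote.<name> in a file,
# skipping comment lines. Works for wrapper.conf and plain option lists.
jmx_flag() {
    sed -n -e '/^[[:space:]]*#/d' \
        -e "s/^.*-Dcom\.sun\.management\.jmxremote\.$2=\([^[:space:]]*\).*$/\1/p" "$1" | tail -n 1
}

# Succeed only if the password file is owned by the current user and the
# group/other permission bits (characters 5-10 of the ls mode) are all clear.
password_file_ok() {
    [ -f "$1" ] || return 1
    [ -O "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print findings for one config; exit status is the number of findings.
audit_jmx() {
    conf=$1; pwfile=$2; findings=0
    port=$(jmx_flag "$conf" port)
    if [ -z "$port" ]; then echo "remote JMX port not set in $conf"; return 0; fi
    # authenticate and ssl both default to true when only the port is given,
    # so the weak state is an explicit =false.
    if [ "$(jmx_flag "$conf" authenticate)" = "false" ]; then
        echo "FINDING: port $port accepts JMX connections without credentials"
        findings=$((findings + 1))
    elif ! password_file_ok "$pwfile"; then
        echo "FINDING: $pwfile must be owned by and readable only by the JVM user"
        findings=$((findings + 1))
    fi
    if [ "$(jmx_flag "$conf" ssl)" = "false" ]; then
        echo "FINDING: port $port carries JMX traffic unencrypted"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: the "simple configuration" from this post.
demo=$(mktemp -d)
printf '%s\n' \
    'wrapper.java.additional.1=-Dcom.sun.management.jmxremote.port=6969' \
    'wrapper.java.additional.2=-Dcom.sun.management.jmxremote.ssl=false' \
    'wrapper.java.additional.3=-Dcom.sun.management.jmxremote.authenticate=false' \
    > "$demo/wrapper.conf"
audit_jmx "$demo/wrapper.conf" "$demo/jmxremote.password" || echo "$? finding(s)"
rm -rf "$demo"
```

With authentication enabled, running chmod 600 on jmxremote.password as the user that starts the JVM clears the password file finding.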





Authentication can also be implemented using the JAAS callback mechanism, where we need to provide an implementation for javax.security.auth.callback.NameCallback and javax.security.auth.callback.PasswordCallback.

-Dcom.sun.management.jmxremote.login.config=login.config

Using this option, you can even authenticate against a third-party system such as LDAP.

Configuration with SSL encryption
Provide the following Java options:
-Dcom.sun.management.jmxremote.ssl=true
-Djavax.net.ssl.keyStore=     <>
-Djavax.net.ssl.trustStore=    <>
-Djavax.net.ssl.keyStoreType=     <>
-Djavax.net.ssl.keyStorePassword=     <>
-Djavax.net.ssl.trustStoreType=     <>
-Djavax.net.ssl.trustStorePassword=     <>

This covers the quick and basic configuration required to enable a Java application for remote JMX monitoring. I hope it helps you as well.