In some situations, where a JRockit JVM is running behind a firewall, remote monitoring can become a hard task to accomplish, especially if an SSH tunnel is required to reach the server running the JVM...
Read on for 2 scenarios where we can enable remote monitoring with JRockit Mission Control.
The problem stems from the way JMX clients connect to the JMX server:
1 - When the JMX client opens a connection, it first connects to the RMI registry on the server.
2 - The RMI registry listens on the port you define with -Xmanagement:port=REGISTRY_PORT.
3 - The registry then hands the client an RMI stub for the JMX connector server (the endpoint that actually exposes the MBean data) in the form jmxhost:jmxport, and the client opens a second connection to that endpoint.
4 - In earlier JRockit releases this second port was picked at random when the JVM started, so it is not known until the connection is made, which makes it difficult to write firewall rules that allow the traffic between client and server.
Fortunately, JRockit R28 added changes that make it easier to remotely monitor a JVM running behind a firewall.
Quoting the official documentation:
"To allow RMI communication between the JRockit JVM server and a client through a firewall, two ports (RMI Registry and RMI Server) are required to configure the firewall.
In previous releases, the RMI Server port number was generated randomly on the JRockit JVM server; so it was not possible to configure the firewall in advance.
In JRockit JVM R28.0, the JMX agent enables you to select the same port number for the RMI Registry and the RMI Server.
Therefore, you can use the default JMX agent for RMI communication through a firewall."
So, basically, all you have to do is add both port and rmiserver_port to your -Xmanagement JVM options, something like:
-Xmanagement:port=REGISTRY_PORT,rmiserver_port=RMI_SERVER_PORT
and have both ports open in the firewall rules, like the picture below:
Now, I have faced some situations where, for security reasons, the server where the JVM is running can only be accessed via SSH tunneling, because the firewall rule can only be set for a known or trusted IP address, like the scenario below:
This breaks our first example: the RMI stub handed back by the registry identifies the JMX connector server as jmxhost:jmxport, where jmxhost is the name (or address) the JVM host knows itself by, so the client tries to connect directly to jmxhost:jmxport on the machine where the JVM is running, bypassing the tunnel.
In such situations, we can use yet another -D option to make the stub advertise the machine where the SSH tunnel terminates instead.
Just add -Djava.rmi.server.hostname=MachineA (using our example above) so that the stub names MachineA, where the SSH tunnel is running, and the client connects there.
So, in our JVM startup options, we would have something like:
-Xmanagement:port=REGISTRY_PORT,rmiserver_port=RMI_SERVER_PORT -Djava.rmi.server.hostname=MachineA
and in Mission Control we would use a Custom JMX Service URL, like:
service:jmx:rmi://MachineA:RMI_SERVER_PORT/jndi/rmi://MachineA:REGISTRY_PORT/jmxrmi
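The pieces above (fixed registry and RMI server ports, the hostname override, the firewall rule on the JVM host and the tunnel on MachineA) only work when all four agree on the same host names and port numbers. The script below is an added example, not code from the original post or from Oracle; it assembles each piece from one set of variables so they cannot drift apart. The ports 7091/7092, the JVM host name jvmhost.example.internal, the SSH user, the trusted IP 203.0.113.10, the iptables syntax and the use of `ss` for the listening check are all assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: keep the JRockit JMX agent options, the SSH tunnel, the
# firewall rules and the Mission Control service URL consistent.
# All host names, ports and users below are assumed values for illustration.
set -eu

REGISTRY_PORT=7091                    # -Xmanagement:port (RMI registry)
RMI_SERVER_PORT=7092                  # -Xmanagement:rmiserver_port (JMX connector server)
TUNNEL_HOST="MachineA"                # trusted host that terminates the SSH tunnel
JVM_HOST="jvmhost.example.internal"   # host running the JRockit JVM (assumed)
JVM_USER="deploy"                     # SSH user on JVM_HOST (assumed)

# JVM options: pin both ports and make the RMI stub advertise TUNNEL_HOST,
# not the JVM host's own name, so the client follows the stub into the tunnel.
jrockit_opts() {
  printf -- '-Xmanagement:port=%s,rmiserver_port=%s -Djava.rmi.server.hostname=%s' \
    "$REGISTRY_PORT" "$RMI_SERVER_PORT" "$TUNNEL_HOST"
}

# Mission Control custom JMX service URL: both the RMI server part and the
# JNDI (registry) part must point at the tunnel end.
jmx_service_url() {
  printf 'service:jmx:rmi://%s:%s/jndi/rmi://%s:%s/jmxrmi' \
    "$TUNNEL_HOST" "$RMI_SERVER_PORT" "$TUNNEL_HOST" "$REGISTRY_PORT"
}

# SSH tunnel to run on TUNNEL_HOST: each local port is forwarded to the same
# port on the JVM host. Keeping the numbers identical on both ends is what
# makes the overridden stub (MachineA:RMI_SERVER_PORT) land on the right socket.
tunnel_cmd() {
  printf 'ssh -N -L %s:localhost:%s -L %s:localhost:%s %s@%s' \
    "$REGISTRY_PORT" "$REGISTRY_PORT" "$RMI_SERVER_PORT" "$RMI_SERVER_PORT" \
    "$JVM_USER" "$JVM_HOST"
}

# Firewall rules for the JVM host (iptables syntax, assumed): only the trusted
# tunnel host may reach the two management ports; everyone else is dropped.
firewall_rules() {
  local trusted_ip="$1" p
  for p in "$REGISTRY_PORT" "$RMI_SERVER_PORT"; do
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$trusted_ip" "$p"
  done
  for p in "$REGISTRY_PORT" "$RMI_SERVER_PORT"; do
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$p"
  done
}

# Post-startup check on the JVM host: both configured ports must be listening.
# Exit status 0 means both were found. Requires `ss` (iproute2), assumed present.
listening_check() {
  ss -ltn | awk -v r="$REGISTRY_PORT" -v s="$RMI_SERVER_PORT" '
    $4 ~ (":" r "$") { reg = 1 }
    $4 ~ (":" s "$") { srv = 1 }
    END { exit !(reg && srv) }'
}

case "${1:-}" in
  check)
    listening_check && echo "both management ports are listening" ;;
  *)
    echo "JVM options : $(jrockit_opts)"
    echo "Tunnel      : $(tunnel_cmd)"
    echo "JMX URL     : $(jmx_service_url)"
    echo "Firewall rules on $JVM_HOST (trusted IP of $TUNNEL_HOST assumed):"
    firewall_rules "203.0.113.10" ;;
esac
```

Two practical notes. If Mission Control runs on a workstation other than MachineA, the forwarded ports must be bound on a reachable interface (for example `-L '*:7091:localhost:7091'`, or GatewayPorts in sshd), otherwise only clients on MachineA itself can follow the stub. And because these two ports now expose every MBean the JVM registers, keep the -Xmanagement agent's authentication and SSL settings enabled when opening them through a firewall; an unauthenticated JMX endpoint reachable from the trusted host is effectively an administrative interface on the JVM.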
References:
Changes in the JMX Agent
JMX Agent-Related –D Options
Mark Feeney Blog
Daniel Fuchs Blog
Happy monitoring!!!