Monitoring JBoss EAP 5 / 4 using JConsole / JMX
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 4.x
  - 5.x
- JVM version
  - 1.6
  - 1.5
  - 1.7
Issue
- What configuration is required to enable monitoring of JBoss EAP instances using JConsole?
- How does a user monitor JBoss EAP 5 with JConsole?
- Memory and Threads monitoring in EAP 5?
- How to monitor the remote servers?
- How to configure JMX on EAP 5 and allow remote connection to monitor JVM statistics?
- How to enable SSL for remote JMX connection to JBoss EAP?
- We are attempting to connect to the JBoss application server to get JMX data. What is the syntax for the correct JMX URL?
- Remote JMX Connection. I am trying to access the JMX console via JConsole, however I am always getting connection refused. I have added the config files, I am not sure if something is wrong.
- Java Mission Control (JMC) for JMX connectivity. Is it possible to connect to our EAP 5 servers with JMC-JMX?
Resolution
Basic Configuration
Add the following config parameters to run.conf:
JAVA_OPTS="$JAVA_OPTS -Djboss.platform.mbeanserver"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.ssl=false"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.port=3001"
JAVA_OPTS="$JAVA_OPTS -Djavax.management.builder.initial=org.jboss.system.server.jmx.MBeanServerBuilderImpl"
The Windows equivalent:
set "JAVA_OPTS=%JAVA_OPTS% -Djboss.platform.mbeanserver"
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote"
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.ssl=false"
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.authenticate=false"
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.port=3001"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.management.builder.initial=org.jboss.system.server.jmx.MBeanServerBuilderImpl"
If JConsole still does not show JBoss as an available local process to monitor after adding the above properties, try to reach JBoss as a remote process. For remote access, specify hostname:port or the JMX URL service:jmx:rmi:///jndi/rmi://hostname:port/jmxrmi, where port is the value of -Dcom.sun.management.jmxremote.port.
Interface Binding
The Sun/Oracle JDK always binds to all interfaces. A workaround is to define a firewall rule that only allows access to the RMI port number if the origin IP is part of a well-defined range.
User Authentication
The above example has authentication set to false. For production systems, enabling authentication is recommended to prevent unauthorized access.
See the Oracle online documentation for more details.
Taking a single-user setup on Windows as an example, define the jmxremote.password and jmxremote.access files, then update run.conf.bat:
......
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.authenticate=true"
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.password.file=C:\Path-To-File\jmxremote.password"
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.access.file=C:\Path-To-File\jmxremote.access"
......
jmxremote.password can be copied from JRE_HOME/lib/management/jmxremote.password.template and updated / renamed.
jmxremote.access can be copied from JRE_HOME/lib/management/jmxremote.access and updated with the user defined in jmxremote.password.
With the parameters above enabled, the username and password defined in the jmxremote.password file are required when connecting to the remote JMX URL.
Enabling SSL
See the Oracle [online documentation](http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html#gdemv) for more details. Below is a simple example from a Windows environment:
First, generate a keystore on the JBoss EAP server machine using the following command:
keytool -genkey -alias jboss -keyalg RSA -keystore eap5console.jks -storepass changeMe
Then configure the Java options for the SSL connection. Taking Windows as an example, update run.conf.bat with the lines:
......
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.ssl=true"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStore=C:\Path-To-File\eap5console.jks"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=changeMe"
......
On the JConsole client side, additional SSL configuration is required to launch jconsole:
jconsole -J-Djavax.net.ssl.trustStorePassword=changeMe -J-Djavax.net.ssl.trustStore=/PATH-TO-FILE/eap5console.jks
To verify the SSL connection further, add the -J-Djavax.net.debug=ssl parameter to the command above.
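The settings from Basic Configuration, User Authentication and Enabling SSL can be checked mechanically before a server is exposed. The script below is an added example, not part of the original article or any Red Hat tooling; the function names prop_value and jmx_audit are hypothetical, and it assumes a Unix host on which the password file path in run.conf resolves locally.

```shell
#!/bin/sh
# Added example (not Red Hat's tooling): audit the JMX options in a run.conf.

# prop_value FILE PROPERTY: last value given to -DPROPERTY= on uncommented lines.
prop_value() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')      # match dots literally
    sed -n "/^[[:space:]]*#/d; s/.*-D$name=\([^\" ]*\).*/\1/p" "$1" | tail -n 1
}

# jmx_audit FILE: print findings; exit status is the number of FAIL findings.
jmx_audit() {
    conf=$1; fails=0; p=com.sun.management.jmxremote
    port=$(prop_value "$conf" "$p.port")
    [ -n "$port" ] || { echo "OK: no remote JMX port configured"; return 0; }
    # Once a port is set the JDK defaults authenticate and ssl to true,
    # so only an explicit "false" is reported.
    if [ "$(prop_value "$conf" "$p.authenticate")" = false ]; then
        echo "FAIL: port $port accepts unauthenticated JMX connections"
        fails=$((fails + 1))
    else
        pw=$(prop_value "$conf" "$p.password.file")
        # The JVM refuses to start the agent unless only the owner can read the file.
        if [ -n "$pw" ] && [ "$(ls -ld "$pw" 2>/dev/null | cut -c5-10)" != "------" ]; then
            echo "FAIL: $pw is missing or readable beyond its owner"
            fails=$((fails + 1))
        fi
    fi
    if [ "$(prop_value "$conf" "$p.ssl")" = false ]; then
        echo "FAIL: port $port carries JMX traffic and credentials without SSL"
        fails=$((fails + 1))
    fi
    if [ -n "$(prop_value "$conf" javax.net.ssl.keyStorePassword)" ]; then
        echo "WARN: keystore password is passed on the JVM command line"
    fi
    return "$fails"
}

# Constructed sample: the Basic Configuration lines from this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.ssl=false"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.port=3001"
EOF
jmx_audit "$sample" || echo "FAIL findings: $?"
rm -f "$sample"
```

Run against the Basic Configuration it reports two FAIL findings; a file with authenticate=true, ssl=true and an owner-only password file reports none.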
Logging
The Sun JMX server is known to modify the behavior of java.util.logging, preventing all JUL messages from being logged to server.log. One possible solution is to add the system property java.util.logging.manager=org.jboss.logmanager.LogManager and add jbossas/lib/jboss-logmanager.jar to the JBOSS_CLASSPATH.
Hostname Resolution Issue
If there are hostname resolution issues, try adding:
JAVA_OPTS="$JAVA_OPTS -Djava.rmi.server.hostname=<host ip>"
And for Windows:
set "JAVA_OPTS=%JAVA_OPTS% -Djava.rmi.server.hostname=<host ip>"
Additional Notes
- To monitor multiple instances of JBoss AS running on the same server, each instance needs its own run.conf or JVM startup options. Otherwise you will get an exception regarding the jmxremote.port. This is a limitation in the Sun implementation. See bug_id=6425769 on bugs.sun.com.
- There is a known issue regarding this config setting not working in EAP 4.3.0 CP06. See "Tabs in JConsole are greyed out and inaccessible" for a workaround.
- If using jconsole in a firewalled environment, refer to "Remote JConsole access does not work in a firewalled environment".
[1] http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.