App Server and JConsole

This text applies to Sun Java System Application Server (Platform and Enterprise Editions), versions 8.2 and 9.0. We refer to both as "app server" unless specified otherwise.

The app server administration (management and monitoring) is based on JMX. This means that the managed components are represented as MBeans. In addition, beginning with Java SE 5.0, the JVM itself is monitorable, so you can view the JVM MBeans to understand what's going on there. To expose this instrumentation, app server has a configuration of the Standard JMX Connector Server called the "System JMX Connector Server". When app server starts up, an instance of this Connector Server starts up and exposes the instrumentation to trusted clients.

JConsole is a popular JMX Connector client that can manage a JMX backend. It has been part of the standard JDK distribution since Java SE 5.0.

Thus, by default, app server is the server end of the JMX Connector, and JConsole is the preferred client end. This text shows how to make that connection succeed.

Before we dive into it, let's consider a few things:

  • There are subtle differences in how to connect to app server, or to any JMX Connector Server end, depending on the transport layer security of the connection. If the server end is secure (i.e. guarantees transport layer security), there is a little more that the client has to do.
  • By default, the System JMX Connector Server in the Platform Edition of app server (any release after 8.1) is insecure.
  • By default, the System JMX Connector Server in the Enterprise Edition of app server (any release after 8.1) is secure.
  • The instructions are specific to the security characteristics of the System JMX Connector Server.
  • The protocol used in communication is RMI/JRMP over SSL. It is important to note that RMI over SSL does not provide any additional facility to make sure that the client is talking to the intended server. Thus, when using JConsole there is always a possibility that you are sending the user name and password to a malicious host. It is completely up to the administrator to make sure that security is not compromised in the given environment.

The setup has two ends:

  • A server end, where app server is installed and started. Let's imagine that the app server domain of interest is installed on a machine named "badwater.sfbay.sun.com", which is a powerful Solaris server.
  • A client end, which also has an app server installation. Let's imagine that this is a Windows machine with Java SE 5.0 and app server installed. The app server installation is needed only when your app server domain has security enabled on the remote machine (the Enterprise Edition default). If you just want to administer a Platform Edition domain on the Solaris machine above, you don't need the app server installation on this client machine.

It is quite possible that the server and client ends are on the same machine, in which case "localhost" can be used to specify the host.

The System JMX Connector Server Configuration

When you install a PE domain on a machine like "badwater.sfbay.sun.com", you'll see the following in the domain.xml of the DAS (Domain Administration Server, also called the admin server or simply the domain):

     <!-- The JSR 160 "system-jmx-connector" -->
     <jmx-connector accept-all="false" address="0.0.0.0" auth-realm-name="admin-realm" enabled="true" name="system" port="8686" protocol="rmi_jrmp" security-enabled="false"/>
     <!-- The JSR 160 "system-jmx-connector" -->

When you install an EE domain on a machine like "badwater.sfbay.sun.com", you'll see the following in the domain.xml of the DAS:

     <!-- The JSR 160 "system-jmx-connector" -->
     <jmx-connector accept-all="false" address="0.0.0.0" auth-realm-name="admin-realm" enabled="true" name="system" port="8686" protocol="rmi_jrmp" security-enabled="true">
       ...
     </jmx-connector>
     <!-- The JSR 160 "system-jmx-connector" -->

Thus, the only difference is the security-enabled flag.
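As an added example (not part of the original post or of the app server distribution), this Python script reads a domain.xml and reports every enabled jmx-connector whose security-enabled flag leaves the connection without transport layer security. The sample document and the config names pe-domain and ee-domain are constructed, and reading an absent attribute in the riskier way is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <jmx-connector> elements shown above, placed in
# hypothetical <config> elements (pe-domain, ee-domain) inside one document.
SAMPLE = """<domain>
 <config name="pe-domain">
  <jmx-connector accept-all="false" address="0.0.0.0" auth-realm-name="admin-realm"
   enabled="true" name="system" port="8686" protocol="rmi_jrmp" security-enabled="false"/>
 </config>
 <config name="ee-domain">
  <jmx-connector accept-all="false" address="0.0.0.0" auth-realm-name="admin-realm"
   enabled="true" name="system" port="8686" protocol="rmi_jrmp" security-enabled="true"/>
 </config>
</domain>"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_jmx_connectors(xml_text):
    """Return one finding per enabled <jmx-connector>; 'issues' is empty if none."""
    findings = []
    for config in ET.fromstring(xml_text).iter("config"):
        for conn in config.iter("jmx-connector"):
            # Assumption: when an attribute is absent, take the riskier reading
            # (connector enabled, security off, listening on all interfaces).
            if conn.get("enabled", "true").lower() != "true":
                continue  # skip connectors marked disabled
            address = conn.get("address", "0.0.0.0")
            issues = []
            if conn.get("security-enabled", "false").lower() != "true":
                issues.append("security-enabled is not true: no transport layer "
                              "security for the admin user name and password")
                if address not in LOOPBACK:
                    issues.append("insecure connector listens on non-loopback "
                                  "address " + address)
            findings.append({"config": config.get("name"),
                             "connector": conn.get("name"),
                             "address": address,
                             "port": conn.get("port"),
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_jmx_connectors(SAMPLE):
        status = "; ".join(f["issues"]) or "ok"
        print("%(config)s/%(connector)s %(address)s:%(port)s" % f, "->", status)
```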

Instructions for Insecure System JMX Connector Server (Default PE Configuration)

This is straightforward. As said above, you just need JConsole; no app server installation is needed on the client machine.

  1. Start the domain on badwater.sfbay.sun.com.
  2. Start JConsole on the client using JDK-HOME\bin\jconsole.
  3. Enter 8686 as the port, the domain's admin user name as the user name, and the domain's admin password as the password.
  4. Click on Connect.
  5. You can now see all your MBeans, VM information, etc. in the various tabs.

Instructions for Secure System JMX Connector Server (Default EE Configuration)

  1. It is this case that needs the installation of app server on the client host.
  2. The only reason you need it is to let JConsole know where the server certificate of the Domain Admin Server that you trust is located. To obtain that certificate, you need to invoke at least one "remote" asadmin command, and to do that you need the local installation.
  3. Start the EE domain on badwater.sfbay.sun.com. Note that this is the EE domain, so the System JMX Connector Server is secure.
  4. Run local-install-dir\bin\asadmin list --user admin --secure=true --host badwater.sfbay.sun.com --port 4849 (the admin port) server. (The list command is chosen for the sake of brevity; you could choose any remote command.) This will prompt you to accept the certificate sent by the Domain Admin Server on badwater.sfbay.sun.com. You trust this server. When you accept it by pressing 'y', the server's certificate is stored in a file called .asadmintruststore in your home directory on the client machine. This step is not required if your server machine and client machine are the same, e.g., you are starting JConsole on badwater.sfbay.sun.com as well.
  5. Now let JConsole know the trust store location by starting it as follows:
    1. JDK-DIR\bin\jconsole.exe -J-Djavax.net.ssl.trustStore="C:\Documents and Settings\me\.asadmintruststore"
  6. The remaining steps are the same as for the insecure connector above.

That's it!
