What is the JVM SNMP Agent?

In a future blog, I'll tell you more about managing Tiger or Mustang JVMs through SNMP. For the time being, here are a few words to clarify what the Tiger and Mustang JVM SNMP Agent is.

The JVM SNMP Agent is a built-in SNMPv2c agent that exposes the Management and Monitoring API of the JVM through SNMP. The JVM SNMP agent exposes a single MIB, which is the JVM-MANAGEMENT-MIB. It can be started through system properties when launching the JVM. It can be configured through Java properties as explained here.

The built-in SNMP agent of the JVM is not extensible. You will not be able to use it in order to expose your own MIB. If you want to expose your own MIB through SNMP, you will need to use a Java SNMP toolkit such as the Java Dynamic Management Kit. Examples of using the Java Dynamic Management Kit to implement SNMP MIBs can be found here.

Note: In a future blog, I will explain how you could use a toolkit such as the Java DMK to expose the JVM-MANAGEMENT-MIB, alongside your own custom MIB, through SNMPv3. But this is a story for another day.

The JVM built-in SNMP agent is an SNMPv2c agent, which means that it only has basic SNMPv2 security - based on a host Access Control List (ACL) file. Since it is relatively easy to forge UDP packets, this means that if you enable the JVM SNMP agent, the only way to keep it secure is to make sure that it binds only to the loopback interface (which is the default - but you can make sure it does by setting com.sun.management.snmp.interface to 127.0.0.1).
When bound to the loopback interface, the SNMP agent can only receive packets that come from the loopback interface itself, and can therefore only respond to managing applications that both:

  1. run on the same machine
  2. send requests from the loopback interface itself

See [SNMP Monitoring and Management Properties] and [Access Control List File] for more info on the JVM SNMP agent configuration.
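An added example (not code from the original post or from the JDK): a small Python audit of a JVM command line against the two controls described above, the loopback bind and the ACL. The sample command lines are constructed; the `com.sun.management.snmp.acl.file` property comes from the JDK's SNMP documentation rather than this post, and the owner-only permission test is a POSIX approximation.

```python
import ipaddress
import os
import stat

PREFIX = "-Dcom.sun.management.snmp."

def parse_snmp_flags(jvm_args):
    # Collect com.sun.management.snmp.* system properties from JVM arguments.
    props = {}
    for arg in jvm_args:
        if arg.startswith(PREFIX):
            key, _, value = arg[len(PREFIX):].partition("=")
            props[key] = value.strip()
    return props

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unresolved hostname: not provably loopback

def audit_snmp_agent(jvm_args):
    """Return a list of findings for one JVM command line."""
    props = parse_snmp_flags(jvm_args)
    if "port" not in props:
        return []  # SNMP agent not enabled, nothing to audit
    findings = []
    # The post states that an unset interface defaults to loopback.
    iface = props.get("interface", "127.0.0.1")
    if not is_loopback(iface):
        findings.append(f"agent bound to non-loopback interface {iface}")
    # ACL checking stays on unless the property is explicitly false.
    if props.get("acl", "true").lower() == "false":
        findings.append("ACL checking disabled")
    acl_file = props.get("acl.file")
    if acl_file and os.path.exists(acl_file):
        mode = stat.S_IMODE(os.stat(acl_file).st_mode)
        if mode & 0o077:  # POSIX only: any group/other permission bit set
            findings.append(f"ACL file {acl_file} accessible beyond owner ({oct(mode)})")
    return findings

# Constructed sample command lines (not taken from the post).
SAMPLES = {
    "default-loopback": ["java", "-Dcom.sun.management.snmp.port=8090", "Listener"],
    "exposed-no-acl": ["java", "-Dcom.sun.management.snmp.port=8090",
                       "-Dcom.sun.management.snmp.interface=0.0.0.0",
                       "-Dcom.sun.management.snmp.acl=false", "Listener"],
}
```

Calling `audit_snmp_agent(SAMPLES["exposed-no-acl"])` reports both the non-loopback bind and the disabled ACL; the default command line yields no findings.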

The main reason that pushed us to expose the SNMP agent only as a black-box agent is compatibility. As I have outlined in a previous blog, simple is not always easy, and SNMP is a good example of this. Opening the JVM SNMP agent to expose custom SNMP MIBs would thus have required adding a significant number of new APIs to one of the related JSRs, JSR 163 or JSR 174, to which they did not precisely belong, or most likely would have required starting a new JSR for these APIs.

As you surely know, adding new APIs to the Java Platform is no small thing: compatibility with previous versions of the Java Platform is one of the main commitments we have. That's why a Java program written 10 years ago under a different OS, and on different hardware, can still be run today on Java SE 6 (Mustang)! And we do want to keep it that way. This means that we must be careful about what we put in the Java Platform, because we will be stuck with it forever!

I hope I've been able to answer some of the questions you had about the JVM SNMP Agent!

Cheers to all
-- daniel

Update: Dmitri Maximovitch has written an excellent article explaining how to use MRTG to monitor the JVM through the JVM SNMP Agent.

Comments:

Hi Daniel, Hope you are reading this post. I would like to know how much overhead (memory, CPU etc) will be added to a Java process if the JVM SNMP agent is enabled? Does Sun have any data about this? Thx, CK

Posted by CK on May 14, 2006 at 06:44 AM CEST #

Hi,

I haven't performed any specific measurements with regards to memory & performance, but this is what I can tell you from the architecture of the agent itself:

The SNMP agent is essentially passive. This means that as long as it is not accessed by an SNMP manager, it will not consume any CPU.

The SNMP adaptor itself listens on a DatagramSocket - and uses an internal thread pool - so the cost of a passive agent in terms of resources is essentially that.

The MIB also gets registered by default in the agent - that is, as soon as the JVM starts, but it is a hollow shell - the actual data is computed 'on-demand' when SNMP requests are received. When it needs to be accessed, the data is pulled from the M&M API (java.lang.management MXBeans) and stored in weak caches (this data can therefore be garbage collected at the next GC invocation). Hope this partly answers your questions.

Note: an experiment that you could do is start a JVM and connect with JConsole, without enabling the SNMP agent, and then start another JVM with the SNMP agent enabled. Switch between the two and look at the difference!

With Mustang it shows:

  • 1 more thread
  • memory consumption quasi identical
  • CPU consumption identical
  • ~100 additional loaded classes

These figures were obtained for a passive agent which did not receive any requests.

Maybe I should plan to blog about this :-)

Cheers,

Posted by dfuchs on May 15, 2006 at 04:33 AM CEST #

Thanks for your explanation. Look forward to your blog about the JVM SNMP agent measurement. Great to see JSE 5 and above have this nice feature. Rdgs, CK

Posted by CK on May 19, 2006 at 10:01 AM CEST #

Hi Daniel, I am new to SNMP :) definitely it is not simple. Here is my Q, I am having trouble starting the SNMP agent with snmp.acl. So I disabled acl and ran a simple java program with -Dcom.sun.management.snmp.port=8090 -verbose that indicates loading of SnmpStandardObjectServer. Well here are several Qs: 1. If acl is disabled would I still be able to monitor/manage the JVM using an SNMP Manager? 2. In order to manage/monitor the JVM I need an SNMP Manager, what tools can I use to run an SNMP Manager?

Posted by Irene Levina on February 22, 2007 at 11:31 AM CET #

Hi Irene,

I wrote a blog for you: JVM Monitoring: JMX or SNMP?
Concerning ACL, yes you can monitor the JVM through SNMP with ACL disabled - but then you really have no security at all. Do not do this unless you are inside a secure network (e.g, an intranet) - or protected by a firewall.
See the link about configuring the SNMP agent in my article.

Best regards,
-- daniel

Posted by daniel on February 23, 2007 at 08:59 AM CET #

Hi Friends I want 1 help, How to write a program of SNMP Manager, how to implement this, in my project. Plz give the response ASAP to my mail-id Advance Thanks

Posted by Murali on March 02, 2007 at 04:02 AM CET #

Hi Murali, please see this entry: JVM Monitoring: JMX or SNMP?

Posted by daniel on March 02, 2007 at 04:22 AM CET #

Hi Daniel, I need to develop model MBeans to convert the JMX output to SNMP traps. The JDMK already has SNMP APIs. Please advise how to go about it :) Thanks!

Posted by pooja on April 24, 2007 at 06:15 AM CEST #

hi

When I tried to run the JVM's SNMP agent using the following command, I got an error like this.

C:\java>java -Dcom.sun.management.snmp.port=161 Listener
Error: Password file read access must be restricted: C:\Program Files\Java\jre1.5.0_09\lib\management\snmp.acl

What to do, to come out of this.
Thanks & regards
Shankar

Posted by shankar on December 11, 2007 at 10:32 AM CET #

Hi Shankar,

You have 2 possibilities:

1) If you are behind a firewall in a secure environment - you can disable ACL checking by passing:
-Dcom.sun.management.snmp.acl=false

2) If you want to run in a secure mode, you must arrange for your snmp.acl file to be readable by you and only you. If you're unsure on how to do that on Windows platform - see the instruction here: http://java.sun.com/javase/6/docs/technotes/guides/management/security-windows.html
Make sure to pick up the right set of instructions (XP Professional Edition versus XP Home Edition).
I believe the 2nd method (using cacls) works for both.

Hope this helps,
-- daniel

Posted by daniel on December 12, 2007 at 02:29 AM CET #

Hi Daniel,

I would like to expose the JVM-MANAGEMENT-MIB through SNMPv3 but I don't know how to proceed.

I first thought about forwarding requests to the JVM SNMP port configured to accept requests from localhost only but I am sure you have a better solution for this problem...

Best regards

Mickael

Posted by Mickael on October 27, 2008 at 10:53 AM CET #

Hi Daniel,

I have a java application, and I want to expose some of its data by SNMP.. how do I start??

Do i need to write my own MIB?? if yes,then where should that MIB be kept?? and if i need to get and set OID's for that MIB by "snmp4j api",should that MIB be compiled by some compiler??

I also have something to ask u about MBean.. i somewhere read that,if i write my own MIB, i also need to write my own MBean specific to that MIB..what is it??

please give me some details..

thank you

Posted by raj on November 17, 2008 at 01:44 AM CET #

Hey Daniel,

This is in reference to the above question..

I also have IANA number assigned,

thank you

Posted by raj on November 17, 2008 at 01:55 AM CET #

Hi Mickael,

I believe forwarding requests to the SNMP v2c JVM agent bound to the local interface is the best way to go.

Cheers,

-- daniel

Posted by daniel on November 17, 2008 at 02:47 AM CET #

Hi Raj,

It works this way:

1) determine what information you want to expose
2) do some research to find out whether there's already a standard MIB defined to expose that kind of information.
3) If there isn't, then you will need to define your own MIB.
4) once you have your MIB, select an SNMP toolkit/library that will help you expose that information through SNMP. OpenDMK http://opendmk.dev.java.net/ contains such a toolkit. OpenDMK is the open source version of the Java Dynamic Management Kit (Java DMK). You can look at the doc/examples of the Java DMK evaluation version (they also work with OpenDMK).

To 'implement' an SNMP MIB with OpenDMK you will use the 'mibgen' code generator: 'mibgen' takes the textual MIB file as input and generates metadata and skeleton classes. You will have to fill-up/subclass the generated skeletons to retrieve the actual values that must be returned.

For instance if you defined an object called 'blah' in your MIB, mibgen will generate a method called getBlah() for which you will have to provide a real implementation (I'm simplifying a bit, but that's the spirit).

Hope this helps,

-- daniel

Posted by daniel on November 17, 2008 at 02:59 AM CET #

Hi Daniel,

Thank you so so much for that answer, now I have an idea about where to start..

I was trying a few things out with JavaDMK, is it not possible with JavaDMK, is OpenDMK the solution for this??

thank you so much for your post, I will try those things out and get back to you if I am stuck somewhere

thank you, thanks a lot

Posted by raj on November 17, 2008 at 04:05 AM CET #

Hi,

No, there is nothing more in OpenDMK than in JavaDMK, it's the same code - the license is different.

-- daniel

Posted by daniel on November 17, 2008 at 04:16 AM CET #

Even though I'm starting the JVM SNMP agent, the SNMP server is not able to get the values from the agent (for ex: threadcount)

Is there a way to find out whether the agent is running properly?

Posted by Sanjay on May 12, 2009 at 06:38 AM CEST #

@Sanjay

Sorry for the late reply. You can switch on the SNMP traces - and see what happens when you send your SNMP request.
http://blogs.sun.com/jmxetc/entry/traces_in_the_jvm_snmp

If the agent does not respond - it may be because it's using an ACL list in which your management console is not registered.
http://java.sun.com/javase/6/docs/technotes/guides/management/snmp.html

-- daniel

Posted by daniel on June 15, 2009 at 03:28 AM CEST #

Daniel,
My company wants to use nagiosX1 as the SNMP monitor for Websphere. What are your thoughts on that? Do you have any suggestions?

Posted by Ellen Kies on March 31, 2010 at 03:16 PM CEST #

Daniel,
I used jconsole to monitor the application server. Question: which app server is it monitoring? We have 4 application servers processing on that system. Please help.
Also, the OID information to enter into Nagios: where would I get that, is that from SNMP? What do I bring up to see that information?

Posted by Ellen on April 01, 2010 at 10:15 AM CEST #

About

Daniel Fuchs blogs on Scene Builder, JMX, SNMP, Java, etc...

The views expressed on this blog are those of the author and do not necessarily reflect the views of Oracle.
