users@glassfish.java.net

RE: GF 2.1 - JMX through firewall

From: Martin Gainty <mgainty_at_hotmail.com>
Date: Fri, 18 Oct 2013 13:31:48 -0400

you should have a JSR-160 JMX Listener pre-configured here is why

 

  <admin-service system-jmx-connector-name="system" type="server">
    <!-- JSR 160 "system-jmx-connector" for ALL ips -->
    <jmx-connector accept-all="false" address="0.0.0.0" auth-realm-name="admin-realm" name="system" port="${JMX_SYSTEM_CONNECTOR_PORT}" protocol="rmi_jrmp" security-enabled="true">
    </jmx-connector>
    <!-- JSR 160 "system-jmx-connector" -->
    <das-config dynamic-reload-enabled="true" dynamic-reload-poll-interval-in-seconds="2" autodeploy-enabled="true" autodeploy-polling-interval-in-seconds="2" autodeploy-dir="${com.sun.aas.instanceRoot}/autodeploy" autodeploy-verifier-enabled="false" autodeploy-jsp-precompilation-enabled="false" deploy-xml-validation="full"/>
  </admin-service>


JMX_SYSTEM_CONNECTOR_PORT is assigned by create-instance command

if you dont specify JMX_SYSTEM_CONNECTOR_PORT i believe the default is 9686 (but dont quote me)

e.g.

asadmin>create-instance --node localhost-domain1
--systemproperties HTTP_LISTENER_PORT=58294:
HTTP_SSL_LISTENER_PORT=58297:
IIOP_LISTENER_PORT=58300:
IIOP_SSL_LISTENER_PORT=58303:
IIOP_SSL_MUTUALAUTH_PORT=58306:
JMX_SYSTEM_CONNECTOR_PORT=58309 pmdcpinst


domain\config\server.policy would contain those perms to grant codebase the connect capability to any IP on any port e.g.

 

grant {

permission java.net.SocketPermission "*", "connect";

...

}

 

processLauncher.xml should contain the JMX.invoke.getters entry as true


    <!-- Default process for AS9.x -->
    <process name="as9-server">
        <sysproperty key="jmx.invoke.getters" value="true"/>


observe the jmxremote_optional.jar is in sharedChainJars for same process


        <!-- sysproperties for the new classloader hierarchy. used in PELaunch -->
        <sysproperty key="com.sun.aas.classloader.sharedChainJars"
        value="javaee.jar,${com.sun.aas.javaRoot}/lib/tools.jar,install/applications/jmsra/imqjmsra.jar,com-sun-commons-launcher.jar,com-sun-commons-logging.jar,${com.sun.aas.imqLib}/jaxm-api.jar,${com.sun.aas.imqLib}/fscontext.jar,${com.sun.aas.imqLib}/imqbroker.jar,${com.sun.aas.imqLib}/imqjmx.jar,${com.sun.aas.imqLib}/imqxm.jar,webservices-rt.jar,webservices-tools.jar,mail.jar,appserv-jstl.jar,jmxremote_optional.jar,${com.sun.aas.jdmkHome}/lib/jdmkrt.jar,activation.jar,appserv-rt.jar,appserv-admin.jar,appserv-cmp.jar,${com.sun.aas.installRoot}/updatecenter/lib/updatecenter.jar,${com.sun.aas.installRoot}/jbi/lib/jbi.jar,${com.sun.aas.imqLib}/imqjmx.jar,${com.sun.aas.antLib}/ant.jar,dbschema.jar"/>

Once you create and start the instance the JMX listener should be casting to JMX agents

asadmin>create-instance

asadmin>start-instance

 

you should see JMX entries popping in the server.log with these params

-Djavax.management.builder.initial=com.sun.enterprise.admin.server.core.jmx.AppServerMBeanServerBuilder
-Djmx.invoke.getters=true


servicC:jmx:rmi:///jndi/rmi://localhost:9686/jmxrmi;|ADM1504: Here is the JMXServiceURL for the Standard JMXConnectorServer: [servicC:jmx:rmi:///jndi/rmi://localhost:9686/jmxrmi]. This is where the remote administrative clients should connect using the standard JMX connectors|#]

 

you should now be able to use remote RMI clients to connect to JMX Service via port <9686>

MG>confirm with netstat -a | grep 9686

 

using jndi that would be jndi/rmi://localhost:9686/jmxrmi

 

let us know you are able to get that far

Martin
______________________________________________


  







> To: users_at_glassfish.java.net
> From: satadru.roy_at_bchydro.com
> Subject: GF 2.1 - JMX through firewall
> Date: Thu, 17 Oct 2013 23:47:43 +0000
>
> This one is about Glassfish 2.1.x and JMX connectivity through
> firewall. Basically, we’re struggling with the random port allocation
> for the RMIServer and a client like VisualVM fails to connect through a
> firewall, even after setting
> -Dcom.sun.aas.jconsole.<instancename>.cbport = <port>, as documented
> here :
> https://blogs.oracle.com/tronds/entry/glassfish_and_jmx_through_a
>
> I was looking around in the codebase and found that in the JSR 160
> connector, the JmxConnectorServerDriver expects the JMX service url to
> be of the form "service:jmx:rmi://localhost:" +
> port1 + "/jndi/rmi://localhost:" + port2 + "/jmxrmi" where port1
> is the RMIserver port and port2 is the JMXConnector RMIRegistry port?
>
> Does this mean VisualVM has to pass in a JMX service URL of this form?

This email and its attachments are intended solely for the personal use of the individual or entity named above. Any use of this communication by an unintended recipient is strictly prohibited. If you have received this email in error, any publication, use, reproduction, disclosure or dissemination of its contents is strictly prohibited. Please immediately delete this message and its attachments from your computer and servers. We would also appreciate if you would contact us by a collect call or return email to notify us of this error. Thank you for your cooperation.
-BCHydroDisclaimerID5.2.8.1541