Layer7 API Management

Enable JMX monitoring access to the API Gateway JVM 

Dec 14, 2018 12:13 AM

Just a quick article on how to enable JConsole and JVisualVM access to the Gateway JVM - since I found some twists were needed to get it working.

 

 

1. Introduction 

As part of some load testing I was doing, I wanted some fairly basic stats on the Gateway Java JVM. Previously I've used JMX Console to get a quick view of the JVM as it's responding to load. Usually enabling JMX access is fairly simple, but I found a few twists, so here are the steps I followed.

 

For my testing I wanted to allow JMX access from localhost, and to then use port forwarding from an ssh login so I could run the client part (jconsole/jvisualvm) on my desktop machine. There are other security models, username/password and certificate-based ones, to restrict access if restricting access to localhost only is not applicable to your setup (see link at end).

 

Note: The main take-home message of this article, if you are already used to a JMX setup, is that for tunneled access the extra RMI parameter -Dcom.sun.management.jmxremote.rmi.port=9024 is needed. That is not generally documented in most of the links I searched through.

 

 

1. Setting up JMX Parameters to pass into Gateway JVM

 

1.1 How you "should" be able to set JVM properties - and it probably does work, but I've missed something simple.

 

On startup, the gateway service runs:

/opt/SecureSpan/Gateway/runtime/bin/gateway.sh   

And this runs the shell files in the directory:

/opt/SecureSpan/Gateway/runtime/etc/profile.d

 

So adding an extra one, jmxprofile.sh, that sets these parameters should work:

 

cd /opt/SecureSpan/Gateway/runtime/etc/profile.d

[root@odoma04-gw profile.d]# cat jmxprofile.sh

 

# Settings for JMX Profile

JMX_OPTS="-Dcom.sun.management.jmxremote"
JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.port=9024"

JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.rmi.port=9024"
JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.local.only=false"
JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
JMX_OPTS="${JMX_OPTS} -Djava.rmi.server.hostname=127.0.0.1"

SSG_JAVA_OPTS="${SSG_JAVA_OPTS} ${JMX_OPTS}"

export SSG_JAVA_OPTS

 

That "should" have worked, but for me I must have missed something, file permissions or something like that.  Anyway I had trouble and after an hour, gave up, and bypassed it, but it will be some simple misspelling or similar I am sure.  

 

1.2 How I set the JVM properties - my workaround for not getting step 1.1 to work.

 

Eventually I edited :

/opt/SecureSpan/Gateway/runtime/bin/gateway.sh

 

and added those parameters directly into the file:


JMX_OPTS="-Dcom.sun.management.jmxremote"
JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.port=9024"
JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.rmi.port=9024"
JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.local.only=false"
JMX_OPTS="${JMX_OPTS} -Dcom.sun.management.jmxremote.authenticate=false"
JMX_OPTS="${JMX_OPTS} -Djava.rmi.server.hostname=127.0.0.1"
JAVA_OPTS="${JAVA_OPTS} ${JMX_OPTS}"

 

Note the highlighted extra -Dcom.sun.management.jmxremote.rmi.port=9024 parameter.

 

 

 

2. Restart the Gateway Service and verify the parameters are added

Then restart the gateway service : 

service ssg restart

And then check that the JMX parameters have been added to the running JVM: 

ps -ef | grep Gateway.jar 
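
An added example (not part of the original article) that automates this check: it pulls the JMX properties out of the JVM command line, confirms that rmi.port matches port, and flags any non-loopback listener on that port when authenticate=false, since java.rmi.server.hostname only sets the address advertised to clients and not the interface the agent listens on. The function names and the sample `ps`/`ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit JMX flags on a JVM command line.

# Print the value of -D<name>=<value> from a command line (empty if absent).
jvm_prop() {  # $1 = command line, $2 = property name
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -v k="-D$2=" 'index($0, k) == 1 { v = substr($0, length(k) + 1) }
                          END { print v }'
}

# $1 = JVM command line, $2 = `ss -ltn` output. Returns 0 if nothing is flagged.
jmx_audit() {
    p=com.sun.management.jmxremote
    port=$(jvm_prop "$1" "$p.port")
    rmi=$(jvm_prop "$1" "$p.rmi.port")
    auth=$(jvm_prop "$1" "$p.authenticate")
    rc=0
    [ -n "$port" ] || { echo "INFO: remote JMX port not set"; return 0; }
    # Without a pinned rmi.port the RMI server picks a random second port,
    # which a single forwarded port cannot reach.
    if [ "$rmi" != "$port" ]; then
        echo "WARN: rmi.port='$rmi' does not match port=$port"; rc=1
    fi
    # Field 4 of `ss -ltn` is the local address:port of each listener.
    binds=$(printf '%s\n' "$2" | awk -v s=":$port" '$1 == "LISTEN" &&
        substr($4, length($4) - length(s) + 1) == s { print $4 }')
    while IFS= read -r b; do
        case "$b" in
            ''|127.*|'[::1]:'*) ;;  # no listener, or loopback only
            *) if [ "$auth" = "false" ]; then
                   echo "FAIL: unauthenticated JMX listening on $b"; rc=1
               fi ;;
        esac
    done <<EOF
$binds
EOF
    return $rc
}

# Constructed samples (not captured from a real gateway).
SAMPLE_CMD='java -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9024 -Dcom.sun.management.jmxremote.rmi.port=9024 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=127.0.0.1 -jar Gateway.jar'
SS_WILDCARD='LISTEN 0 50 *:9024 *:*'
SS_LOOPBACK='LISTEN 0 50 127.0.0.1:9024 0.0.0.0:*'

# On the gateway: jmx_audit "$(ps -eo args | grep '[G]ateway.jar')" "$(ss -ltn)"
jmx_audit "$SAMPLE_CMD" "$SS_WILDCARD" || true
```

A FAIL line means the port is reachable from other hosts without credentials unless a host firewall blocks it; in that case restrict it at the firewall or use one of the authentication schemes linked at the end.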

 

 

3. Setup SSH access to forward port 9024 to the gateway

In putty or similar, we set up ssh to tunnel from the local machine on 9024 to forward to localhost:9024 on the gateway:

 

 

Then start a putty session to the remote API Gateway machine.   Once you are connected it's best to get to the console access and run some command, such as "top" that keeps the connection active.  

 

 

4. Run JVisualVM on your desktop machine.

 

Clearly you need a roughly compatible version of the JDK on your PC, but it is not too fussy. From the Java JDK installed on your local machine you can use either JVisualVM or JConsole:

Navigate to the bin directory of the JDK install, locate the JVisualVM.exe file, and double click that:

 

For JVisualVM, to connect, we pick "Add JMX Connection" and put in "localhost:9024"

 

 

If you have your putty tunnel active then hopefully you see some stats from the remote JVM e.g: 

 

 

5. Run JConsole 

 

Again for jconsole, you need a roughly compatible version of the JDK on your PC. From the bin directory of the Java JDK installed on your local machine, locate the JConsole.exe file, and double click that:

 

For JConsole, to connect, we pick "Remote Process" and put in "localhost:9024"

 

 

Then hopefully it too displays statistics from the remote Gateway JVM : 

 

 

6. Additional Links

 

Discussion of JMX access using various authentication schemes : 

java - Is a good idea to enable jmx (lambda probe) on a production server? - Stack Overflow 

 

StackOverflow basic howto link: 

java - How to activate JMX on my JVM for access with jconsole? - Stack Overflow 

 

Enabling JMX on CA Single-Sign-On Components:

Debugging Java via JMX Console in CA Single Sign On (CA Siteminder) 

Debugging Java via JMX Console in CA Access Gateway (CA Secure Proxy Server) 

 

 

Cheers - Mark
