Symantec Access Management

Debugging Java via JMX Console in CA Access Gateway (CA Secure Proxy Server) 

09-29-2014 03:08 AM

The Java JMX Console allows easy diagnosis of JVM problems such as out of memory, and stuck (java) threads.    The following is a discussion showing how to enable JMX monitoring of the JVM in the CA Secure Policy Server.  


This is a supplementary article and after being shown how to enable Java JMX for CA Secure Proxy Server, you are referred to the main article about using the JMX Console



1.1  Overview of JMX settings


To enable JMX monitoring, you need to pass the following parameters into the JRE runtime.  The options you need to add are :



The above options enable access to JMX for this JVM on host localhost and port 9004, access is enabled from anyone else that is logged onto the same machine.


Generally for our purposes that it is enough to secure access - but there are other more advanced access options, including using client X.509 certificates and using UN/ PW.  Which then allow access from remote machines.  Details of all the JMX parameters, including the authentication options can be found here :


Enabling JMX for SPS is different for the Windows OS, and for Unix based OS's, so your choice of platform will determine which one of the next two sections is applicable to you.


1.2  Enable JMX for Windows SPS Deployment


For Win2008 deployment of Secure Proxy Server, the JVM runtime settings are stored in the file.  The proxy-engine when run as a Windows Service loads it configuration from this file.  The file is located in the <SPSInstallRoot>/proxy-engine/conf directory.



The file looks a little like a DOS cmd file, and we add the settings by creating a new variable JMX_TRACE in the file with all of the properties we need (these are all on the one line) : -Djava.rmi.server.hostname=


We then modify the NETE_SPS_PROXYENGINE_CMD setting to include the new JMX_TRACE value :


NETE_SPS_PROXYENGINE_CMD="%NETE_SPS_JAVA_HOME%\bin\java.exe" -Xms512m -Xmx1024m -XX:MaxPermSize=256M %JMX_TRACE%  ...


Note:  On windows unfortunately the above substitution didn't work recently (the expansion should work, but I guess will need to come back to find out why) instead I now find you have to put all the paramerers physically on the line as per : 

NETE_SPS_PROXYENGINE_CMD="%NETE_SPS_JAVA_HOME%\bin\java.exe" -Xms512m -Xmx1024m -XX:MaxPermSize=256M -Djava.rmi.server.hostname=  ...     

It is a bit messier, the variable would be cleaner, but it does work. 


For Win2008 the screenshots for editing with notepad++ are as follows, Adding the JMX_TRACE value :




Including it in the NETE_SPS_PROXYENGINE_CMD command.




When the Secure Proxy Engine is running, file will be locked, so you will need to stop the service, save the file and restart the service again for the changes to take effect.


1.3  Enable JMX for Unix SPS Deployment


For Unix deployments we need to add the JMX parameters to the file, this is the shell script that starts the proxy-engine.  It is located in the <SPSInstallRoot>/proxy-engine/ directory


Note : on Unix there is a deployed conf/ but it is not used by Unix, I mention this since more than a few times, people have incorrectly added values to the .properties file - causing no change - and some frustration before identifying the problem.




In the file, we want to add the JMX_TRACE local variable with the parameters we want to set :


JMX_TRACE=" -Djava.rmi.server.hostname="


Note, it is all on one line, and we need to be careful when expanded out , that there is a space before each "-D".


Then we want to set that in the




For Linux adding those changes via editor will look like this, Adding the JMX_TRACE local variable:



Using the JMX_TRACE local variable in the java run command :



You will need to restart the service for the new settings to take effect.




1.4  Back to the Main Article...


You can now pick up the story of using JMX in the following CA Communities post: 

Debugging Java via JMX Console in CA Single Sign On (CA Siteminder)


Starting from section "1.4 Testing if JMX is enabled" 


The main document will then continue describing how to test if JMX is now enabled, and then how to view your JRE stats via JConsole,


Cheers - Mark

0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.