Symantec Access Management

 View Only

Debugging Java via JMX Console in CA Access Gateway (CA Secure Proxy Server) 

Sep 29, 2014 03:08 AM

The Java JMX Console allows easy diagnosis of JVM problems such as out of memory, and stuck (java) threads.    The following is a discussion showing how to enable JMX monitoring of the JVM in the CA Secure Policy Server.  

 

This is a supplementary article and after being shown how to enable Java JMX for CA Secure Proxy Server, you are referred to the main article about using the JMX Console  https://communities.ca.com/docs/DOC-231150312

 

 

1.1  Overview of JMX settings

 

To enable JMX monitoring, you need to pass the following parameters into the JRE runtime.  The options you need to add are :

 

-Dcom.sun.management.jmxremote

-Dcom.sun.management.jmxremote.port=9004

-Dcom.sun.management.jmxremote.ssl=false

-Dcom.sun.management.jmxremote.authenticate=false

-Djava.rmi.server.hostname=127.0.0.1

 

The above options enable access to JMX for this JVM on host localhost and port 9004, access is enabled from anyone else that is logged onto the same machine.

 

Generally for our purposes that it is enough to secure access - but there are other more advanced access options, including using client X.509 certificates and using UN/ PW.  Which then allow access from remote machines.  Details of all the JMX parameters, including the authentication options can be found here : http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html

 

Enabling JMX for SPS is different for the Windows OS, and for Unix based OS's, so your choice of platform will determine which one of the next two sections is applicable to you.

 

1.2  Enable JMX for Windows SPS Deployment

 

For Win2008 deployment of Secure Proxy Server, the JVM runtime settings are stored in the SmSpsProxyEngine.properties file.  The proxy-engine when run as a Windows Service loads it configuration from this file.  The SmSpsProxyEngine.properties file is located in the <SPSInstallRoot>/proxy-engine/conf directory.

02a1-Location.png

 

The file looks a little like a DOS cmd file, and we add the settings by creating a new variable JMX_TRACE in the file with all of the properties we need (these are all on the one line) :

 

JMX_TRACE=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9004 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=127.0.0.1

 

We then modify the NETE_SPS_PROXYENGINE_CMD setting to include the new JMX_TRACE value :

 

NETE_SPS_PROXYENGINE_CMD="%NETE_SPS_JAVA_HOME%\bin\java.exe" -Xms512m -Xmx1024m -XX:MaxPermSize=256M %JMX_TRACE%  ...

        

Note:  On windows unfortunately the above substitution didn't work recently (the expansion should work, but I guess will need to come back to find out why) instead I now find you have to put all the paramerers physically on the line as per : 

NETE_SPS_PROXYENGINE_CMD="%NETE_SPS_JAVA_HOME%\bin\java.exe" -Xms512m -Xmx1024m -XX:MaxPermSize=256M -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9004 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=127.0.0.1  ...     

It is a bit messier, the variable would be cleaner, but it does work. 

 

For Win2008 the screenshots for editing with notepad++ are as follows, Adding the JMX_TRACE value :

 

02a-Properties.png

 

Including it in the NETE_SPS_PROXYENGINE_CMD command.

 

02b-Properties.png

 

When the Secure Proxy Engine is running, theSmSpsProxyEngine.properties file will be locked, so you will need to stop the service, save the file and restart the service again for the changes to take effect.

 

1.3  Enable JMX for Unix SPS Deployment

 

For Unix deployments we need to add the JMX parameters to the proxyserver.sh file, this is the shell script that starts the proxy-engine.  It is located in the <SPSInstallRoot>/proxy-engine/ directory

 

Note : on Unix there is a deployed conf/SmSpsProxyEngine.properties but it is not used by Unix, I mention this since more than a few times, people have incorrectly added values to the .properties file - causing no change - and some frustration before identifying the problem.

 

03aa-filelocation.png

 


In the proxyserver.sh file, we want to add the JMX_TRACE local variable with the parameters we want to set :

 

JMX_TRACE="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9004 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=127.0.0.1"

 

Note, it is all on one line, and we need to be careful when expanded out , that there is a space before each "-D".

 

Then we want to set that in the

 

$NOHUP_JAVACMD $JVM_MEM_OPTS $JMX_TRACE  $JVM_PERF_OPTS $SPS_TOMCAT_OPTS ...

 

For Linux adding those changes via editor will look like this, Adding the JMX_TRACE local variable:

03a-proxyserver-sh.png

 

Using the JMX_TRACE local variable in the java run command :

 

03b-proxyserver-sh.png


You will need to restart the service for the new settings to take effect.

 

 

 

1.4  Back to the Main Article...

 

You can now pick up the story of using JMX in the following CA Communities post: 

Debugging Java via JMX Console in CA Single Sign On (CA Siteminder)

at: https://communities.ca.com/docs/DOC-231150312


Starting from section "1.4 Testing if JMX is enabled" 

 

The main document will then continue describing how to test if JMX is now enabled, and then how to view your JRE stats via JConsole,

 

Cheers - Mark

Statistics
0 Favorited
1 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.