Re: Another confused person trying to get jconsole to monitor tomcat.
Dear Martin, http://www.jdocs.com/tomcat/6.0.14/org/apache/catalina/ServerFactory.html ServerFactory.getServer() will return org.apache.catalina.ServerFactory Thanks for the information. I changed the mbean server code to make use of all available mbean servers and now my code can always see Tomcat's mbeans as well as the platform ones. Excellent. -- Kees Jan http://java-monitor.com/forum/ [EMAIL PROTECTED] 06-51838192 Rule 1 for being in a hole: stop digging. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Another confused person trying to get jconsole to monitor tomcat.
Dear Mark, I got bitten by this recently. I am working on a LifecycleListener (that can be configured in server.xml) that fixes both ports that are used by jconsole. This makes it much easier to configure firewalls, tunnel through PuTTY etc. If I get it finished in time, it will be in 6.0.19+. If not, a later version. Keep an eye on the change log and/or the dev list. Since you are knowledgeable in the sources for Tomcat, are you aware of any programmatic way to register the Catalina mbeans? I'd like to do so from code, without specifying any command line options. For JBoss I found a special JMXserver class that I can load using reflection. Is there such a thing for Tomcat? -- Kees Jan http://java-monitor.com/forum/ [EMAIL PROTECTED] 06-51838192 The secret of success lies in the stability of the goal. -- Benjamin Disraeli - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Another confused person trying to get jconsole to monitor tomcat.
http://www.jdocs.com/tomcat/6.0.14/org/apache/catalina/ServerFactory.html ServerFactory.getServer() will return org.apache.catalina.ServerFactory concerning LifecycleListener take a look at http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/LifecycleListener.html the events that the LifecycleListener reponds to are listed at http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/Lifecycle.html a brief synopsis of the Lifecycle events described here would be static java.lang.String AFTER_START_EVENT The LifecycleEvent type for the component after start event. static java.lang.String AFTER_STOP_EVENT The LifecycleEvent type for the component after stop event. static java.lang.String BEFORE_START_EVENT The LifecycleEvent type for the component before start event. static java.lang.String BEFORE_STOP_EVENT The LifecycleEvent type for the component before stop event. static java.lang.String DESTROY_EVENT The LifecycleEvent type for the component destroy event. static java.lang.String INIT_EVENT The LifecycleEvent type for the component init event. static java.lang.String PERIODIC_EVENT The LifecycleEvent type for the periodic event. static java.lang.String START_EVENT The LifecycleEvent type for the component start event. static java.lang.String STOP_EVENT The LifecycleEvent type for the component stop event. for these derived components AccessLogValve, AuthenticatorBase, Connector, ContainerBase, DeltaManager, Embedded, ExtendedAccessLogValve, FastCommonAccessLogValve, JDBCAccessLogValve, JvmRouteBinderValve, PersistentManagerBase, RealmBase, SemaphoreValve, SimpleTcpCluster, SingleSignOn, StandardManager, StandardPipeline, StandardServer, StandardService, StoreBase, WebappClassLoader, WebappLoaderthe derived component StandardServer contains documentation located at http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/core/StandardServer.html and supports the following attributes protected java.lang.String domain protected javax.management.MBeanServer mserver protected javax.management.ObjectName oname protected java.lang.String suffix protected java.beans.PropertyChangeSupport support The property change support for this component. protected java.lang.String type which implements the interface you are interested in (javax.management.MBeanRegistration) JavaDoc listed at http://java.sun.com/j2se/1.5.0/docs/api/javax/management/MBeanRegistration.html and registers the MBeanServer located at http://java.sun.com/j2se/1.5.0/docs/api/javax/management/MBeanServer.html you will want to configure your security requirements to ensure accessing each attribute is permittable such as what is described in catalina.policy here grant codeBase file:${catalina.home}/- { ... permission java.util.PropertyPermission javax.management.MBeanServer, read,write; permission javax.management.MBeanServerPermission *; permission javax.management.MBeanPermission *, *; permission javax.management.MBeanTrustPermission register; ... }; Martin __ Disclaimer and confidentiality note Everything in this e-mail and any attachments relates to the official business of Sender. This transmission is of a confidential nature and Sender does not endorse distribution to any party other than intended recipient. Sender does not necessarily endorse content contained within this transmission. From: [EMAIL PROTECTED] To: users@tomcat.apache.org Subject: Re: Another confused person trying to get jconsole to monitor tomcat. Date: Thu, 2 Oct 2008 20:26:16 +0200 Dear Mark, I got bitten by this recently. I am working on a LifecycleListener (that can be configured in server.xml) that fixes both ports that are used by jconsole. This makes it much easier to configure firewalls, tunnel through PuTTY etc. If I get it finished in time, it will be in 6.0.19+. If not, a later version. Keep an eye on the change log and/or the dev list. Since you are knowledgeable in the sources for Tomcat, are you aware of any programmatic way to register the Catalina mbeans? I'd like to do so from code, without specifying any command line options. For JBoss I found a special JMXserver class that I can load using reflection. Is there such a thing for Tomcat? -- Kees Jan http://java-monitor.com/forum/ [EMAIL PROTECTED] 06-51838192 The secret of success lies in the stability of the goal. -- Benjamin Disraeli - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL
Re: Another confused person trying to get jconsole to monitor tomcat.
Tim Funk wrote: vnc might have acceptable performance. Not sure if you'd run into issue by installing vncserver. -Tim Bill Davidson wrote: Tim Funk wrote: An easy kludge is to run jconsole locally on the server and send the display to yourself. ssh -Y yourserver (or ssh -X server YMMV) $JAVA_HOME/bin/jconsole pid No iptables tricks needed. I'm running the client on a Windows machine. I did try Cygwin/X and an ssh tunnel with Putty. The performance was bad enough to be effectively unusable. I got bitten by this recently. I am working on a LifecycleListener (that can be configured in server.xml) that fixes both ports that are used by jconsole. This makes it much easier to configure firewalls, tunnel through PuTTY etc. If I get it finished in time, it will be in 6.0.19+. If not, a later version. Keep an eye on the change log and/or the dev list. Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Another confused person trying to get jconsole to monitor tomcat.
Bill Davidson wrote: I've been through the docs. I've been through Google. I can't seem to figure this out. Server: Tomcat 6.0.18, JDK: 1.6.0_07, Redhat Server 5.2 Client: jconsole from JDK 1.6.0_07 on Windows XP I've got all of these in $CATALINA_OPTS and they do show up in the java command line when I run ps: -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=12345 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false The Redhat server is running iptables and disallows most things that aren't 80/443. Any other ports that are needed are generally opened up only to specific IP's. I've opened up the JMX port specified above on the Linux firewall: iptables -A INPUT -s myClientsIp -p tcp -m tcp --dport 12345 -j ACCEPT I run jconsole: C:\PathToJava\binjconsole myServer.myDomain.com:12345 It can't make the connection. I've got a feeling it's something to do with the firewall. I've seen some stuff that suggests that there's another unspecified port opened up but it didn't really make sense to me. Note that the server and the client are at different facilities connected over the internet which is why I eventually want to get it going with authentication and SSL but I can't even get this simple insecure version of the connection to work. Add some logging to your firewall configuration to see what is being dropped. Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Another confused person trying to get jconsole to monitor tomcat.
On 21 Aug 2008, at 09:25, Mark Thomas wrote: Bill Davidson wrote: I've been through the docs. I've been through Google. I can't seem to figure this out. Server: Tomcat 6.0.18, JDK: 1.6.0_07, Redhat Server 5.2 Client: jconsole from JDK 1.6.0_07 on Windows XP I've got all of these in $CATALINA_OPTS and they do show up in the java command line when I run ps: -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=12345 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false The Redhat server is running iptables and disallows most things that aren't 80/443. Any other ports that are needed are generally opened up only to specific IP's. I've opened up the JMX port specified above on the Linux firewall: iptables -A INPUT -s myClientsIp -p tcp -m tcp --dport 12345 -j ACCEPT I run jconsole: C:\PathToJava\binjconsole myServer.myDomain.com:12345 It can't make the connection. I've got a feeling it's something to do with the firewall. I've seen some stuff that suggests that there's another unspecified port opened up but it didn't really make sense to me. Note that the server and the client are at different facilities connected over the internet which is why I eventually want to get it going with authentication and SSL but I can't even get this simple insecure version of the connection to work. Add some logging to your firewall configuration to see what is being dropped. That should help, but it's likely to be a different port in use each time. Because JMX uses RMI by default, and RMI uses two ports: a fixed port to initiate the connection and then a secondary (random) port for data transfer. This is a real pain to get working. -Dom - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Another confused person trying to get jconsole to monitor tomcat.
Dominic Mitchell wrote: On 21 Aug 2008, at 09:25, Mark Thomas wrote: Bill Davidson wrote: I've been through the docs. I've been through Google. I can't seem to figure this out. Server: Tomcat 6.0.18, JDK: 1.6.0_07, Redhat Server 5.2 Client: jconsole from JDK 1.6.0_07 on Windows XP I've got all of these in $CATALINA_OPTS and they do show up in the java command line when I run ps: -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=12345 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false The Redhat server is running iptables and disallows most things that aren't 80/443. Any other ports that are needed are generally opened up only to specific IP's. I've opened up the JMX port specified above on the Linux firewall: iptables -A INPUT -s myClientsIp -p tcp -m tcp --dport 12345 -j ACCEPT I run jconsole: C:\PathToJava\binjconsole myServer.myDomain.com:12345 It can't make the connection. I've got a feeling it's something to do with the firewall. I've seen some stuff that suggests that there's another unspecified port opened up but it didn't really make sense to me. Note that the server and the client are at different facilities connected over the internet which is why I eventually want to get it going with authentication and SSL but I can't even get this simple insecure version of the connection to work. Add some logging to your firewall configuration to see what is being dropped. That should help, but it's likely to be a different port in use each time. Because JMX uses RMI by default, and RMI uses two ports: a fixed port to initiate the connection and then a secondary (random) port for data transfer. This is a real pain to get working. There are tricks you can play with iptables to allow that. The down-side is that it isn't as secure. Mark - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Another confused person trying to get jconsole to monitor tomcat.
On 21 Aug 2008, at 09:25, Mark Thomas wrote: Add some logging to your firewall configuration to see what is being dropped. Dominic Mitchell wrote: That should help, but it's likely to be a different port in use each time. Because JMX uses RMI by default, and RMI uses two ports: a fixed port to initiate the connection and then a secondary (random) port for data transfer. This is a real pain to get working. Mark Thomas wrote: There are tricks you can play with iptables to allow that. The down-side is that it isn't as secure. Thanks everyone. Is this random port opened by the server side (Tomcat) or the client side (jconsole) or is there some other program running in there to make my life difficult? Is there a way to configure Tomcat or jconsole, as applicable, to use the same specified second port every time? What are the tricks that can be played with iptables? I'm guessing they involve opening up a range of ports? I'll still be limiting it to one or at most 2-3 IP addresses. Once I get SSL and authentication going, that may be secure enough. BTW, I'm not real good at iptables and this is the first time I've tried to play with JMX. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Another confused person trying to get jconsole to monitor tomcat.
An easy kludge is to run jconsole locally on the server and send the display to yourself. ssh -Y yourserver (or ssh -X server YMMV) $JAVA_HOME/bin/jconsole pid No iptables tricks needed. -Tim Bill Davidson wrote: Is this random port opened by the server side (Tomcat) or the client side (jconsole) or is there some other program running in there to make my life difficult? Is there a way to configure Tomcat or jconsole, as applicable, to use the same specified second port every time? What are the tricks that can be played with iptables? I'm guessing they involve opening up a range of ports? I'll still be limiting it to one or at most 2-3 IP addresses. Once I get SSL and authentication going, that may be secure enough. BTW, I'm not real good at iptables and this is the first time I've tried to play with JMX. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Another confused person trying to get jconsole to monitor tomcat.
Dear Bill, I've been through the docs. I've been through Google. I can't seem to figure this out. Server: Tomcat 6.0.18, JDK: 1.6.0_07, Redhat Server 5.2 Client: jconsole from JDK 1.6.0_07 on Windows XP I've got all of these in $CATALINA_OPTS and they do show up in the java command line when I run ps: -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=12345 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false The Redhat server is running iptables and disallows most things that aren't 80/443. Any other ports that are needed are generally opened up only to specific IP's. I've opened up the JMX port specified above on the Linux firewall: iptables -A INPUT -s myClientsIp -p tcp -m tcp --dport 12345 -j ACCEPT I run jconsole: C:\PathToJava\binjconsole myServer.myDomain.com:12345 It can't make the connection. I've got a feeling it's something to do with the firewall. I've seen some stuff that suggests that there's another unspecified port opened up but it didn't really make sense to me. Note that the server and the client are at different facilities connected over the internet which is why I eventually want to get it going with authentication and SSL but I can't even get this simple insecure version of the connection to work. I just spent a few hours trying to figure this out myself. The problem you are facing is that RMI uses dynamic port allocation. The port you are specifying is that of the RMI registry, which only acts as a naming service. The actual JMX port is dynamically chosen by the RMI registry, so opening a single port on the firewall does not actually help. The simple case will never work for your environment. You have to go SSL for this to even work. Here is a blog post by Daniel Fuchs with a step-by-step for ssl and single port RMI http://blogs.sun.com/jmxetc/entry/jmx_connecting_through_firewalls_using In the end I just gave up and I now open the firewall between my dev machine's IP and the test machine's IP when I need jconsole. I have better things to do with my time than fight RMI. :-/ -- Kees Jan http://java-monitor.com/forum/ [EMAIL PROTECTED] 06-51838192 Human beings make life so interesting. Do you know that in a universe so full of wonders, they have managed to invent boredom. Quite astonishing... -- Terry Partchett - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Another confused person trying to get jconsole to monitor tomcat.
Tim Funk wrote: An easy kludge is to run jconsole locally on the server and send the display to yourself. ssh -Y yourserver (or ssh -X server YMMV) $JAVA_HOME/bin/jconsole pid No iptables tricks needed. I'm running the client on a Windows machine. I did try Cygwin/X and an ssh tunnel with Putty. The performance was bad enough to be effectively unusable. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Another confused person trying to get jconsole to monitor tomcat.
vnc might have acceptable performance. Not sure if you'd run into issue by installing vncserver. -Tim Bill Davidson wrote: Tim Funk wrote: An easy kludge is to run jconsole locally on the server and send the display to yourself. ssh -Y yourserver (or ssh -X server YMMV) $JAVA_HOME/bin/jconsole pid No iptables tricks needed. I'm running the client on a Windows machine. I did try Cygwin/X and an ssh tunnel with Putty. The performance was bad enough to be effectively unusable. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]