tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: Tomcat JMX connection - Authentication failed.
Date Thu, 13 Jan 2011 13:31:44 GMT
Ok, what I was trying to say is this :

By using the jmxremote.password.file etc.. on the JVM which runs Tomcat, you let this JVM

know which remote user-id's can connect, and what password they should use.

Now, from the client side, when you connect, you have to provide such a valid user-id and

password, to "login" to the server.

If you try the jconsole utility as a client, you will see this on the connection box.

I have no idea how you supply these credentials programmatically from /your/ client, but 
that is what you have to find out.





Ziggy wrote:
> Ok i am stuck now - here is the full configuration
> 
> $CATALINA_BASE/setenv.sh
> ---------------------------
>         CATALINA_OPTS="-Dcom.sun.management.jmxremote.port=18070
> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
> -Dcom.sun.management.jmxremote.ssl=false
> -Dcom.sun.management.jmxremote.authenticate=true
> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access"
>         export CATALINA_OPTS
> 
> $CATALINA_BASE/conf/jmxremote.password
> ---------------------------------------
>         monitorRole monitorpass
>         controlRole controlpass
> 
> $CATALINA_BASE/conf/jmxremote.access
> ---------------------------------------
>         monitorRole readonly
>         controlRole readwrite
> 
> The client tool i am using to access the Tomcat JMX server is running on the
> same machine as the Tomcat instance. when i start tomcat i can see that
> there is something listening at port 18070 but when i try to connect i get
> the following error
> 
>         Exception in thread "main" java.lang.SecurityException:
> Authentication failed! Credentials required
>                 at
> com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticationFailure(JMXPluggableAuthenticator.java:193)
>                 at
> com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticate(JMXPluggableAuthenticator.java:145)
>                 at
> sun.management.jmxremote.ConnectorBootstrap$AccessFileCheckerAuthenticator.authenticate(ConnectorBootstrap.java:185)
>                 at
> javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:213)
> 
> 
> I connect using the following bit of code
> 
> 
>                 try {
>                     url = new
> JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:18070/jmxrmi");
>                     jmxc = JMXConnectorFactory.connect(url,null);
>                     mbsc = jmxc.getMBeanServerConnection();
>                 } catch (MalformedURLException e) {
>                     throw new Exception(methodName + ":" + e);
>                 } catch (IOException e) {
>                     throw new Exception(methodName + ":" + "Failed to
> connect to the Tomcat Server " + e);
>                 }
> 
> It works fine if i set com.sun.management.jmxremote.authenticate=true to
> false. Other than that it just fails. The client tool is running on the same
> machine as the tomcat instance so there should not be any issues with the
> firewall. Any clues
> 
> On Thu, Jan 13, 2011 at 1:20 PM, André Warnier <aw@ice-sa.com> wrote:
> 
>> Ziggy wrote:
>>
>>> Tomcat JMX connection - Authentication failed.
>>>
>>> I am having some problems setting up Tomcat for JMX. I added the following
>>> properties to CATALINA_OPTS
>>>
>>> CATALINA_OPTS="-Dcom.sun.management.jmxremote.port=18070
>>>
>>> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
>>> -Dcom.sun
>>> .management.jmxremote.ssl=false"
>>>
>>> And have added the jmxremote.password file in to the conf directory. I
>>> wrote
>>> a client tool that connects to the JMX server running on port 18070. When
>>> i
>>> run the client program i get the following error.
>>>
>>> Exception in thread "main" java.lang.SecurityException: Authentication
>>> failed! Credentials required
>>>        at
>>>
>> ...
>>
>> Ok, so how does your client provide a username and password to the server's
>> JMX interface, when it connects ?
>>
>>
>>
>>> If i change the CATALINA_OPTS properties to
>>>
>>> CATALINA_OPTS="-Dcom.sun.management.jmxremote.port=18070
>>>
>>> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
>>> -Dcom.sun
>>> .management.jmxremote.ssl=false
>>> -Dcom.sun.management.jmxremote.authenticate=false"
>>>
>>> Then it works fine.
>>>
>> Of course, since then there is no authentication required.
>>
>>
>>
>>  I think what i am confused of is what is classed as
>>
>>> remote access. I am running the client program away from the Tomcat
>>> instance
>>> but both Tomcat and the client tool are on the same machine (i.e.
>>> different
>>> virtual machines but same environemnt). I thought i had to configure the
>>> remote authentication if i access the JMX server remotely from a different
>>> machine.
>>>
>>> By remote access do they mean accessing the JMX server from any VM either
>>> locally on the same machine or remotely from a different machine?
>>>
>>>  I believe that in this context, "remote" just means "via a TCP/IP
>> connection".
>> It does not matter if your client is on the same host or not.  If it
>> accesses the "server" via TCP/IP, then it counts as remote.
>>
>> There is another way to connect, limited to local processes running on the
>> same host, but I forget how it is called or how it works.
>> You can see the distinction pretty clearly by using the "jconsole"
>> application, which is included in the JDK.
>>
>> Note : for the "remote" kind of access, there is another (second) TCP
>> connection used, separate from the port which you indicate with the
>> jmxremote.port parameter.
>> If you are on the same host, it does not matter, but if you really need to
>> connect from another host through a firewall or so, it may.
>> You may want to have a look here for more info :
>>
>> http://download.oracle.com/javase/6/docs/technotes/guides/management/agent.html#gdevo
>> (see the section :  Monitoring Applications through a Firewall)
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message