tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: JMX with Listener
Date Tue, 11 Dec 2012 18:25:11 GMT
Hash: SHA256


On 12/11/12 1:08 PM, Cédric Couralet wrote:
>> Okay.
>>> Now for my problems or questions: - Apparently, the Jmx
>>> listener listens on (confirmed by a netstat) on the two
>>> ports configured for the listener, is it normal ? I thought
>>> that useLocalPorts would restrain the listening only to
>> useLocalePorts /should/ force (actually "localhost"... 
>> whatever that resolves to on your server). Can you confirm that
>> you are editing the correct server.xml? If you edit it in one
>> place and then deploy it, please make sure you have the latest
>> version installed under CATALINA_BASE/conf.
> So it should force, ok !

No, it forces the hostname "localhost". That might mean on
your system. Try "host localhost" and see what happens.

>>> - with jvisualvm i am able to connect through jmx with the url 
>>> service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
without entering the credentials (nagios:nagios).
>>> I thought that by entering 
>>>, even read
>>> access would be restricted.
>> I think you need to double-check that you are actually using the 
>> configuration you think you are.
> I think too now :) i'll double check it.
> Is there a way to dump the jmx configuration in the jvm? It happens
> on all the tomcat in use (a lot) and i'm quite sure I am not
> mistaken the server.xml for every one of them.

You can see which ports are which using netstat. I don't believe you
can ask for the port numbers for your JMX listeners via JMX: you just
check the ports actually in use. You can check all the system
properties, of course, using jvisualvm.

> One question, though, in the tomcat doc (for 6.0.x) for the 
> JMXRemoteListener, the configuration is :
> while mine is
(notice the {} ).
> is it my mistake?

As long as a bash-like shell is interpreting it, the {} will not
interfere: they are just an explicit notation to the shell where the
environment variable's name begins and ends.

>> Another note: using traditional JMX with Nagios is going to suck.
>> You are probably going to make, say, 5 connections to your server
>> every minute to check on things like heap size, request-time,
>> etc. Each of those connections requires a complete JMX connection
>> which is not cheap to make -- especially if the client is running
>> on the same server. That's 5 JVMs, 5 JMX connections, etc. every
>> minute (or 5 or whatever).
> We don't really use nagios as is. We use check_MK, an agent
> installed on the  host for which i developped a plug in to get only
> the informations I want, with one connection to JMX (thus my need
> to restrict to localhost).

Gotcha. check_MK looks interesting, especially because you get RRD
databases for free. Hooray graphs!

>> If you just want to make some quick checks, consider looking at
>> the JMXProxyServlet which is provided by the manager webapp. I
>> believe it will be a much lighter-weight solution (and does not
>> require all of this crazy setup to configure JMX authentication,
>> etc.).
> Some ancient rules force us to disactivate the manager webapp
> (those rules originated from some vulnerabilities with the manager
> webapp I believe), but i'm trying to get it back with the
> appropriate security, evebn if only to ease deployments :).

Note that you can enable access only to the JMXProxyServlet by simply
not allowing users to access other resources (like deploy/undeploy, etc.).

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with undefined -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message