Option 2: Setting up JMX with client authentication without SSL

In this option, you activate JMX on Apache Tomcat with client authentication based on a user ID and password, without SSL.

About this task

The property that controls authentication is com.sun.management.jmxremote.authenticate, which must be set to true. Authentication is then managed by two additional properties, com.sun.management.jmxremote.access.file and com.sun.management.jmxremote.password.file, and the configuration files that they point to.

You can use two sample files, jmxremote.access and jmxremote.password.template, for user roles and passwords. These sample files are provided in the JazzInstallDir/server/jre/lib/management directory. The jmxremote.access file defines the allowed access for different roles, and the jmxremote.password file defines the roles and their passwords. To be functional, a role must have an entry in both the password and the access files.

Note: The default location for these files is the JazzInstallDir/server/jre/lib/management directory. You can choose an alternate location by specifying a property in the management configuration file: JazzInstallDir/server/jre/lib/management/management.properties.

Procedure

  1. Go to JazzInstallDir/server/jre/lib/management and back up the jmxremote.access and jmxremote.password.template files.
  2. Rename jmxremote.password.template to jmxremote.password.
  3. Change the permission of jmxremote.password to read-only by the owner.
    Important: Because there are cleartext passwords stored in the jmxremote.password file, this file must be readable only by the owner; otherwise, the program closes with an error.
    Example of the jmxremote.access file:
    monitorRoleUser   readonly
    controlRoleUser   readwrite \
                  create javax.management.monitor.*,javax.management.timer.* \
                  unregister
    Example of the jmxremote.password file:
    monitorRoleUser  pass1
    controlRoleUser  pass2
  4. Go to the JazzInstallDir/server directory and open server.startup for editing.
  5. Add the following JAVA_OPTS lines to the file:
    Linux:
    
    # for JMX monitoring
    JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote=true"
    JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.port=1099"
    JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.ssl=false"
    JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
    JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.access.file=Path_to_access_file/jmxremote.access"
    JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.password.file=Path_to_password_file/jmxremote.password"
    
    Microsoft Windows:
    
    rem for JMX monitoring
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote=true
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.port=1099
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.ssl=false
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.authenticate=true
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.access.file=Path_to_access_file\jmxremote.access
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.password.file=Path_to_password_file\jmxremote.password
    Note: In this option, the com.sun.management.jmxremote.authenticate property is set to true for user authentication connections.
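
The checks implied by steps 1 to 3, as an added example that is not part of the original documentation: a Python script (POSIX permissions assumed) that flags a jmxremote.password file accessible to group or others and any role that is missing from either file. The function names and the sample file contents in demo() are constructed for illustration, and entries are assumed to be whitespace-separated as in the examples above.

```python
import stat
import tempfile
from pathlib import Path


def parse_roles(path):
    """Return the role names (first token of each entry) in an access or password file."""
    roles, continued = set(), False
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if continued:  # continuation of the previous entry, not a new role
                continued = line.endswith("\\")
                continue
            if not line or line.startswith("#"):
                continue
            roles.add(line.split()[0])
            continued = line.endswith("\\")
    return roles


def audit(access_path, password_path):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    mode = stat.S_IMODE(Path(password_path).stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{password_path}: mode {mode:o} grants group/other access")
    access, passwords = parse_roles(access_path), parse_roles(password_path)
    for role in sorted(access - passwords):
        findings.append(f"{role}: in access file but has no password entry")
    for role in sorted(passwords - access):
        findings.append(f"{role}: has a password but no access entry")
    return findings


def demo():
    """Audit constructed sample files before and after applying steps 2 and 3."""
    access = ("monitorRoleUser   readonly\n"
              "controlRoleUser   readwrite \\\n"
              "    create javax.management.monitor.*,javax.management.timer.* \\\n"
              "    unregister\n")
    with tempfile.TemporaryDirectory() as d:
        a, p = Path(d, "jmxremote.access"), Path(d, "jmxremote.password")
        a.write_text(access)
        p.write_text("monitorRoleUser  pass1\n")  # controlRoleUser left out on purpose
        p.chmod(0o644)  # world-readable: the state that step 3 corrects
        before = audit(a, p)
        p.write_text("monitorRoleUser  pass1\ncontrolRoleUser  pass2\n")
        p.chmod(0o400)  # step 3: readable only by the owner
        return before, audit(a, p)
```

Calling audit() with the real paths under JazzInstallDir/server/jre/lib/management, or with the alternate location you configured, returns the same kind of findings list.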

Results

With this configuration, connecting with JConsole over JMX requires you to specify either the monitorRoleUser or the controlRoleUser user and its password in JConsole.
  1. To start a new JConsole connection, go to the JAVA_HOME/jdk/bin directory and start JConsole.
  2. In the Remote Process field, enter service:jmx:rmi:///jndi/rmi://host:1099/jmxrmi.
  3. Enter the user name and password and then click Connect.
