Setting up the server side is well documented in the Oracle Monitoring and Management Using JMX Technology documentation. Using it from a client is not so well documented.
Server set up
The Liberty jvm.options file needs parameters. Note the port=9010 is used by clients accessing the data.
To provide insecure access from only the local machine
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.local.only=true -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.ssl.need.client.auth=false
To provide securer access using TLS
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.ssl.need.client.auth=true # the following statements point to the same key store as # used by mqweb server. This could be different. -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStore=/home/colinpaice/ssl/ssl2/mqweb.p12 -Djavax.net.ssl.keyStorePassword=password # the following statements point to the same trust store as # used by mqweb server. This could be different. # if you used self signed certificates you could have a keystore # just for the JMX users -Djavax.net.ssl.trustStore=/home/colinpaice/ssl/ssl2/trust.jks -Djavax.net.ssl.trustStorePassword=zpassword -Djavax.net.ssl.trustStoreType=JKS # The following defines the userid and password file # Only the owner can have access to it -Dcom.sun.management.jmxremote.password.file=/home/colinpaice/ssl/ssl2/jmxremote.password # The following defines the access a userid can have # Only the owner can have access to it -Dcom.sun.management.jmxremote.access.file=/home/colinpaice/ssl/ssl2/jmxremote.access
jmxremote.password has
# specify actual password instead of the text password monitorRole password controlRole password
jmxremote.access has
# The "monitorRole" role has readonly access. # The "controlRole" role has readwrite access. monitorRole readonly controlRole readwrite
Client set up
jconsole
You cannot pass a userid and password when the jconsole command, so you have to disable authentication in the jvm.options file
-Dcom.sun.management.jmxremote.authenticate=false
The parameters for jconsole have -J on them, as in -J-D…. . jconsole removes the -J and uses the rest of the parameters when invoking the JVM.
I could not get jconsole to recognize a config file using the -J-Dcom.sun.management.config.file = /path/to/jmxremote.properties , so I wrote a bash script to make it easier to change parameters.
ssl1="-Djavax.net.ssl.keyStore=/home/colinpaice/ssl/ssl2/colinpaice.p12" ssl2="-Djavax.net.ssl.keyStorePassword=password" ssl3="-Djavax.net.ssl.keyStoreType=pkcs12" ssl4="-Djava.util.logging.config.file=/home/colinpaice/JMXQuery/java/logging.file" ssl5="-Djavax.net.ssl.trustStore=/home/colinpaice/ssl/ssl2/trust.jks" ssl6="-Djavax.net.ssl.trustStorePassword=zpassword" ssl7="-Djavax.net.ssl.trustStoreType=jks" ssl8="-J-Djavax.net.debug=ssl:handshake" jconsole -J$ssl1 -J$ssl2 -J$ssl3 -J$ssl4 -J$ssl5 -J$ssl6 -J$ssl7 $ssl8 127.0.0.1:9010
The option “-J-Djavax.net.debug=ssl:handshake” gives a verb verbose trace of the ssl flows for the handshake.
The option -J-Djava.util.logging.config.file=/home/colinpaice/JMXQuery/java/logging.file enables the jconsole logging. I did not find the output very useful.
There is information the logger in general here, and on the file logger, here.
The logging.file had
Logging.properties handlers= java.util.logging.FileHandler // , java.util.logging.ConsoleHandler2 java.util.logging.FileHandler.pattern=/home/colinpaice/JMXQuery/java/log.%g.file java.util.logging.FileHandler.limit=50000 java.util.logging.FileHandler.count=2 java.util.logging.FileHandler.level=ALL java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter // .level = INFO // logger.level = FINEST .level = FINEST // Use FINER or FINEST for javax.management.remote.level - FINEST is // very verbose... javax.level= FINER javax.management.level = FINER javax.management.remote.* = FINER javax.management.remote.level = FINER javax.management.remote.misc.level = FINER javax.management.remote.rmi.level= FINER
Using jmxquery
I used a bash shell script to run the command, as it was easier to manage, and I could not find a way of having the java system properties in a file.
ssl1="-Djavax.net.ssl.keyStore=/home/colinpaice/ssl/ssl2/ibmsys1.p12" ssl2="-Djavax.net.ssl.keyStorePassword=password" ssl3="-Djavax.net.ssl.keyStoreType=pkcs12"les ssl4="-Djava.util.logging.config.file=/home/colinpaice/JMXQuery/java/logging.file" ssl5="-Djavax.net.ssl.trustStore=/home/colinpaice/ssl/ssl2/trust.jks" ssl6="-Djavax.net.ssl.trustStorePassword=zpassword" ssl7="-Djavax.net.ssl.trustStoreType=jks" ssl8="-Djavax.net.debug=ssl:handshake" jar="-jar JMXQuery.jar" user="-username monitorRole -password password" url="-url service:jmx:rmi:///jndi/rmi://127.0.0.1:9010/jmxrmi" parms=" -q WebSphere:* -count 2 -every 2" java $ssl1 $ssl2 $ssl3 $ssl4 $ssl5 $ssl6 $ssl7 $ssl8 $jar $url $user $parms
4 thoughts on “Setting up Liberty(as used in mqweb) to use native JMX”