Monitoring the IDM 3.6.1 JVM with JMX/jconsole



By: ffreitas

May 28, 2009 3:18 pm


The purpose of this Cool Solution is to present a way of enabling JMX on the IDM 3.6.1 JVM on SLES 11, allowing remote monitoring of the JVM itself. Remote monitoring exposes Java memory and heap usage, thread usage, loaded classes and CPU usage, among other things.

It covers both how to monitor a system remotely without any security (useful only in Dev/QA environments) and how to secure the JMX connection, through authentication and through SSL.

Pre-requisites:

  • IDM 3.6.1 running on SLES 11
  • JDK 1.6 Update 13 or later installed on the machine used to monitor IDM remotely

Contents:

Preparatory steps on the machine used to Monitor IDM

  1. Go to http://java.sun.com. Select Downloads > Java SE.

  2. Download the “Java SE Development Kit (JDK)” for JDK 6 Update 13 (or the current latest version). You will be asked for OS and Architecture before you can download it.

  3. For this document the rpm.bin file was used.

  4. Open a command prompt and make the downloaded file executable with

    chmod +x <filename>

    then execute the file by typing

    ./<filename>

  5. After the installation finishes, create a symbolic link from

    /usr/bin/jconsole

    to

    /usr/java/<your jdk build name/number>/bin/jconsole

    as shown below.

Enabling basic IDM JVM monitoring (unsafe)

  1. Log in to iManager.
  2. Click on the Identity Manager Administration icon.

  3. Click on Administration > Identity Manager Overview.

  4. Click on the Search button, then on the driverset name.

  5. Click on Driver Set > Edit Driver Set properties.

  6. Click on the Misc link, then fill the JVM Options field with the following line (it is a single line with no line breaks; the wrapping happens because it doesn't fit the page width):
     
    -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false

  7. Click the OK button
  8. Close iManager and restart ndsd with the command /etc/init.d/ndsd restart
  9. From the machine where JDK6 was installed, open a command prompt and execute the command jconsole
  10. In the GUI that opens, enter the IP address of the server where IDM is running and the port configured in iManager. For example:
    192.168.30.71:9999

  11. Click Connect; the window below should open.

Now, the steps above disable SSL and authentication for monitoring and control, so they should only be used in Dev/QA environments, never in production. To enable SSL and authentication we need to perform the following steps:

Enabling roles and authentication

  1. Go to the directory
    /opt/novell/eDirectory/lib64/nds-modules/jre/lib/management

    (64 bit systems) or

    /opt/novell/eDirectory/lib/nds-modules/jre/lib/management

    (32 bit systems)

  2. Copy the file jmxremote.password.template to jmxremote.password, then change the permissions of jmxremote.password so that only the owner can read and write to it. This is mandatory for the file to be used by the JVM.

  3. The file jmxremote.access defines your access roles, and by default it comes with two roles: monitorRole and controlRole. For this Cool Solution (and to increase security) open that file and comment out the controlRole line.

  4. Now edit the file jmxremote.password. Uncomment the line that contains the monitorRole and give it a password. For this example the password will be IDMmonitoring.

  5. At this point, we need to re-configure IDM in iManager with a different set of properties. To do so, log in to iManager.
  6. Click on the Identity Manager Administration icon.

  7. Click on Administration > Identity Manager Overview.

  8. Click on the Search button, then on the driverset name.

  9. Click on Driver Set > Edit Driver Set properties.

  10. Click on the Misc link, then fill the JVM Options field with the following line (it is a single line with no line breaks; the wrapping happens because it doesn't fit the page width):
     
    -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/management/jmxremote.password -Dcom.sun.management.jmxremote.ssl=false

  11. Click the OK button
  12. Close iManager and restart ndsd with the command /etc/init.d/ndsd restart
  13. From the machine where JDK6 was installed, open a command prompt and execute the command jconsole
  14. In the GUI that opens, enter the IP address of the server where IDM is running and the port configured in iManager. Also enter the user monitorRole and the password IDMmonitoring, as configured in your password file.

  15. Click Connect; the window below should open.

Enabling SSL communication on top of everything

  1. Create a symbolic link to the keytool utility. The command to do so is:

    ln -s /usr/java/jdk1.6.0_13/bin/keytool /usr/bin/keytool

  2. Create a keystore file and generate a key pair. The command to do so is:

    keytool -genkeypair -alias <certificate name> -keyalg RSA -keysize 2048 -dname 'cn=<server dns name>' -keypass <password> -keystore <filename> -storepass <password>

    For example:

    keytool -genkeypair -alias jmxssl -keyalg RSA -keysize 2048 -dname 'cn=sles11nts' -keypass changeit -keystore /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/jmxkeystore -storepass changeit

  3. At this point, we need to re-configure IDM in iManager with a different set of properties. To do so, log in to iManager.
  4. Click on the Identity Manager Administration icon.

  5. Click on Administration > Identity Manager Overview.

  6. Click on the Search button, then on the driverset name.

  7. Click on Driver Set > Edit Driver Set properties.

  8. Click on the Misc link, then fill the JVM Options field with the following line (it is a single line with no line breaks; the wrapping happens because it doesn't fit the page width):
     
    -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/management/jmxremote.password -Djavax.net.ssl.keyStore=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/jmxkeystore -Djavax.net.ssl.keyStorePassword=changeit

  9. Click the OK button
  10. Close iManager and restart ndsd with the command /etc/init.d/ndsd restart
  11. Make sure to copy the keystore file to the machine where jconsole will run, then start jconsole using SSL. For jconsole to use SSL it needs the following parameters:
    jconsole -J-Djavax.net.ssl.trustStore=<keystore file path and location> -J-Djavax.net.ssl.trustStorePassword=<keystore password>

      For example:

    jconsole -J-Djavax.net.ssl.trustStore=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/jmxkeystore -J-Djavax.net.ssl.trustStorePassword=changeit

  12. In the GUI that opens, enter the IP address of the server where IDM is running and the port configured in iManager. Also enter the user monitorRole and the password IDMmonitoring, as configured in your password file.

  13. Click Connect; the window below should open.

There are further security configurations and considerations that can be taken to make the system even more secure, like using client certificates, configuring the firewall to allow connections to the JMX port only if they originate from a certain machine, and so forth. They are outside of the scope of this document.
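The following audit script is an added example, not part of the original article, that checks what the authentication and SSL sections above require: the mode of jmxremote.password, that controlRole stays commented out in jmxremote.access, and that the JVM Options line keeps authentication on, names the audited password file and does not turn SSL off. The management directory, file contents and options lines it feeds itself are constructed samples; the real paths on an IDM server are the ones given in the steps above.

```shell
#!/bin/sh
# Added audit script (not from the article). $1 = directory holding jmxremote.access and
# jmxremote.password, $2 = the JVM Options line entered in iManager.
# Returns 0 when every check passes, 1 otherwise; each finding is printed.
jmx_audit() {
    mgmt_dir=$1; jvm_opts=$2; rc=0
    pw_file="$mgmt_dir/jmxremote.password"; access_file="$mgmt_dir/jmxremote.access"
    # 1. The JVM only accepts a password file readable and writable by its owner alone.
    if [ ! -f "$pw_file" ]; then
        echo "FAIL: $pw_file missing"; rc=1
    elif [ "$(stat -c %a "$pw_file")" != "600" ]; then
        echo "FAIL: $pw_file has mode $(stat -c %a "$pw_file"), expected 600"; rc=1
    fi
    # 2. controlRole (readwrite) should stay commented out so the monitor cannot invoke operations.
    if grep -Eq '^[[:space:]]*controlRole[[:space:]]+readwrite' "$access_file" 2>/dev/null; then
        echo "FAIL: controlRole is still active in $access_file"; rc=1
    fi
    # 3. Authentication must be on and the password file must be the one audited here.
    case " $jvm_opts " in
        *" -Dcom.sun.management.jmxremote.authenticate=true "*) ;;
        *) echo "FAIL: jmxremote.authenticate is not true"; rc=1 ;;
    esac
    case " $jvm_opts " in
        *" -Dcom.sun.management.jmxremote.password.file=$pw_file "*) ;;
        *) echo "FAIL: jmxremote.password.file does not point at $pw_file"; rc=1 ;;
    esac
    # 4. SSL is on by default; ssl=false sends credentials in clear, and SSL needs a keystore.
    case " $jvm_opts " in
        *" -Dcom.sun.management.jmxremote.ssl=false "*)
            echo "FAIL: jmxremote.ssl=false, credentials and data travel in clear"; rc=1 ;;
        *" -Djavax.net.ssl.keyStore="*) ;;
        *) echo "FAIL: SSL enabled but no javax.net.ssl.keyStore given"; rc=1 ;;
    esac
    return $rc
}
# Constructed sample files (a stand-in for the real management directory) using the
# article's monitorRole/IDMmonitoring pair. $2 = file mode, $3 = "active" keeps controlRole.
make_sample_mgmt() {
    mkdir -p "$1"
    if [ "$3" = "active" ]; then ctl="controlRole readwrite"; else ctl="# controlRole readwrite"; fi
    printf 'monitorRole readonly\n%s\n' "$ctl" > "$1/jmxremote.access"
    printf 'monitorRole IDMmonitoring\n' > "$1/jmxremote.password"
    chmod "$2" "$1/jmxremote.password"
}
# Demo: the article's unsafe first line is rejected, its final SSL line is accepted.
d=$(mktemp -d); make_sample_mgmt "$d/m" 600 commented
jmx_audit "$d/m" "-Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false" || echo "unsafe line rejected"
jmx_audit "$d/m" "-Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=$d/m/jmxremote.password -Djavax.net.ssl.keyStore=$d/jmxkeystore -Djavax.net.ssl.keyStorePassword=changeit" && echo "SSL line accepted"
rm -rf "$d"
```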

Another interesting fact is that JMX is a standard for monitoring and managing JVMs. Because of that, it is possible to write your own monitoring program in Java that gathers only the information you need, protects the keystore password, and so forth. A good resource for those wanting to tread this path is Sun's Java SE Monitoring and Management Guide, at http://java.sun.com/javase/6/docs/technotes/guides/management/toc.html .


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
