Monitoring the IDM 3.6.1 JVM with JMX/jconsole

Author Info

28 May 2009 - 2:18pm
Submitted by: ffreitas


The purpose of this Cool Solution is to present a way of enabling JMX on the IDM 3.6.1 JVM on SLES 11, allowing remote monitoring of the JVM itself. The remote monitoring exposes Java memory and heap usage, thread usage, loaded classes and CPU usage, among other things.

It covers both how to monitor a system remotely without any security (useful only in Dev/QA environments) and how to secure the JMX connections with authentication and SSL.

Pre-requisites:

  • IDM 3.6.1 running on SLES 11
  • JDK 1.6 Update 13 or later installed on the machine used to monitor IDM remotely

Preparatory steps on the machine used to monitor IDM

  1. Go to http://java.sun.com. Select Downloads > Java SE.
  2. Download the "Java SE Development Kit (JDK)" for JDK 6 Update 13 (or the current latest version). You will be asked for OS and architecture before you can download it. For this document the rpm.bin file was used.
  3. Open a command prompt and change the permissions of the downloaded file to executable:

     chmod +x <filename>

     then execute the file:

     ./<filename>

  4. After the installation finishes, create a symbolic link from

     /usr/bin/jconsole

     to

     /usr/java/<your jdk build name/number>/bin/jconsole

     as shown below.
Enabling basic IDM JVM monitoring (unsafe)

  1. Log in to iManager.
  2. Click on the Identity Manager Administration icon.
  3. Click on Administration > Identity Manager Overview.
  4. Click on the Search button, then on the driverset name.
  5. Click on Driver Set > Edit Driver Set properties.
  6. Click on the Misc link, then fill the JVM Options field with the following line (it is a single line with no line breaks; the wrapping happens only because it doesn't fit the page width):

     -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false

  7. Click the OK button.
  8. Close iManager and restart ndsd with the command /etc/init.d/ndsd restart
  9. From the machine where JDK 6 was installed, open a command prompt and execute the command jconsole
 10. In the GUI that opens, enter the IP address of the server where IDM is running and the port configured in iManager, for example:

     192.168.30.71:9999

 11. Click Connect; the window below should open.

Note that the steps above disable SSL and authentication for monitoring and control, so they should only be used in Dev/QA environments, never in a production environment. To enable SSL and authentication, perform the following steps.
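
As an added check (not part of the original article), the following POSIX shell script audits a JVM Options line such as the one above and flags the two settings that make it unsafe. It also encodes the JDK defaults that matter later on: when jmxremote.authenticate or jmxremote.ssl is not given at all, the JVM treats it as true. The function names are this script's own; the sample line in the usage comment is the article's unsafe JVM Options line.

```shell
#!/bin/sh
# Added example (not from the original article): audit the JVM Options string
# entered in iManager for unsafe JMX remote-agent settings. Function names are
# this script's own.
#
# JDK defaults when a property is absent:
#   com.sun.management.jmxremote.authenticate -> true
#   com.sun.management.jmxremote.ssl          -> true

# jmx_prop OPTS NAME: print the value of -Dcom.sun.management.jmxremote.NAME=...,
# or nothing when the property is absent. NAME is used inside a sed regex, so
# the dot in password.file matches itself (and, harmlessly, any other character).
jmx_prop() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n "s/^-Dcom\.sun\.management\.jmxremote\.$2=//p" | head -n 1
}

# jmx_audit_opts OPTS: print one finding per line. Returns 0 when the remote
# agent is off, or is both authenticated and SSL-protected; returns 1 when
# either guard is explicitly disabled.
jmx_audit_opts() {
    opts=$1
    port=$(jmx_prop "$opts" port)
    if [ -z "$port" ]; then
        echo "OK: jmxremote.port not set, remote JMX agent is not enabled"
        return 0
    fi
    auth=$(jmx_prop "$opts" authenticate)
    ssl=$(jmx_prop "$opts" ssl)
    pwfile=$(jmx_prop "$opts" password.file)
    rc=0
    echo "INFO: remote JMX agent listens on port $port"
    case ${auth:-true} in
        false)
            echo "UNSAFE: authenticate=false, full read-write access to the MBeans is open to anyone who can reach port $port"
            rc=1 ;;
        *)
            echo "OK: authentication on (password file: ${pwfile:-JRE default lib/management/jmxremote.password})" ;;
    esac
    case ${ssl:-true} in
        false)
            echo "UNSAFE: ssl=false, the monitorRole password and all monitoring data cross the network in clear text"
            rc=1 ;;
        *)
            echo "OK: SSL on (jmxremote.ssl defaults to true when it is not set)" ;;
    esac
    return $rc
}

# Usage: pass the JVM Options line as one quoted argument, e.g.
#   jmx_audit_opts '-Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false'
# reports two UNSAFE findings and returns 1.
```

Run it against each JVM Options line before pasting it into iManager; the authentication-only line of the next section still reports one UNSAFE finding (ssl=false), and only the SSL line at the end of the article comes back clean.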

Enabling roles and authentication

  1. Go to the directory

     /opt/novell/eDirectory/lib64/nds-modules/jre/lib/management

     (64-bit systems) or

     /opt/novell/eDirectory/lib/nds-modules/jre/lib/management

     (32-bit systems).

  2. Copy the file jmxremote.password.template to jmxremote.password, then change the permissions of jmxremote.password so that only the owner can read and write it. This is mandatory for the JVM to accept the file.
  3. The file jmxremote.access defines your access roles, and by default it comes with two roles: monitorRole and controlRole. For this Cool Solution (and to increase security) open that file and comment out the controlRole line.
  4. Now edit the file jmxremote.password. Uncomment the line that contains monitorRole and give it a password. For this example the password will be IDMmonitoring.
  5. At this point IDM needs to be reconfigured in iManager with a different set of properties. To do so, log in to iManager.
  6. Click on the Identity Manager Administration icon.
  7. Click on Administration > Identity Manager Overview.
  8. Click on the Search button, then on the driverset name.
  9. Click on Driver Set > Edit Driver Set properties.
 10. Click on the Misc link, then fill the JVM Options field with the following line (it is a single line with no line breaks; the wrapping happens only because it doesn't fit the page width):

     -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/management/jmxremote.password -Dcom.sun.management.jmxremote.ssl=false

 11. Click the OK button.
 12. Close iManager and restart ndsd with the command /etc/init.d/ndsd restart
 13. From the machine where JDK 6 was installed, open a command prompt and execute the command jconsole
 14. In the GUI that opens, enter the IP address of the server where IDM is running and the port configured in iManager. Also enter the user monitorRole and the password IDMmonitoring, exactly as configured in your password file.
 15. Click Connect; the window below should open.
Enabling SSL communication on top of everything

  1. Create a symbolic link to the keytool utility. The command to do so is:

     ln -s /usr/java/jdk1.6.0_13/bin/keytool /usr/bin/keytool

  2. Create a keystore file and generate a key pair. The command to do so is:

     keytool -genkeypair -alias <certificate name> -keyalg RSA -keysize 2048 -dname 'cn=<server dns name>' -keypass <password> -keystore <filename> -storepass <password>

     For example:

     keytool -genkeypair -alias jmxssl -keyalg RSA -keysize 2048 -dname 'cn=sles11nts' -keypass changeit -keystore /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/jmxkeystore -storepass changeit

  3. At this point IDM needs to be reconfigured in iManager with a different set of properties. To do so, log in to iManager.
  4. Click on the Identity Manager Administration icon.
  5. Click on Administration > Identity Manager Overview.
  6. Click on the Search button, then on the driverset name.
  7. Click on Driver Set > Edit Driver Set properties.
  8. Click on the Misc link, then fill the JVM Options field with the following line (it is a single line with no line breaks; the wrapping happens only because it doesn't fit the page width):

     -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/management/jmxremote.password -Djavax.net.ssl.keyStore=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/jmxkeystore -Djavax.net.ssl.keyStorePassword=changeit

  9. Click the OK button.
 10. Close iManager and restart ndsd with the command /etc/init.d/ndsd restart
 11. Make sure to copy the keystore file to the machine where jconsole will run, then start jconsole using SSL. For jconsole to use SSL it needs the following parameters:

     jconsole -J-Djavax.net.ssl.trustStore=<keystore file path and location> -J-Djavax.net.ssl.trustStorePassword=<keystore password>

     For example:

     jconsole -J-Djavax.net.ssl.trustStore=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/jmxkeystore -J-Djavax.net.ssl.trustStorePassword=changeit

 12. In the GUI that opens, enter the IP address of the server where IDM is running and the port configured in iManager. Also enter the user monitorRole and the password IDMmonitoring, exactly as configured in your password file.
 13. Click Connect; the window below should open.

There are further security configurations and considerations that can make the system even more secure, such as using client certificates, or configuring the firewall to allow connections to the JMX port only when they originate from a specific machine. They are outside the scope of this document.

Another interesting fact is that JMX is a standard for monitoring and managing JVMs. Because of that, it is possible to write your own monitoring program in Java that gathers only the information you need, protects the keystore password, and so forth. A good resource for those wanting to tread this path is Sun's Java SE Monitoring and Management Guide, at http://java.sun.com/javase/6/docs/technotes/guides/management/toc.html .
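
The manual file edits of the "roles and authentication" section and the keystore step of the SSL section, collected into one POSIX shell script as an added example (this is not code from the article or from Novell). It does what the steps above describe: copies the password template with owner-only permissions, uncomments monitorRole with the chosen password, comments out controlRole, and generates the key pair with keytool. The function names, their arguments and the .trust/.cer file names are this script's own; it also goes one step beyond the article by exporting only the certificate into a separate trust store for the jconsole machine, so the server's private key does not have to be copied along with the keystore.

```shell
#!/bin/sh
# Added example (not from the original article): prepare the JMX password and
# access files, generate the SSL keystore, and print the JVM Options line for
# iManager, following the procedure above. Function names and arguments are
# this script's own; the paths in the usage comment are the 64-bit IDM 3.6.1
# layout the article uses.

# jmx_prepare_auth MGMT_DIR PASSWORD
#   copies jmxremote.password.template to jmxremote.password with mode 600
#   (the JVM rejects a password file readable by group or others), uncomments
#   monitorRole with the given password, and comments out controlRole in
#   jmxremote.access, including its backslash-continued lines.
jmx_prepare_auth() {
    mgmt=$1
    pw=$2
    pwfile=$mgmt/jmxremote.password
    access=$mgmt/jmxremote.access

    # umask 077 so the copy is never group/world readable, not even briefly
    (umask 077 && cp "$mgmt/jmxremote.password.template" "$pwfile") || return 1
    chmod 600 "$pwfile"

    # the template carries "# monitorRole  QED"; replace it with the real credential
    # (awk -v expands backslash escapes, so keep backslashes out of the password)
    (umask 077 && awk -v pw="$pw" '
        /^#[[:space:]]*monitorRole/ { print "monitorRole " pw; next }
        { print }
    ' "$pwfile" > "$pwfile.tmp") || return 1
    cat "$pwfile.tmp" > "$pwfile" && rm -f "$pwfile.tmp"

    # switch off the read-write role: comment controlRole and every line that
    # continues it (previous line ending in a backslash)
    awk '
        cont                        { print "# " $0; cont = ($0 ~ /\\[[:space:]]*$/); next }
        /^[[:space:]]*controlRole/  { print "# " $0; cont = ($0 ~ /\\[[:space:]]*$/); next }
        { print }
    ' "$access" > "$access.tmp" && cat "$access.tmp" > "$access" && rm -f "$access.tmp"
}

# jmx_check_password_file FILE: succeed only when the mode is owner-only (600 or
# 400), which is what the JVM enforces before it reads the file.
jmx_check_password_file() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case $mode in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; the JVM requires owner-only access" >&2; return 1 ;;
    esac
}

# jmx_create_keystore KEYSTORE STOREPASS CN [ALIAS]: generate the server key pair
# as in the article, then export just the certificate into KEYSTORE.trust for
# the jconsole machine, so the private key can stay on the server (the article
# copies the whole keystore instead). Requires keytool on PATH.
jmx_create_keystore() {
    ks=$1; storepass=$2; cn=$3; alias=${4:-jmxssl}
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 1; }
    keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -dname "cn=$cn" \
        -keypass "$storepass" -keystore "$ks" -storepass "$storepass" || return 1
    keytool -exportcert -alias "$alias" -keystore "$ks" -storepass "$storepass" -file "$ks.cer" \
        && keytool -importcert -noprompt -alias "$alias" -file "$ks.cer" \
               -keystore "$ks.trust" -storepass "$storepass"
}

# jmx_jvm_options PORT PASSWORD_FILE [KEYSTORE STOREPASS]: the JVM Options line
# for iManager. Without a keystore it is the authentication-only line
# (ssl=false); with one it is the SSL line, where jmxremote.ssl is left at its
# default of true.
jmx_jvm_options() {
    base="-Dcom.sun.management.jmxremote.port=$1 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=$2"
    if [ -n "${3:-}" ]; then
        echo "$base -Djavax.net.ssl.keyStore=$3 -Djavax.net.ssl.keyStorePassword=$4"
    else
        echo "$base -Dcom.sun.management.jmxremote.ssl=false"
    fi
}

# jconsole_ssl_command TRUSTSTORE STOREPASS HOST:PORT: the client-side command line
jconsole_ssl_command() {
    echo "jconsole -J-Djavax.net.ssl.trustStore=$1 -J-Djavax.net.ssl.trustStorePassword=$2 $3"
}

# Usage on a 64-bit IDM 3.6.1 server (password, host name and address are the
# article's sample values):
#   JRE=/opt/novell/eDirectory/lib64/nds-modules/jre
#   jmx_prepare_auth "$JRE/lib/management" IDMmonitoring
#   jmx_check_password_file "$JRE/lib/management/jmxremote.password"
#   jmx_create_keystore "$JRE/lib/security/jmxkeystore" changeit sles11nts
#   jmx_jvm_options 9999 "$JRE/lib/management/jmxremote.password" "$JRE/lib/security/jmxkeystore" changeit
#   jconsole_ssl_command "$JRE/lib/security/jmxkeystore.trust" changeit 192.168.30.71:9999
```

Copy only the generated jmxkeystore.trust file to the jconsole machine and pass it as the trust store; the jmxkeystore file with the private key stays on the server. After restarting ndsd, jmx_check_password_file is the quick thing to run if the JVM logs that it refuses the password file.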


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.




© 2013 Novell