Failed to Connect to a Payara JVM via Jconsole

[Benjamin E.Ndugga]

I am trying to cross from glassfish to Payara but I am required to implement monitoring as we seem to be blind on the number of threads we are running at a time, therefore I am trying to use JMX to allow me expose this data and from the forums online I have set these properties in the start-up JVM and tried to access via Jconsole but it has failed

-Dcom.sun.management.jmxremote.port=<host_port>
-Dcom.sun.management.jmxremote.authenticate=false 
-Dcom.sun.management.jmxremote.ssl=false 
-Djava.rmi.server.hostname=<host_ip>

[Mike Croft]

What was the actual problem? You shouldn't need to specify anything, Payara Server will automatically expose JMX over port 8686 by default. Here's a guide on JMX monitoring:
https://docs.payara.fish/documentation/user-guides/monitoring/enable-jmx-monitoring.html

[Ondrej Mihályi]

Mike,

I think that the problem was that accessing JMX over the network requires secure connection, similar to accessing Admin Console over the network. Benjamin confirmed that he can access JMX locally using a terminal.

--
You received this message because you are subscribed to the Google Groups "Payara Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to payara-forum+unsubscribe@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/payara-forum/e7d88828-a2ce-43ca-87af-1755ee7a4d7a%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Ondrej Mihályi]

Just now I realized that I forgot to keep the mailing list in the loop.

Posting history of our communication with Benjamin which I accidentally turned into a private one.

Ondro

2017-09-08 8:10 GMT+02:00 Benjamin E.Ndugga <bjnd...@gmail.com>:

Hi Ondrej,

Thank you soo much, I actually used MobaXterm client tool that allowed me to access console based programs like JConsole. I can now access the JMX instance locally.

I will try to access the JMX remotely with the steps shared in previous mail and see how it goes.

Regards,

Benjamin E Ndugga

On 6 September 2017 at 17:47, Ondrej Mihályi <ondrej....@gmail.com> wrote:

You don't need to use any system property. In fact, you should avoid using the com.sun.management and java.rmi.server properties, which will most probably start a separate JMX server in parallel to the server started by Payara Server itself.

You can configure the JMX server in Payara Server in Admin console, int the server-config -> Admin Service page.

If you try to connect to JMX locally, it always works. You just need to supply admin user and password - the same you use to access the admin console.

But if you access JMX remotely, it has to be secured by a SSL certificate. You can do this by turning on Security in the JMX Connector tab in the Admin console, and then in the SSL tab you have to select the certificate by its nickname (the default certificate is s1as). However, you have to use the same certificate on the client, which is a bit tricky. Have a look at Oracle docs: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html#gdevo

In short, you have to pass the Payara Server keystore file, which is by default in domain/config/keystore.jks,to the JConsole on command line, like this:

jconsole -J-Djavax.net.ssl.trustStore=domain/config/keystore.jks -J-Djavax.net.ssl.trustStorePassword=changeit

The second argument the password used to open the keystore, which is Payara Server master password, by default "changeit". Fr more info about securing Payara Server with certificates, look at this blog post: http://blog.payara.fish/securing-payara-server-with-custom-ssl-certificate

Ondro

2017-09-06 12:05 GMT+02:00 Benjamin E.Ndugga <bjnd...@gmail.com>:

Hi Ondrej,

Do you know which parameters I can use to specify the username and password?

Regards,

Benjamin E Ndugga

On 6 September 2017 at 13:01, Ondrej Mihályi <ondrej....@gmail.com> wrote:

Hi Benjamin,

If I'm not mistaken, JMX works remotely only if secured via authentication. If no authentication is required, then it's available only locally for security reasons.

Ondro

--
You received this message because you are subscribed to the Google Groups "Payara Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to payara-forum+unsubscribe@googlegroups.com.

To view this discussion on the web, visit https://groups.google.com/d/msgid/payara-forum/e3c2a5ae-afd4-4816-aad5-4595a2069290%40googlegroups.com.

[Pluto]

How do you get this to work remotely or on an instance from the command line (not the das)? I have been trying locally on one of our instances with jmxterm (jmxterm-1.0.0-uber.jar) as well as with jconsole and VisualVM applications remotely. I always get this error. (when connecting remotely I used the servers ip address, not 0.0.0.0, that is not the problem)

'Cannot connect to instance service:jmx:rmi://0.0.0.0:28686/jndi/rmi://0.0.0.0:28686/jmxrmi. java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: non-JRMP server at remote endpoint]

[Pluto]

I have created a new Payara 174 DAS to test connecting to see jmx info. How do I connect with jconsole locally or VisualVM remotely. Still can't connect. Anyone?

[Pluto]

Answering my own question in case it helps anyone. You need to add these to the JVM Settings -> JVM Options in the config that your instance is using.

1 2 3 4 5

-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=<jmx_remote_port, in my case I used 38686> -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false

[Ondro Mihályi]

I would say this is an alternative answer but it's not the best in production because it's insecure. The options instruct the JVM to open a new JMX interface which isn't secured and is open to anybody. Therefore use this solution only in a private network or in development.

Ondro

[David Andrade]

Hi See this blog have a nice solution for you

https://ayudasdesarrollo.blogspot.com/2018/10/visualvm-payara5-remote-connection-rmi.html