Using JVisualVM Remotely with NetIQ Access Manager

over 6 years ago
Occasionally I've needed to troubleshoot memory or CPU utilization issues in Access Manager. This is most common when developing custom authentication classes. Fortunately, there are great tools for this included in the JDK. My favorite tool is JVisualVM. If you have a graphical console on the Identity Server (or an Access Gateway Service) box, you can install a JDK and just run the jvisualvm command. It shows a list of the Java processes currently running on the local host. Simply select the process ID of the Tomcat server and you're in business.

The situation is not so simple when you're using the Access Manager appliances, which don't have a graphical console. I've also found that most production servers don't have a graphical console installed. But all is not lost! It's easy to configure the JVM for remote access. Here are the steps for setting it up on a NAM 4.x Identity Server:


  1. Identify a port that you can use. Make sure you can get to this port through any firewalls that may be between your workstation and the server. For this tutorial I'm going to use TCP port 9010.

  • Additionally, if you're going through a firewall, you will want to set the RMI service to a fixed TCP port. In this example I'm using port 9011.

  • Add the following lines to the bottom of the file /opt/novell/nam/idp/conf/tomcat7.conf


#jvm options for remote connection from jvisualVM
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.port=9010"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.rmi.port=9011"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.local.only=false"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=true"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file=/opt/novell/nam/idp/conf/jmxremote.password"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.access.file=/opt/novell/nam/idp/conf/jmxremote.access"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"


  • Create the file /opt/novell/nam/idp/conf/jmxremote.password with the content shown below:

monitorRole monitorPassword
adminRole adminPassword

  • Create the file /opt/novell/nam/idp/conf/jmxremote.access with the content shown below:

monitorRole readonly
adminRole readwrite

  • Change the owner of both files to novlwww and change the file permissions so that only novlwww has permission to read the files. This can be done by using the commands shown below:

chown novlwww jmxremote.*
chgrp novlwww jmxremote.*
chmod 400 jmxremote.*

  • Restart Tomcat using the command /etc/init.d/novell-idp restart
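
An added example, not part of the original post: a small shell audit for the settings above. It flags disabled authentication, disabled SSL (JMX passwords then cross the network in cleartext), a missing fixed RMI port, loose file permissions, and the tutorial's sample passwords left in place. The function names and the `write_sample` dry-run helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the JMX settings above.

# jmx_prop FILE NAME: last value of -Dcom.sun.management.jmxremote.NAME
jmx_prop() {
    sed -n -e '/^[[:space:]]*#/d' \
        -e "s/.*-Dcom\.sun\.management\.jmxremote\.$2=\([^\" ]*\).*/\1/p" "$1" |
        tail -n 1
}

# audit_jmx_conf FILE: print findings, return 1 on any FAIL or WARN.
# An unset authenticate or ssl property counts as on (the JVM default).
audit_jmx_conf() {
    rc=0
    port=$(jmx_prop "$1" port)
    [ -n "$port" ] || { echo "OK: no remote JMX port configured"; return 0; }
    if [ "$(jmx_prop "$1" authenticate)" = "false" ]; then
        echo "FAIL: port $port accepts unauthenticated JMX clients"; rc=1
    fi
    if [ "$(jmx_prop "$1" ssl)" = "false" ]; then
        echo "WARN: port $port has SSL off, JMX passwords are sent in cleartext"; rc=1
    fi
    [ -n "$(jmx_prop "$1" rmi.port)" ] ||
        echo "NOTE: rmi.port unset, the RMI port is random and hard to firewall"
    return $rc
}

# audit_jmx_secrets PASSWORD_FILE: check mode and leftover sample passwords.
audit_jmx_secrets() {
    rc=0
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || {
        echo "FAIL: $1 is accessible to group or others"; rc=1; }
    if grep -Eq '^[^#[:space:]]+[[:space:]]+(adminPassword|monitorPassword)[[:space:]]*$' "$1"; then
        echo "FAIL: $1 still holds the tutorial's sample passwords"; rc=1
    fi
    return $rc
}

# write_sample DIR: the tutorial's settings, written to DIR for a dry run.
write_sample() {
    cat > "$1/tomcat7.conf" <<'EOF'
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.port=9010"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.rmi.port=9011"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=true"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
EOF
    printf 'monitorRole monitorPassword\nadminRole adminPassword\n' \
        > "$1/jmxremote.password"
    chmod 400 "$1/jmxremote.password"
}

# Usage: sh jmx_audit.sh CONF PASSWORD_FILE
if [ $# -eq 2 ]; then audit_jmx_conf "$1"; audit_jmx_secrets "$2"; fi
```

Run against the tutorial's own values, it reports the SSL warning and the sample passwords; the `chmod 400` step passes the permission check.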



You can now launch JVisualVM on your workstation and connect to the Identity Server JVM. Right click on "Remote" and select "Add Remote Host".


Enter a name for the host and click "OK".

Now right click on the host entry you just added and select "Add JMX Connection".

In the dialog box, enter the IP address and the port selected in step one. Click the "Use Security Credentials" checkbox, then enter the user name "adminRole" and the password "adminPassword" and click "OK". (We also created a read-only user: "monitorRole" with the password "monitorPassword".)

You will now get a warning that a connection could not be made using SSL. Since this configuration is primarily for development work, click the "Do not require SSL for this connection" checkbox and then click "OK". Setting up SSL is beyond the scope of this tutorial but the instructions for using SSL with JMX are available on the web.
Now right click on the new JMX connection and select "Open".
You now have full access to the power of JVisualVM!
Comment List
Anonymous
  • If you need to use JVisualVM through a firewall and you only have access via SSH, you can do the following on Linux or OS X:

    First create a SOCKS proxy on your local machine over SSH using the command "ssh -v -D NamServerIP:9696 ". You may need to add "-l loginName" if your login is different on the NAM box. It will prompt for your password.

    Then run jvisualvm using the command line "jvisualvm -J-DsocksProxyHost=127.0.0.1 -J-DsocksProxyPort=9696".

    Then add a JMX connection to :9010 using the credentials "adminRole" "adminPassword".

    You will need to check the box that says don’t require SSL.