Using JVisualVM Remotely with NetIQ Access Manager

Occasionally I've needed to troubleshoot memory or CPU utilization issues in Access Manager. This is most common when developing custom authentication classes. Fortunately, there are great tools for this included in the JDK. My favorite tool is JVisualVM. If you have a graphical console on the Identity Server (or an Access Gateway Service) box then you can install a JDK and then just run the jvisualvm command. There will be a list of the Java processes currently running on the local host. Simply select the process ID of the Tomcat server and you're in business.

The situation is not so simple when you're using the Access Manager appliances, which don't have a graphical console. I've also found that most production servers don't have a graphical console installed. But all is not lost! It's easy to configure the JVM for remote access. Here are the steps for setting it up on a NAM 4.x Identity Server:

  1. Identify a port that you can use. Make sure you can get to this port through any firewalls that may be between your workstation and the server. For this tutorial I'm going to use TCP port 9010.

  2. Additionally, if you're going through a firewall you will want to set the RMI service to a fixed TCP port. In this example I'm using port 9011.

  3. Add the following lines to the bottom of the file /opt/novell/nam/idp/conf/tomcat7.conf

#jvm options for remote connection from jvisualVM

  4. Create the file /opt/novell/nam/idp/conf/jmxremote.password with the content shown below:

monitorRole monitorPassword
adminRole adminPassword

  5. Create the file /opt/novell/nam/idp/conf/jmxremote.access with the content shown below:

monitorRole readonly
adminRole readwrite

  6. Change the owner of both files to novlwww and change the file permissions so that only novlwww has permission to read the files. This can be done by running the commands shown below from /opt/novell/nam/idp/conf:

chown novlwww jmxremote.*
chgrp novlwww jmxremote.*
chmod 400 jmxremote.*

  7. Restart Tomcat using the command /etc/init.d/novell-idp restart
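
One way to check the result of the steps above before opening the ports, as an added example that is not part of the original post: check_jmx (a hypothetical helper) flags disabled authentication, disabled SSL, a missing fixed RMI port, a password file with group or other permission bits set, and the tutorial's sample passwords left in place. The JAVA_OPTS lines in the constructed sample are assumptions built from the standard JDK com.sun.management.jmxremote.* properties, not the lines from the original post.

```shell
#!/bin/sh
# Added example, not from the original post. check_jmx is a hypothetical helper.
# Usage: check_jmx TOMCAT_CONF PASSWORD_FILE
# Prints one finding per line; returns 0 only when nothing was found.
check_jmx() {
    conf=$1; pw=$2; findings=""
    # Commented-out options are not in effect, so drop comment lines first.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    # Standard JDK properties; remote JMX without authentication is open to
    # anyone who can reach the port.
    case $active in *jmxremote.authenticate=false*)
        findings="$findings auth-disabled" ;; esac
    # Without SSL the JMX user name and password cross the network in clear text.
    case $active in *jmxremote.ssl=false*)
        findings="$findings ssl-disabled" ;; esac
    # Without a fixed RMI port the JVM picks one at random (the firewall step).
    case $active in *jmxremote.rmi.port=*) ;; *)
        findings="$findings rmi-port-not-fixed" ;; esac

    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$pw" | cut -c5-10)" != "------" ]; then
        findings="$findings password-file-not-owner-only"
    fi
    # The tutorial's sample passwords should not survive on a real server.
    if grep -Eq '^(monitorRole[[:space:]]+monitorPassword|adminRole[[:space:]]+adminPassword)[[:space:]]*$' "$pw"; then
        findings="$findings sample-password-in-use"
    fi

    for f in $findings; do echo "$f"; done
    [ -z "$findings" ]
}

# Constructed sample: files like the tutorial's, in a scratch directory.
demo=$(mktemp -d)
cat > "$demo/tomcat7.conf" <<'EOF'
#jvm options for remote connection from jvisualVM
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.port=9010"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.rmi.port=9011"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=true"
JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"
EOF
printf 'monitorRole monitorPassword\nadminRole adminPassword\n' > "$demo/jmxremote.password"
chmod 400 "$demo/jmxremote.password"
check_jmx "$demo/tomcat7.conf" "$demo/jmxremote.password" || true
```

On the Identity Server the two arguments would be /opt/novell/nam/idp/conf/tomcat7.conf and /opt/novell/nam/idp/conf/jmxremote.password, run as root because the password file is readable only by novlwww.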

You can now launch JVisualVM on your workstation and connect to the Identity Server JVM. Right click on "Remote" and select "Add Remote Host".

Enter a name for the host and click "OK".

Now right click on the host entry you just added and select "Add JMX Connection".

In the dialog box enter the IP address and the port selected in step one. Click on the "Use Security Credentials" checkbox. Then enter the user name "adminRole" and password "adminPassword" and click "OK". (We also created a read-only user: "monitorRole" with password "monitorPassword".)

You will now get a warning that a connection could not be made using SSL. Since this configuration is primarily for development work, click the "Do not require SSL for this connection" checkbox and then click "OK". Setting up SSL is beyond the scope of this tutorial but the instructions for using SSL with JMX are available on the web.

Now right click on the new JMX connection and select "Open".

You now have full access to the power of JVisualVM!


Comment List
  • If you need to use JVisualVM through a firewall and you only have access via SSH you do the following on Linux or OS X:

    First create a SOCKS proxy on your local machine over SSH using the command "ssh -v -D NamServerIP:9696". You may need to add "-l loginName" if your login is different on the NAM box. It will prompt for your password.

    Then run jvisualvm using the command line "jvisualvm -J-DsocksProxyHost= -J-DsocksProxyPort=9696"

    Then add a JMX connection to :9010 using the credentials "adminRole" "adminPassword"

    You will need to check the box that says don’t require SSL.