Monitoring the IDM 3.6.1 JVM with JMX/jconsole


The purpose of this Cool Solution is to present a way of enabling JMX on the IDM 3.6.1 JVM on SLES 11, allowing remote monitoring of the JVM itself. The remote monitoring exposes Java memory and heap usage, thread usage, loaded classes and CPU usage, among other data.

It covers both how to monitor a system remotely without any security (useful only in a Dev/QA environment) and how to secure the JMX connections with authentication and SSL.

Pre-requisites:

  • IDM 3.6.1 running on SLES 11
  • JDK 1.6 Update 13 or later installed on the machine used to monitor IDM remotely

Preparatory steps on the machine used to monitor IDM

  1. Go to http://java.sun.com. Select Downloads > Java SE.
  2. Download the "Java SE Development Kit (JDK)" for JDK 6 Update 13 (or the current latest version). You will be asked for OS and Architecture before you can download it.
  3. For this document the rpm.bin file was used.
  4. Open a command prompt and make the downloaded file executable with
     chmod +x <filename>
     then execute it by typing
     ./<filename>
  5. After the installation finishes, create a symbolic link from
     /usr/bin/jconsole
     to
     /usr/java/<your jdk build name/number>/bin/jconsole
     as shown below.

Enabling basic IDM JVM monitoring (unsafe)

  1. Log in to iManager.
  2. Click on the Identity Manager Administration icon.
  3. Click on Administration > Identity Manager Overview.
  4. Click on the Search button, then on the driver set name.
  5. Click on Driver Set > Edit Driver Set properties.
  6. Click on the Misc link, then fill the JVM Options field with the following line (it is a single line with no line breaks; the wrapping happens because it doesn't fit the page width):

     -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false

  7. Click the OK button.
  8. Close iManager and restart ndsd with the command /etc/init.d/ndsd restart
  9. From the machine where JDK 6 was installed, open a command prompt and execute the command jconsole
  10. In the GUI that opens, enter the IP address of the server where IDM is running and the port configured in iManager. For example:
      192.168.30.71:9999
  11. Click Connect; the window below should open.

Now, the steps above disable SSL and authentication for monitoring and control, so they should only be used on Dev/QA environments, never on a production environment. To enable SSL and Authentication we need to perform the following steps:

Enabling roles and authentication

  1. Go to the directory
     /opt/novell/eDirectory/lib64/nds-modules/jre/lib/management
     (64-bit systems) or
     /opt/novell/eDirectory/lib/nds-modules/jre/lib/management
     (32-bit systems).
  2. Copy the file jmxremote.password.template to jmxremote.password, then change the permissions of jmxremote.password so that only the owner can read and write it. This is mandatory: the JVM will not use a password file that other users can read.
  3. The file jmxremote.access defines your access roles, and by default it comes with two roles: monitorRole and controlRole. For this Cool Solution (and to increase security) open that file and comment out the controlRole line.
  4. Now edit the file jmxremote.password. Uncomment the line that contains monitorRole and give it a password. For this example the password will be IDMmonitoring.
  5. At this point, we need to re-configure IDM in iManager with a different set of properties. To do so, log in to iManager.
  6. Click on the Identity Manager Administration icon.
  7. Click on Administration > Identity Manager Overview.
  8. Click on the Search button, then on the driver set name.
  9. Click on Driver Set > Edit Driver Set properties.
  10. Click on the Misc link, then fill the JVM Options field with the following line (it is a single line with no line breaks; the wrapping happens because it doesn't fit the page width):

      -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/management/jmxremote.password -Dcom.sun.management.jmxremote.ssl=false

  11. Click the OK button.
  12. Close iManager and restart ndsd with the command /etc/init.d/ndsd restart
  13. From the machine where JDK 6 was installed, open a command prompt and execute the command jconsole
  14. In the GUI that opens, enter the IP address of the server where IDM is running and the port configured in iManager. Also enter the user monitorRole and the password IDMmonitoring, just as configured in your password file.
  15. Click Connect; the window below should open.
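The following shell script is an added example and not code from the article or from Novell. It does two things the text above describes by hand: it prepares jmxremote.password and jmxremote.access (copying the template, restricting the file to its owner as the JVM requires, and commenting out controlRole so only the read-only monitorRole can log in), and it classifies a JVM Options line as "unsafe" (authentication off, as in the Dev/QA configuration), "auth-only" (authentication on, SSL off, as in this section) or "auth+ssl", which is useful when reviewing what is actually set on a driver set or in an env file. The JMX_MGMT_DIR variable, the function names and the sample file contents written by the demo are assumptions for this example; the demo runs in a throwaway directory and never touches the real management directory.

```shell
#!/bin/sh
# Added example, not code from the original article: prepares the two
# JMX files the steps above edit by hand and classifies a JVM Options
# line as unsafe (no authentication), auth-only (no SSL) or auth+ssl.
# The directory defaults to the 64-bit path used in the article; the
# sample file contents created by the demo at the bottom are constructed.

MGMT_DIR="${JMX_MGMT_DIR:-/opt/novell/eDirectory/lib64/nds-modules/jre/lib/management}"

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The JVM refuses to start the JMX agent when other users can read the
# password file, so only owner-only modes pass this check.
password_file_is_private() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Copy the template (if not done already) and restrict the copy to its owner.
install_password_file() {
    dir="$1"
    if [ ! -f "$dir/jmxremote.password" ]; then
        cp "$dir/jmxremote.password.template" "$dir/jmxremote.password"
    fi
    chmod 600 "$dir/jmxremote.password"
    password_file_is_private "$dir/jmxremote.password"
}

# Comment out controlRole in jmxremote.access so that only the read-only
# monitorRole remains; succeeds only if no active controlRole line is left.
disable_control_role() {
    f="$1/jmxremote.access"
    sed -i.bak 's/^\([[:space:]]*controlRole\)/# \1/' "$f"
    rm -f "$f.bak"
    ! grep -q '^[[:space:]]*controlRole' "$f"
}

# Classify a JVM Options line. A missing authenticate or ssl property means
# "true" to the JMX agent, so only an explicit =false downgrades the result.
audit_jmx_opts() {
    opts="$1"
    case "$opts" in
        *com.sun.management.jmxremote.port=*) ;;
        *) echo "no-remote-port"; return 0 ;;
    esac
    auth=true
    ssl=true
    case "$opts" in *com.sun.management.jmxremote.authenticate=false*) auth=false ;; esac
    case "$opts" in *com.sun.management.jmxremote.ssl=false*) ssl=false ;; esac
    if [ "$auth" = false ]; then
        echo "unsafe"
    elif [ "$ssl" = false ]; then
        echo "auth-only"
    else
        echo "auth+ssl"
    fi
}

# Demo on a throwaway directory with constructed file contents (never touches MGMT_DIR).
demo_dir=$(mktemp -d)
printf 'monitorRole  IDMmonitoring\ncontrolRole  R&D\n' > "$demo_dir/jmxremote.password.template"
printf 'monitorRole   readonly\ncontrolRole   readwrite\n' > "$demo_dir/jmxremote.access"
install_password_file "$demo_dir" && echo "password file mode: $(file_mode "$demo_dir/jmxremote.password")"
disable_control_role "$demo_dir" && echo "controlRole disabled"
for line in \
    "-Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false" \
    "-Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=$MGMT_DIR/jmxremote.password -Dcom.sun.management.jmxremote.ssl=false"; do
    echo "$(audit_jmx_opts "$line"): $line"
done
rm -rf "$demo_dir"
```

To apply it to a real server, call install_password_file and disable_control_role with the management directory as the argument (after that, set the monitorRole password in jmxremote.password as described above). The audit function is deliberately strict about defaults: it only reports "auth+ssl" when neither property has been explicitly switched off.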

Enabling SSL communication on top of everything

  1. Create a symbolic link to the keytool utility. The command to do so is:
     ln -s /usr/java/jdk1.6.0_13/bin/keytool /usr/bin/keytool
  2. Create a keystore file and generate a key pair. The command to do so is:

     keytool -genkeypair -alias <certificate name> -keyalg RSA -keysize 2048 -dname 'cn=<server dns name>' -keypass <password> -keystore <filename> -storepass <password>

     For example:

     keytool -genkeypair -alias jmxssl -keyalg RSA -keysize 2048 -dname 'cn=sles11nts' -keypass changeit -keystore /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/jmxkeystore -storepass changeit

  3. At this point, we need to re-configure IDM in iManager with a different set of properties. To do so, log in to iManager.
  4. Click on the Identity Manager Administration icon.
  5. Click on Administration > Identity Manager Overview.
  6. Click on the Search button, then on the driver set name.
  7. Click on Driver Set > Edit Driver Set properties.
  8. Click on the Misc link, then fill the JVM Options field with the following line (it is a single line with no line breaks; the wrapping happens because it doesn't fit the page width):

     -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/management/jmxremote.password -Djavax.net.ssl.keyStore=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/jmxkeystore -Djavax.net.ssl.keyStorePassword=changeit

  9. Click the OK button.
  10. Close iManager and restart ndsd with the command /etc/init.d/ndsd restart
  11. Copy the keystore file to the machine where jconsole will run, then start jconsole using SSL. For jconsole to use SSL it needs the following parameters:

      jconsole -J-Djavax.net.ssl.trustStore=<keystore file path and location> -J-Djavax.net.ssl.trustStorePassword=<keystore password>

      For example:

      jconsole -J-Djavax.net.ssl.trustStore=/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/jmxkeystore -J-Djavax.net.ssl.trustStorePassword=changeit

  12. Click Connect; the window below should open.
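The following shell script is an added example, not code from the article or from Novell. It generates the server keystore with the same keytool arguments as the step above, but instead of copying the whole keystore (private key included) to the monitoring machine it exports only the certificate into a separate truststore, which is all jconsole needs to verify the server. It also builds the server-side JVM Options line and the matching jconsole command from their parts. The alias jmxssl, the CN sles11nts and the password changeit come from the article; the truststore name and password, the function names and the demo directory are assumptions for this example, and the keytool part of the demo is skipped when keytool is not on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original article: generates the server
# keystore with the same keytool arguments as the procedure above, then
# exports only the certificate into a separate truststore for the
# jconsole machine, so the server's private key never has to be copied
# off the server. Truststore name/password, function names and the demo
# directory are placeholders chosen for this example.

# Server side: key pair in a keystore readable only by its owner.
make_server_keystore() {   # <dir> <alias> <server cn> <password>
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 \
        -dname "cn=$3" -keypass "$4" -keystore "$1/jmxkeystore" -storepass "$4" \
    && chmod 600 "$1/jmxkeystore"
}

# Export the public certificate and import it into a client-side truststore.
# The truststore gets its own password and contains no private key.
make_client_truststore() {   # <dir> <alias> <keystore password> <truststore password>
    keytool -exportcert -alias "$2" -keystore "$1/jmxkeystore" -storepass "$3" \
        -rfc -file "$1/jmx-server.crt" \
    && keytool -importcert -noprompt -alias "$2" -file "$1/jmx-server.crt" \
        -keystore "$1/jmxtruststore" -storepass "$4"
}

# Check what the client received: a trusted certificate entry, no key entry.
truststore_has_no_private_key() {   # <truststore> <password>
    listing=$(keytool -list -keystore "$1" -storepass "$2") || return 1
    echo "$listing" | grep -q 'trustedCertEntry' && ! echo "$listing" | grep -qi 'keyentry'
}

# JVM Options line for the driver set (or for DHOST_JVM_OPTIONS in env_idm,
# as suggested in the comments). ssl=true is the default but is spelled out.
server_jvm_opts() {   # <password file> <keystore> <keystore password> <port>
    printf '%s' "-Dcom.sun.management.jmxremote.port=$4 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=$1 -Dcom.sun.management.jmxremote.ssl=true -Djavax.net.ssl.keyStore=$2 -Djavax.net.ssl.keyStorePassword=$3"
}

# jconsole invocation on the monitoring machine, trusting only the exported certificate.
jconsole_cmd() {   # <truststore> <truststore password> <host> <port>
    printf '%s' "jconsole -J-Djavax.net.ssl.trustStore=$1 -J-Djavax.net.ssl.trustStorePassword=$2 $3:$4"
}

# Demo in a throwaway directory (skipped when keytool is not on the PATH).
if command -v keytool >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_server_keystore "$demo_dir" jmxssl sles11nts changeit \
        && make_client_truststore "$demo_dir" jmxssl changeit trustit \
        && truststore_has_no_private_key "$demo_dir/jmxtruststore" trustit \
        && echo "client truststore built without a private key"
    rm -rf "$demo_dir"
fi
echo "server: $(server_jvm_opts /opt/novell/eDirectory/lib64/nds-modules/jre/lib/management/jmxremote.password /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/jmxkeystore changeit 9999)"
echo "client: $(jconsole_cmd /home/monitor/jmxtruststore trustit 192.168.30.71 9999)"
```

On the server, run make_server_keystore against the security directory used in the article and make_client_truststore right after it; only jmxtruststore (and, if you like, jmx-server.crt) then travels to the monitoring machine, and truststore_has_no_private_key is a quick way to confirm that nothing else did.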

There are further security configurations and considerations that can be applied to make the system even more secure, such as using client certificates, or configuring the firewall to allow connections to the JMX port only from a specific machine. They are outside the scope of this document.

Another interesting fact is that JMX is a standard for monitoring and managing JVMs. Because of that, it is possible to write your own monitoring program in Java that gathers only the information you need, protects the keystore password, and so forth. A good resource for those wanting to tread this path is Sun's Java SE Monitoring and Management Guide, at http://java.sun.com/javase/6/docs/technotes/guides/management/toc.html.

Comment List
  • in reply to klasen

    And if you do break your eDir with an error in a config, you need to move the /opt/novell/eDirectory/lib64/nds-modules/libjvmload.so or somesuch file out of the current path so that when eDir loads, Java fails to load.  LDAP edit the parameter to be correct or at least remove it, then copy the .so back in, and restart ndsd.  It is a pain when you goof up, so don't.

  •  

    Instead of changing the DriverSet Java properties, one can also put the settings into the env file for your eDirectory instance ("/etc/opt/novell/eDirectory/conf/env_idm" for a default install). That makes it easier to recover if you mess up the settings and IDM causes an eDirectory shutdown.

    DHOST_JVM_OPTIONS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=2222 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"

    For monitoring, these tools are helpful:

    Norbert
