Using JVisualVM Remotely with NetIQ Access Manager

Occasionally I've needed to troubleshoot memory or CPU utilization issues in Access Manager. This is most common when developing custom authentication classes. Fortunately, there are great tools for this included in the JDK. My favorite tool is JVisualVM. If you have a graphical console on the Identity Server (or an Access Gateway Service) box, then you can install a JDK and just run the jvisualvm command. There will be a list of the Java processes currently running on the local host. Simply select the process ID of the Tomcat server and you're in business.

The situation is not so simple when you're using the Access Manager appliances, which don't have a graphical console. I've also found that most production servers don't have a graphical console installed. But all is not lost! It's easy to configure the JVM for remote access. Here are the steps for setting it up on a NAM 4.x Identity Server:


  1. Identify a port that you can use. Make sure you can get to this port through any firewalls that may be between your workstation and the server. For this tutorial I'm going to use TCP port 9010.

  2. Additionally, if you're going through a firewall you will want to set the RMI service to a fixed TCP port. In this example I'm using port 9011.

  3. Add the following lines to the bottom of the file /opt/novell/nam/idp/conf/tomcat7.conf:

      # JVM options for remote connection from JVisualVM
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote"
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.port=9010"
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.rmi.port=9011"
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.local.only=false"
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.authenticate=true"
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.password.file=/opt/novell/nam/idp/conf/jmxremote.password"
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.access.file=/opt/novell/nam/idp/conf/jmxremote.access"
      JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.management.jmxremote.ssl=false"

  4. Create the file /opt/novell/nam/idp/conf/jmxremote.password with the content shown below:

      monitorRole monitorPassword
      adminRole adminPassword

  5. Create the file /opt/novell/nam/idp/conf/jmxremote.access with the content shown below:

      monitorRole readonly
      adminRole readwrite

  6. Change the owner of both files to novlwww and change the file permissions so that only novlwww has permission to read the files. This can be done by running the commands shown below from /opt/novell/nam/idp/conf:

      chown novlwww jmxremote.*
      chgrp novlwww jmxremote.*
      chmod 400 jmxremote.*

  7. Restart Tomcat using the command /etc/init.d/novell-idp restart
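An added check, not part of the original article: the script below reads the JMX options from a Tomcat conf file like the one edited above and flags what a reviewer would want addressed before the server leaves a development network (SSL disabled, remotely reachable ports, a password file that is not owner-only, the tutorial's sample passwords left in place). The function names jmx_opt, audit_jmx and make_sample are hypothetical, and the sample files are constructed in a temp directory.

```shell
#!/usr/bin/env bash
# Added example: audit the JMX remote settings configured in the steps above.
# jmx_opt, audit_jmx and make_sample are hypothetical helper names.

# Print the last value set for -Dcom.sun.management.jmxremote.<key> in a conf file.
jmx_opt() {  # usage: jmx_opt <conf-file> <key>
  grep -v '^[[:space:]]*#' "$1" |
    sed -n "s/.*-Dcom\.sun\.management\.jmxremote\.$2=\([^\" ]*\).*/\1/p" | tail -n 1
}

# Print one finding per line; no output means nothing was flagged.
audit_jmx() {  # usage: audit_jmx <conf-file>
  conf=$1
  [ "$(jmx_opt "$conf" authenticate)" = "true" ] || echo "AUTH: authentication is not enabled"
  [ "$(jmx_opt "$conf" ssl)" = "true" ] || echo "SSL: credentials and JMX data cross the network unencrypted"
  if [ "$(jmx_opt "$conf" local.only)" = "false" ]; then
    echo "EXPOSED: ports $(jmx_opt "$conf" port) and $(jmx_opt "$conf" rmi.port) accept remote connections; limit them at the firewall"
  fi
  pw=$(jmx_opt "$conf" password.file)
  if [ -f "$pw" ]; then
    mode=$(stat -c '%a' "$pw")   # GNU stat, as found on Linux
    [ "$mode" = "400" ] || echo "PERMS: $pw has mode $mode, expected 400"
    if grep -Eq '^(monitorRole[[:space:]]+monitorPassword|adminRole[[:space:]]+adminPassword)$' "$pw"; then
      echo "PASSWORD: $pw still contains the tutorial's sample passwords"
    fi
  else
    echo "MISSING: password file '$pw' not found"
  fi
}

# Constructed sample: the tutorial's settings written to a temp dir, with the
# password file left world-readable to show the PERMS finding.
make_sample() {
  d=$(mktemp -d)
  printf 'monitorRole monitorPassword\nadminRole adminPassword\n' > "$d/jmxremote.password"
  chmod 644 "$d/jmxremote.password"
  for opt in port=9010 rmi.port=9011 local.only=false authenticate=true \
             "password.file=$d/jmxremote.password" ssl=false; do
    echo "JAVA_OPTS=\"\${JAVA_OPTS} -Dcom.sun.management.jmxremote.$opt\""
  done > "$d/tomcat7.conf"
  echo "$d/tomcat7.conf"
}

audit_jmx "$(make_sample)"
```

On the Identity Server, run audit_jmx /opt/novell/nam/idp/conf/tomcat7.conf as a user that can read the password file.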



You can now launch JVisualVM on your workstation and connect to the Identity Server JVM. Right click on "Remote" and select "Add Remote Host".

Enter a name for the host and click "OK".

Now right click on the host entry you just added and select "Add JMX Connection".

In the dialog box enter the IP address and the port selected in step one. Click on the "Use Security Credentials" checkbox. Then enter the user name "adminRole" and password "adminPassword". Click "OK". (We also created a read only user: "monitorRole" and "monitorPassword".)

You will now get a warning that a connection could not be made using SSL. Since this configuration is primarily for development work, click the "Do not require SSL for this connection" checkbox and then click "OK". Setting up SSL is beyond the scope of this tutorial but the instructions for using SSL with JMX are available on the web.

Now right click on the new JMX connection and select "Open".

You now have full access to the power of JVisualVM!
Comments
If you need to use JVisualVM through a firewall and you only have access via SSH you do the following on Linux or OS X:

First create a SOCKS proxy on your local machine over SSH using the command "ssh -v -D 9696 NamServerIP". You may need to add "-l loginName" if your login is different on the NAM box. It will prompt for your password.

Then run jvisualvm using the command line "jvisualvm -J-DsocksProxyHost=127.0.0.1 -J-DsocksProxyPort=9696".

Then add a JMX connection to :9010 using the credentials "adminRole" "adminPassword".

You will need to check the box that says don't require SSL.
Version history: revision 3 of 3, last update 2020-01-31 22:06