I'd like to take advantage of JConsole as my primary JMX client because it is provided out-of-the-box and covers the basic functionality that I need. I have some concerns about getting a firewall port opened to use RMI, so I am wondering what other options I may have for using JConsole to monitor and manage my JMX-decorated applications through a firewall. I'll list some of the options that I have already considered along with seeming advantages and disadvantages and ask for any additional advantages or disadvantages I should consider when selecting among these options. I'd also be interested in hearing any other available options. If an option involves a lot of new coding (such as writing my own client and server connectors), it is not likely that I'll select that option because some of these listed options, even with their disadvantages, will probably win over such an approach.

<h3>Use JMX-Required RMI</h3>
<h6>Advantages</h6>
Support is required by JMX Specification.
Nearly all examples of remote JMX use are RMI-based.
<h6>Disadvantages</h6>
Firewall Issues
<h6>References</h6>
JMX Accelerated Howto recommends not using RMI (http://www.admc.com/blaine/howtos/jmx/jmx.html#distributed-chapter).

<h3>Use JMX-Specified (Optional) JMXMP</h3>
<h6>Advantages</h6>
Specified in JMX Specification
SASL support.
<h6>Disadvantages</h6>
Not required and not delivered with platform server/reference implementation.
<h6>References</h6>
OpenDMK provides JMXMP Connector (http://docs.sun.com/app/docs/doc/816-7609/6mdjrf861?a=view#connectors-116)
JMXMP and JConsole (http://forum.java.sun.com/thread.jspa?threadID=5266512&tstart=0)
Can JConsole Connect to a Remote JMX Agent Using JMXMP and TLS? (http://forum.java.sun.com/thread.jspa?forumID=537&threadID=5137348)

<h3>RMI Tunneling</h3>
<h6>Advantages</h6>
Still get to use the widely supported RMI
No new port necessarily need be opened in firewall
<h6>Disadvantages</h6>
Still may not be allowed by firewall administrator
Security issues
More complicated than using RMI directly.
<h6>References</h6>
Monitoring Your Applications with JConsole - Part 3 (http://www.componative2.com/content/controller/developer/insights/jconsole3)
* Connecting JConsole through ssh Tunnel (http://forum.java.sun.com/thread.jspa?threadID=5267091&tstart=0)


<h3>HTTP/HTML Adaptor/Adapter</h3>
It is my assumption that the OpenDMK-provided HTML/HTTP Adaptor cannot be used with JConsole because the Adaptor provides its own HTML-based view and as an adapter it does not implement the common JMX Connector API that JConsole works with.

---

If you wanted to use JConsole to manage and monitor your applications and could not use RMI directly through the firewall, what would be your first choice and why? Are there other easily approachable connectors or methods for doing this not listed above?

Thanks for your insight.

 

 

Hi,

I have written a detailed post explaining how to configure an RMI Connector Server
to use a single well known port - and this over SSL.
With such a configuration you only need to open this one port in your firewall.

The code shown in the post uses a java agent to start the connector server, which
might be a bit of an overkill for your need. If so you can simply put the same code
in your application main:

JMX: Connecting Through Firewalls Using RMI Over SSL And a Single Port (Part III)
http://blogs.sun.com/jmxetc/entry/jmx_connecting_through_firewalls_using

The code as shown in the post uses Java 6, but the same thing can be achieved
with Java 5, with a bit of additional work consisting in manually registering the RMIServer
stub in the RMI registry instead of letting the connector server do it through JNDI.

Hope this helps,

-- daniel
http://blogs.sun.com/jmxetc/

 

 

Hello,
JSR 262 (Web Services Connector for JMX Agents) offers an HTTP based Connector that is compliant with JConsole.
The standard is not yet final but is already in public review and we don't expect major changes.

The latest Reference Implementation (early access 3) can be downloaded from http://ws-jmx-connector.dev.java.net

Reusing your Connector presentation I would say :
Use of JMX WS Connector
Advantages
Standard
Firewall friendly
Disadvantages
Standalone. You need to add jars (quite a bunch actually) to JConsole classpath.
Less efficient than RMI or JMXMP.
References
Project web site : http://ws-jmx-connector.dev.java.net
Article that cover the EA3 announcement : http://blogs.sun.com/jmxnetbeans/entry/web_services_connector_for_jmx#comments
Article that details the Connector architecture :
http://blogs.sun.com/jmxnetbeans/entry/up_the_metro_stack_to


Thanks.

Jean-Francois

 

 

Thanks Daniel and Jean-Francois for your input. I'll definitely pursue both of these alternatives as part of my decision on how to approach monitoring and managing remote applications via JConsole through a firewall.