JMX

Last modified by Sebastian Marsching on 2022/05/27 22:25

Enabling JMX

In recent versions of the JDK / JRE, JMX is enabled by default, but only for local connections. In older versions of the JDK, JMX can be enabled by setting the com.sun.management.jmxremote system property to true.

Remote access for JMX always has to be enabled explicitly. This can be done by setting the following system properties:

PropertyDescription
com.sun.management.jmxremote.authenticateset to false so that no authentication is needed (only in secure networks)
com.sun.management.jmxremote.portset to the port number on which the RMI registry is supposed to be started. Setting this property enabled remote access.
com.sun.management.jmxremote.sslset to false, so that SSL / TLS is not required (only in secure networks). This means that the connection will not be encrypted.

For example, the following command-line parameters may be used when starting the Java process:

-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.port=10098 -Dcom.sun.management.jmxremote.ssl=false

Accessing JMX over an SSH tunnel

Using JMX over an SSH tunnel is not straight-forward because the port specified by the com.sun.management.jmxremote.port system property is only the port of the RMI registry, not the port used for the actual service. A client connecting to the JMX service asks the RMI registry for the address and port to connect to. For obvious reasons, this will not work well in combination with an SSH tunnel.

The easiest solution for using JMX over SSH is using the SSH client as a SOCKS server. This can be done by using the "-D" parameter when starting the SSH client:

ssh -D 9999 user@example.com

In this example, the SOCKS proxy will listen on port 9999. Now, the JMX client has to use this proxy. How this can be configured depends on the client application.

When the SOCKS proxy has been configured, one can simply specify the actual IP address and port number of the JMX service in the target network.

Java Monitoring & Management Console (jconsole)

jconsole can be forced to use the SOCKS proxy by setting a number of system properties:

jconsole -J-DsocksProxyHost=localhost -J-DsocksProxyPort=9999 -J-DsocksNonProxyHosts=127.0.0.1,localhost

VisualVM (jvisualvm)

In VisualVM the SOCKS proxy can be configured in the preferences (Network / Proxy Settings).