October 20, 2008

Tomcat 5.5 – JMX managmenet

Filed under: java, jmx, snmp, tomcat — Tags: , , , — lancevermilion @ 9:40 am

I have had the need to monitor Java webapps. There are two ways of doing this. One is via SNMP into the JVM and the other is via JMX. Once you make the configuration changes you will need to restart tomcat. Once tomcat is restarted you will want to make sure those ports were opened and are currently being listened on by java. Run “sudo /usr/sbin/lsof | grep :” then look for your port numbers you chose to bind SNMP/JMX to. If they are not listed then they did not bind and you are going to want to simplify your JAVA_OPTS down to just the bare basics + the port commands. Keep in mind applying these configuration to JAVA_OPTS means it will try to do these are start/stop of the JVM which will result in an error in your logs saying something like “the port is already bound”

Add this to your “/etc/sysconfig/tomcat5”. Comment out any JAVA_OPTS (if they are redundant to what is below) you have uncommented and move them to this one if you have extra values. Exclude the all after the snmp line if you only want SNMP monitoring.


JAVA_OPTS="$JAVA_OPTS -Dcatalina.ext.dirs=$CATALINA_HOME/shared/lib:$CATALINA_HOME/common/lib -Djava.awt.headless=true$CATALINA_HOME/conf/jmxremote.password$CATALINA_HOME/conf/jmxremote.access -Djava.rmi.server.hostname=adminsvr"


JAVA_OPTS="$JAVA_OPTS -Dcatalina.ext.dirs=$CATALINA_HOME/shared/lib:$CATALINA_HOME/common/lib -Djava.awt.headless=true -Djava.rmi.server.hostname=adminsvr"

# Specify the RMI server name which is used when RMI connect comes inbound. This is sent to the client connecting to the RMI server.


# Disable use of authentication (options: true/false). True requires passwd file and access file.

# Specifies the location of the password file for JMX management access. (chmod 600, chown user/group )$CATALINA_HOME/conf/jmxremote.password

# Specifies the location of the access file for JMX management access. (chmod 600, chown user/group )$CATALINA_HOME/conf/jmxremote.access

# Disable SSL support (I have not played with getting it setup yet) (options: true/false)

# Specify the JMX management port

# Enable local jmx management from the localhost

# Suppose to enable headless connection where X is required…aka forward jconsole from the server to your X server.


# Used to enable SNMP access to the JVM interface. If you use this you will need to enable the snmp.acl as well to set the community/access control

# /usr/java/jdk1.6.0_03/jre/lib/management/snmp.acl (you should already have a smp.acl.template installed as a part of your JDK) (chmod 600, chown user/group ). IF YOU HAVE A DIFFERENT JDK AND/OR LOCATION KEEP THAT IN MIND!!!

acl = {
      communities = public
      access = read-only
      managers = localhost,

# $CATALINA_HOME/conf/jmxremote.access (chmod 600, chown user/group ).

opennms     readonly
monitorRole readonly
controlRole readwrite

# $CATALINA_HOME/conf/jmxremote.password (chmod 600, chown user/group ).

opennms     OpenNMS
monitorRole tomcat
controlRole tomcat

# Need to add a proxy line so snmp proxy will hit the JMX snmp port when we query the server for the SNMP info. Get system and JMX info in one query.
proxy -v 2c -c cotssnmp localhost:9004 .

# Trouble shooting
A good set of tools to have are same JMX server/client java tools that you can run outside your tomcat JVM containers to make sure your system is accessable.

JMX Java Tutorial for MXBeans

Not sure what connect string to put in jconsole/etc. This is the default.

The default container name is jmxrmi
The JMX Service URL is:

Create a free website or blog at