Wednesday 24 February 2010

Connecting to MBeans via JConsole


Update from last blog...it looks like you can invoke custom MBean methods using the Java JDK's JConsole GUI. Instructions as follows... In order to connect to the server via the jconsole GUI, you must configure both your application server and the jconsole client.


WebLogic Server configuration

The following command-line options should be added to the WebLogic startup script. As an example they can be added to the JAVA_OPTIONS variable within the setDomainEnv script:

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=8888
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.authenticate=false

Additionally the following two options should be added – these refer to the keystore which is used by the server – usually located within the JDK shipped with WebLogic:
-Djavax.net.ssl.keyStore=C:\bea_9_2_3\jdk150_12\jre\lib\security\cacerts
-Djavax.net.ssl.keyStorePassword=changeit

Key Generation

Using the keystore above, a certificate key should be generated as follows (apply parameters appropriate for the environment):

keytool -genkey -alias jconsole -keyalg RSA -validity 7 -keystore C:\bea_9_2_3\jdk150_12\jre\lib\security\cacerts 
 
 Enter keystore password:  changeit
 What is your first and last name?
 [Unknown]:  jconsole
 What is the name of your organizational unit?
 [Unknown]:  Unit
 What is the name of your organization?
 [Unknown]:  Org
 What is the name of your City or Locality?
 [Unknown]:  Newcastle

 What is the name of your State or Province?
 [Unknown]:  Tyneside
 What is the two-letter country code for this unit?
 [Unknown]:  UK

 Is CN=jconosle, OU=Unit, O=Org,

 L=Newcastle, ST=Tyneside, C=UK correct?

 [no]:  yes
 
 Enter key password for 
  (RETURN if same as keystore password):

Confirm that the entry has been created successfully:

keytool -list -v -keystore keystore
Enter keystore password:  password
 
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: jconsole
Creation date: Dec 20, 2001
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=jconsole, OU=Unit, O=Org,L=Newcastle, ST=Tyneside, C=UK
Issuer: CN=jconsole, OU=Unit, O=Org,L=Newcastle, ST=Tyneside, C=UK Serial number: 3c22adc1
Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
Certificate fingerprints:
    MD5: F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
    SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74

Key import

The certificate generated above should now be exported from the keystore and imported to the keystore where the jconsole GUI is running. Export as follows:

keytool -export -alias jconsole -keystore C:\bea_9_2_3\jdk150_12\jre\lib\security\cacerts –rfc -file jconsole.cer

Then import as follows:

keytool -import -alias jconsole -file jconsole.cer -keystore truststore
Enter keystore password:  changeit
Owner: CN=jconsole, OU=Unit, O=Org,L=Newcastle, ST=Tyneside, C=UK
Issuer: CN=jconsole, OU=Unit, O=Org,L=Newcastle, ST=Tyneside, C=UK
Serial number: 3c22adc1
Valid from: Thu Dec 20 19:34:25 PST 2001 until: Thu Dec 27 19:34:25 PST 2001
Certificate fingerprints:
    MD5: F1:5B:9B:A1:F7:16:CF:25:CF:F4:FF:35:3F:4C:9C:F0
    SHA1: B2:00:50:DD:B6:CC:35:66:21:45:0F:96:AA:AF:6A:3D:E4:03:7C:74
Trust this certificate? [no]:  yes
Certificate was added to keystore

There is now a SSL trust established between the WebLogic server and the jconsole client. The jconsole client can now connect to the server to monitor JMX MBeans securely.

Running jconsole

The jconsole GUI should be run with the following parameters:

jconsole -J-Djavax.net.ssl.trustStore=\jdk150_12\jre\lib\security\cacerts -J-Djavax.net.ssl.trustStorePassword=changeit




Once both server and client have been configured, connect to the server via the jconsole GUI with a URL as follows (replacing with the correct IP Address of the server):

Navigate to the WFEngineMBean within the server hierarchy as follows:

Invoke the forceEngineInitialisation() method. A dialog box will appear confirming that the process was completed successfully.


Posted by at
Labels: , , ,

2 comments:

Unknown said...

I have weblogic 9.
I have created new domain.
I have made changes in setDomainEnv.cmd
post that I passed parameter IP:PORT to jconsole...but still it is not able to connect.

I know this info is very limited.But I really don't know how to debug further.
I went through few more links it says we need to enable iiop option..I did that then i was able to get console but it gives error ....

16 June 2013 at 07:34
Anonymous said...

Glad to read that! Good luck with the paper.
alarm monitoring newcastle

20 September 2016 at 08:56

Post a Comment

Subscribe to: Post Comments (Atom)