> Okay.
>> Now for my problems or questions: - Apparently, the Jmx listener
>> listens on 0.0.0.0 (confirmed by a netstat) on the two ports
>> configured for the listener, is it normal ? I thought that
>> useLocalPorts would restrain the listening only to 127.0.0.1.
>
> useLocalePorts /should/ force 127.0.0.1 (actually "localhost"...
> whatever that resolves to on your server). Can you confirm that you
> are editing the correct server.xml? If you edit it in one place and
> then deploy it, please make sure you have the latest version installed
> under CATALINA_BASE/conf.
>
So it should force 127.0.0.1, ok !
>> - with jvisualvm i am able to connect through jmx with the url
>> service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
>>
>>
> without entering the credentials (nagios:nagios).
>> I thought that by entering
>> com.sun.management.jmxremote.authenticate=true, even read access
>> would be restricted.
>
> I think you need to double-check that you are actually using the
> configuration you think you are.
>
I think too now :) i'll double check it.
Is there a way to dump the jmx configuration in the jvm?
It happens on all the tomcat in use (a lot) and i'm quite sure I am
not mistaken the server.xml for every one of them.
One question, though, in the tomcat doc (for 6.0.x) for the
JMXRemoteListener, the configuration is :
-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
while mine is
-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
(notice the {} ).
is it my mistake?
> Another note: using traditional JMX with Nagios is going to suck. You
> are probably going to make, say, 5 connections to your server every
> minute to check on things like heap size, request-time, etc. Each of
> those connections requires a complete JMX connection which is not
> cheap to make -- especially if the client is running on the same
> server. That's 5 JVMs, 5 JMX connections, etc. every minute (or 5 or
> whatever).
We don't really use nagios as is. We use check_MK, an agent installed
on the host for which i developped a plug in to get only the
informations I want, with one connection to JMX (thus my need to
restrict to localhost).
> If you just want to make some quick checks, consider looking at the
> JMXProxyServlet which is provided by the manager webapp. I believe it
> will be a much lighter-weight solution (and does not require all of
> this crazy setup to configure JMX authentication, etc.).
Some ancient rules force us to disactivate the manager webapp (those
rules originated from some vulnerabilities with the manager webapp I
believe), but i'm trying to get it back with the appropriate security,
evebn if only to ease deployments :).
Thanks for the help !
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with undefined - http://www.enigmail.net/
>
> iEYEAREIAAYFAlDHUKcACgkQ9CaO5/Lv0PCYVgCfdhcR80DY4nO1QTHCnohhBul8
> pmMAn0J1tFmswgyMAd4AXQBKyfNTMb1u
> =BzhT
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
