Posted to users@tomcat.apache.org by Cédric Couralet <ce...@gmail.com> on 2012/12/11 13:50:44 UTC

JMX with Listener

Hello,

In our tomcat, we use at the moment the JMXRemoteLifecycleListener
configured as :

<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
          rmiRegistryPortPlatform="10001"
          rmiServerPortPlatform="10002" useLocalPorts="true" />

The configuration for the windows service is :

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=${CATALINA_BASE}/conf/jmxremote.access
-Dcom.sun.management.jmxremote.ssl=false

with jmxremote.access being a textfile with:

nagios readonly

and jmxremote.password :

nagios nagios

Version and OS information :
 - Tomcat 6.0.35
 - Windows server 2003 32bit
 - jdk 1.6.36

Now for my problems or questions:
 - Apparently, the Jmx listener listens on 0.0.0.0 (confirmed by a
netstat) on the two ports configured for the listener, is it normal ?
I thought that useLocalPorts would restrain the listening only to
127.0.0.1.
As I can't seem to connect to those ports from a remote host, I think
it is normal but I would like some clarification if possible.

 - with jvisualvm I am able to connect through jmx with the url
service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
without entering the credentials (nagios:nagios).
I thought that by entering
com.sun.management.jmxremote.authenticate=true, even read access would
be restricted.

Thank you for any answers.

Cédric Couralet

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: JMX with Listener

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net] 
> Subject: Re: JMX with Listener

> > Now for my problems or questions: - Apparently, the Jmx listener
> > listens on 0.0.0.0 (confirmed by a netstat) on the two ports
> > configured for the listener, is it normal ? I thought that
> > useLocalPorts would restrain the listening only to 127.0.0.1.

> useLocalPorts /should/ force 127.0.0.1 (actually "localhost"...
> whatever that resolves to on your server).

Which brings up the point that the hosts file might have an incorrect entry for "localhost" - that needs to be checked as well.

 - Chuck




Re: JMX with Listener

Posted by Cédric Couralet <ce...@gmail.com>.
2012/12/17 André Warnier <aw...@ice-sa.com>:
> Cédric Couralet wrote:
>>>
>>> Where do you /set/ CATALINA_BASE?
>>
>>
>> Hum nowhere. Ok my mistake but I set catalina.base as a jvm option and I
>> would like to reference it in another.  As I say it, I don't think java
>> can do it so I may be out of luck.
>>
>
[snip great explanation on tomcat as a windows service]
>
> Later if you want to change it, you can probably do this by running
> tomcat7.exe with the //US (update service) switch (see the doc).
>

Thank you for all this :)
I know I can probably do it by updating (or uninstall/install) the
service, but I was wondering if one could set a jvm option like
-Dtest=true and then reference it in another Java option like
-Dtest2=${test}, but it is far from being a question in topic.

My initial problem is resolved :
 - JMXRemoteLifecycleListener listens on all interfaces -> seems normal
as any connection from remote hosts seems to be rejected.
 - the authenticate=true was not taken into account by tomcat -> it
was due to a space after the "true" in the java_options for the
service. That space causes the line
authenticate=Boolean.parseBoolean(authenticateValue) to return false.
It can't happen when running on the command line, as the spaces will be
considered as one by the shell.

Thanks everyone for the big help.

Cédric



Re: JMX with Listener

Posted by André Warnier <aw...@ice-sa.com>.
Cédric Couralet wrote:
>> Where do you /set/ CATALINA_BASE?
> 
> Hum nowhere. Ok my mistake but I set catalina.base as a jvm option and I
> would like to reference it in another.  As I say it, I don't think java can
> do it so I may be out of luck.
> 

When you run Tomcat 7 as a Service, you run in fact the program tomcat7.exe.
This program is a "service wrapper".  It contains the necessary plumbing to behave like a 
Service for Windows, and itself then runs the Java VM which runs Tomcat.
When it starts the Java VM, it also provides it with run parameters, which it takes from 
the Windows Registry.
Tomcat7.exe is a renamed copy of the Apache "prunsrv" program, of which more info here : 
http://commons.apache.org/daemon/procrun.html

That's one part of it.

The second part is the tomcat7w.exe program. That is also a renamed version of the 
"prunmgr" program of the same Apache procrun project.
This program is a GUI Registry editor, which /sets/ the parameters in the Registry, that 
tomcat7.exe will later read and interpret to run the JVM.

More info here : http://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

To remove/install the Tomcat7 service, you can run the "service.bat" command-file in 
(tomcat_dir)/bin.  Now /this/ command-file is a Windows command-file, and it looks in the 
Windows environment of the process in which you run it, for a value %CATALINA_BASE%.
And then it uses that value to set the appropriate parameters to run the tomcat7.exe 
program in "install service" mode (which initially sets the Registry parameters).

So if you open a command window, set the CATALINA_BASE variable, and then run the 
service.bat script to create the service, that would probably do what you want.

Later if you want to change it, you can probably do this by running tomcat7.exe with the 
//US (update service) switch (see the doc).




Re: JMX with Listener

Posted by Cédric Couralet <ce...@gmail.com>.
>
> Where do you /set/ CATALINA_BASE?

Hum nowhere. Ok my mistake but I set catalina.base as a jvm option and I
would like to reference it in another.  As I say it, I don't think java can
do it so I may be out of luck.

Re: JMX with Listener

Posted by André Warnier <aw...@ice-sa.com>.
Cédric Couralet wrote:
> 2012/12/11 André Warnier <aw...@ice-sa.com>:
>> Cédric Couralet wrote:
>> ...
>>
>>> One question, though, in the tomcat doc (for 6.0.x) for the
>>> JMXRemoteListener, the configuration is :
>>>
>>>
>>> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
>>>
>>> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
>>>
>>> while mine is
>>> -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
>>> (notice the {} ).
>>>
>>> is it my mistake?
>>>
>>>
>> No, it is not a mistake.  The above are lines extracted from a shell script,
>> I presume.
>> In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent.
>> The {} form helps to clarify things for the shell when the character which
>> *follows* the name of the variable, could be considered by the shell as part
>> of the variable name.
>> For example in :
>>
>> echo "something" > $my_file_conf
>>
>> it is not clear whether the name of the variable is "my" or "my_file" or
>> "my_file_conf".
>> (or anything in-between), and by default the shell will use the longer
>> possibility.
>>
>> Writing this as
>>
>> echo "something" > ${my_file}_conf
>>
>> leaves only one possible interpretation.
>>
>> In "$CATALINA_BASE/conf/jmxremote.password" there is really no ambiguity
>> (because "/" cannot be part of a variable name), but the form
>> "${CATALINA_BASE}/conf/jmxremote.password" is anyway clearer and less prone
>> to oversights.
>> (But it is slightly more work to type, and as programmers are a notoriously
>> lazy and hubristic bunch, they rarely go through the trouble).
>>
>> I suppose that - just to kid Christopher - I could go on like this, talking
>> about interpolation and stuff, but I'll leave it at that because it's
>> already late here.
>>
> 
> I finally had some time to do some testing.
> First, even with useLocalPorts=true, the JmxConnectorServer listens on
> all interfaces but won't accept connections from remote hosts. From the
> tomcat code, only the rmi client socket is forced to localhost, at
> least on tomcat 6.0.x. An RMI server socket could be created to force
> listening on a specified interface, but I am not sure of any side
> effect.
> 
> Second, for my password problem, there was a problem with my
> configuration. In the tomcat service for JavaOptions, I had
> -Dcom.sun.management.jmxremote.authenticate=true (with a space after
> true), so when parsing the system properties in the Listener, the
> lines (in the init() method):
>    String authenticateValue = System.getProperty(
>                 "com.sun.management.jmxremote.authenticate", "true");
>    authenticate = Boolean.parseBoolean(authenticateValue);
> returned false.
> 
> This is only a problem with tomcat as a service (on windows); on the
> command line I'm guessing the double space won't be taken into account
> by the shell.
> 
> 
> And now, another problem with this is that I can't reference
> catalina.base in those options. I tried:
> %CATALINA_BASE%, $CATALINA_BASE, ${catalina.base} and none of these values
> are expanded.
> Is it possible at all?
> It is not so much of a problem, I can write the path by hand, but it
> would be nice to have.
> 

Where do you /set/ CATALINA_BASE ?




Re: JMX with Listener

Posted by Cédric Couralet <ce...@gmail.com>.
2012/12/11 André Warnier <aw...@ice-sa.com>:
> Cédric Couralet wrote:
> ...
>
>>
>> One question, though, in the tomcat doc (for 6.0.x) for the
>> JMXRemoteListener, the configuration is :
>>
>>
>> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
>>
>> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
>>
>> while mine is
>> -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
>> (notice the {} ).
>>
>> is it my mistake?
>>
>>
>
> No, it is not a mistake.  The above are lines extracted from a shell script,
> I presume.
> In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent.
> The {} form helps to clarify things for the shell when the character which
> *follows* the name of the variable, could be considered by the shell as part
> of the variable name.
> For example in :
>
> echo "something" > $my_file_conf
>
> it is not clear whether the name of the variable is "my" or "my_file" or
> "my_file_conf".
> (or anything in-between), and by default the shell will use the longer
> possibility.
>
> Writing this as
>
> echo "something" > ${my_file}_conf
>
> leaves only one possible interpretation.
>
> In "$CATALINA_BASE/conf/jmxremote.password" there is really no ambiguity
> (because "/" cannot be part of a variable name), but the form
> "${CATALINA_BASE}/conf/jmxremote.password" is anyway clearer and less prone
> to oversights.
> (But it is slightly more work to type, and as programmers are a notoriously
> lazy and hubristic bunch, they rarely go through the trouble).
>
> I suppose that - just to kid Christopher - I could go on like this, talking
> about interpolation and stuff, but I'll leave it at that because it's
> already late here.
>

I finally had some time to do some testing.
First, even with useLocalPorts=true, the JmxConnectorServer listens on
all interfaces but won't accept connections from remote hosts. From the
tomcat code, only the rmi client socket is forced to localhost, at
least on tomcat 6.0.x. An RMI server socket could be created to force
listening on a specified interface, but I am not sure of any side
effect.

Second, for my password problem, there was a problem with my
configuration. In the tomcat service for JavaOptions, I had
-Dcom.sun.management.jmxremote.authenticate=true (with a space after
true), so when parsing the system properties in the Listener, the
lines (in the init() method):
   String authenticateValue = System.getProperty(
                "com.sun.management.jmxremote.authenticate", "true");
   authenticate = Boolean.parseBoolean(authenticateValue);
returned false.

This is only a problem with tomcat as a service (on windows); on the
command line I'm guessing the double space won't be taken into account
by the shell.


And now, another problem with this is that I can't reference
catalina.base in those options. I tried:
%CATALINA_BASE%, $CATALINA_BASE, ${catalina.base} and none of these values
are expanded.
Is it possible at all?
It is not so much of a problem, I can write the path by hand, but it
would be nice to have.

Cédric
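
The failure described in the message above, reproduced as an added example (not part of the original post and not Tomcat's code): a trailing space in a service JavaOptions entry makes Boolean.parseBoolean return false, so JMX authentication is switched off without any error. The class name, the sample option list and the strictBoolean and audit helpers are hypothetical, and the sample assumes the service wrapper hands each entry to the JVM unchanged.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class JmxOptionAudit {

    // Constructed sample: service JavaOptions, one entry per line, each assumed
    // to reach the JVM verbatim. Note the trailing space after "true".
    static final List<String> JAVA_OPTIONS = Arrays.asList(
        "-Dcom.sun.management.jmxremote",
        "-Dcom.sun.management.jmxremote.authenticate=true ",
        "-Dcom.sun.management.jmxremote.ssl=false");

    /** Split -Dkey=value entries without trimming, as System.getProperty would see them. */
    static Map<String, String> toProperties(List<String> options) {
        Map<String, String> props = new LinkedHashMap<String, String>();
        for (String opt : options) {
            if (!opt.startsWith("-D")) continue;
            int eq = opt.indexOf('=');
            if (eq < 0) props.put(opt.substring(2), "");
            else props.put(opt.substring(2, eq), opt.substring(eq + 1));
        }
        return props;
    }

    /** Accept only "true" or "false" (any case, surrounding whitespace ignored); reject the rest. */
    static boolean strictBoolean(String name, String raw) {
        String v = raw.trim();
        if (v.equalsIgnoreCase("true")) return true;
        if (v.equalsIgnoreCase("false")) return false;
        // Fail loudly instead of silently treating a malformed value as "false".
        throw new IllegalArgumentException(name + " has non-boolean value \"" + raw + "\"");
    }

    /** Report values whose surrounding whitespace changes what Boolean.parseBoolean returns. */
    static List<String> audit(Map<String, String> props) {
        List<String> findings = new ArrayList<String>();
        for (Map.Entry<String, String> e : props.entrySet()) {
            String raw = e.getValue();
            String v = raw.trim();
            if (raw.equals(v)) continue;            // no stray whitespace, nothing to report
            String finding = e.getKey() + ": value \"" + raw + "\" has surrounding whitespace";
            if (v.equalsIgnoreCase("true") || v.equalsIgnoreCase("false")) {
                finding += "; Boolean.parseBoolean gives " + Boolean.parseBoolean(raw)
                         + ", intended " + v.toLowerCase();
            }
            findings.add(finding);
        }
        return findings;
    }

    public static void main(String[] args) {
        Map<String, String> props = toProperties(JAVA_OPTIONS);
        String key = "com.sun.management.jmxremote.authenticate";
        // Same default ("true") as the listener lines quoted in the message above.
        String raw = props.containsKey(key) ? props.get(key) : "true";

        // Lenient parse: only an exact, case-insensitive "true" counts as true.
        System.out.println("Boolean.parseBoolean: " + Boolean.parseBoolean(raw));
        // Strict parse: whitespace is trimmed, anything else is an error.
        System.out.println("strictBoolean:        " + strictBoolean(key, raw));

        for (String f : audit(props)) {
            System.out.println("FINDING " + f);
        }
    }
}
```

Running the audit over the options actually stored for the service, before relying on authenticate=true, catches this class of mistake on every instance rather than one at a time.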



Re: JMX with Listener

Posted by André Warnier <aw...@ice-sa.com>.
Cédric Couralet wrote:
...
> 
> One question, though, in the tomcat doc (for 6.0.x) for the
> JMXRemoteListener, the configuration is :
> 
> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
> 
> while mine is -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
> (notice the {} ).
> 
> is it my mistake?
> 
> 

No, it is not a mistake.  The above are lines extracted from a shell script, I presume.
In this particular case, $CATALINA_BASE and ${CATALINA_BASE} are equivalent.
The {} form helps to clarify things for the shell when the character which *follows* the 
name of the variable, could be considered by the shell as part of the variable name.
For example in :

echo "something" > $my_file_conf

it is not clear whether the name of the variable is "my" or "my_file" or "my_file_conf".
(or anything in-between), and by default the shell will use the longer possibility.

Writing this as

echo "something" > ${my_file}_conf

leaves only one possible interpretation.

In "$CATALINA_BASE/conf/jmxremote.password" there is really no ambiguity (because "/" 
cannot be part of a variable name), but the form 
"${CATALINA_BASE}/conf/jmxremote.password" is anyway clearer and less prone to oversights.
(But it is slightly more work to type, and as programmers are a notoriously lazy and 
hubristic bunch, they rarely go through the trouble).

I suppose that - just to kid Christopher - I could go on like this, talking about 
interpolation and stuff, but I'll leave it at that because it's already late here.





Re: JMX with Listener

Posted by Cédric Couralet <ce...@gmail.com>.
>>> Okay.
>>>> Now for my problems or questions: - Apparently, the Jmx
>>>> listener listens on 0.0.0.0 (confirmed by a netstat) on the two
>>>> ports configured for the listener, is it normal ? I thought
>>>> that useLocalPorts would restrain the listening only to
>>>> 127.0.0.1.
>>>
>>> useLocalPorts /should/ force 127.0.0.1 (actually "localhost"...
>>> whatever that resolves to on your server). Can you confirm that
>>> you are editing the correct server.xml? If you edit it in one
>>> place and then deploy it, please make sure you have the latest
>>> version installed under CATALINA_BASE/conf.
>>>
>>
>> So it should force 127.0.0.1, ok !
>
> No, it forces the hostname "localhost". That might mean 10.0.0.1 on
> your system. Try "host localhost" and see what happens.

Yes, I should have thought of that sooner, I saw a couple of times a
Windows server without any localhost in its hosts file.

thanks for the help.



Re: JMX with Listener

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Cédric,

On 12/11/12 1:08 PM, Cédric Couralet wrote:
>> Okay.
>>> Now for my problems or questions: - Apparently, the Jmx
>>> listener listens on 0.0.0.0 (confirmed by a netstat) on the two
>>> ports configured for the listener, is it normal ? I thought
>>> that useLocalPorts would restrain the listening only to
>>> 127.0.0.1.
>> 
>> useLocalPorts /should/ force 127.0.0.1 (actually "localhost"...
>> whatever that resolves to on your server). Can you confirm that
>> you are editing the correct server.xml? If you edit it in one
>> place and then deploy it, please make sure you have the latest
>> version installed under CATALINA_BASE/conf.
>> 
> 
> So it should force 127.0.0.1, ok !

No, it forces the hostname "localhost". That might mean 10.0.0.1 on
your system. Try "host localhost" and see what happens.

>>> - with jvisualvm i am able to connect through jmx with the url
>>> service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
>>> without entering the credentials (nagios:nagios).
>>> I thought that by entering
>>> com.sun.management.jmxremote.authenticate=true, even read
>>> access would be restricted.
>> 
>> I think you need to double-check that you are actually using the 
>> configuration you think you are.
>> 
> 
> I think so too now :) I'll double check it.
> 
> Is there a way to dump the jmx configuration in the jvm? It happens
> on all the tomcats in use (a lot) and I'm quite sure I am not
> mistaking the server.xml for every one of them.

You can see which ports are which using netstat. I don't believe you
can ask for the port numbers for your JMX listeners via JMX: you just
check the ports actually in use. You can check all the system
properties, of course, using jvisualvm.

> One question, though, in the tomcat doc (for 6.0.x) for the
> JMXRemoteListener, the configuration is :
>
> -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
> -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
>
> while mine is
> -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
> (notice the {} ).
>
> is it my mistake?

As long as a bash-like shell is interpreting it, the {} will not
interfere: they are just an explicit notation to the shell where the
environment variable's name begins and ends.

>> Another note: using traditional JMX with Nagios is going to suck.
>> You are probably going to make, say, 5 connections to your server
>> every minute to check on things like heap size, request-time,
>> etc. Each of those connections requires a complete JMX connection
>> which is not cheap to make -- especially if the client is running
>> on the same server. That's 5 JVMs, 5 JMX connections, etc. every
>> minute (or 5 or whatever).
> 
> We don't really use nagios as is. We use check_MK, an agent
> installed on the host for which I developed a plug-in to get only
> the information I want, with one connection to JMX (thus my need
> to restrict to localhost).

Gotcha. check_MK looks interesting, especially because you get RRD
databases for free. Hooray graphs!

>> If you just want to make some quick checks, consider looking at
>> the JMXProxyServlet which is provided by the manager webapp. I
>> believe it will be a much lighter-weight solution (and does not
>> require all of this crazy setup to configure JMX authentication,
>> etc.).
> 
> Some ancient rules force us to deactivate the manager webapp
> (those rules originated from some vulnerabilities with the manager
> webapp I believe), but I'm trying to get it back with the
> appropriate security, even if only to ease deployments :).

Note that you can enable access only to the JMXProxyServlet by simply
not allowing users to access other resources (like deploy/undeploy, etc.).

-chris



Re: JMX with Listener

Posted by Cédric Couralet <ce...@gmail.com>.
> Okay.
>> Now for my problems or questions: - Apparently, the Jmx listener
>> listens on 0.0.0.0 (confirmed by a netstat) on the two ports
>> configured for the listener, is it normal ? I thought that
>> useLocalPorts would restrain the listening only to 127.0.0.1.
>
> useLocalPorts /should/ force 127.0.0.1 (actually "localhost"...
> whatever that resolves to on your server). Can you confirm that you
> are editing the correct server.xml? If you edit it in one place and
> then deploy it, please make sure you have the latest version installed
> under CATALINA_BASE/conf.
>

So it should force 127.0.0.1, ok !

>> - with jvisualvm i am able to connect through jmx with the url
>> service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
>> without entering the credentials (nagios:nagios).
>> I thought that by entering
>> com.sun.management.jmxremote.authenticate=true, even read access
>> would be restricted.
>
> I think you need to double-check that you are actually using the
> configuration you think you are.
>

I think so too now :) I'll double check it.

Is there a way to dump the jmx configuration in the jvm?
It happens on all the tomcats in use (a lot) and I'm quite sure I am
not mistaking the server.xml for every one of them.

One question, though, in the tomcat doc (for 6.0.x) for the
JMXRemoteListener, the configuration is :

-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access

while mine is -Dcom.sun.management.jmxremote.password.file=${CATALINA_BASE}/conf/jmxremote.password
(notice the {} ).

is it my mistake?


> Another note: using traditional JMX with Nagios is going to suck. You
> are probably going to make, say, 5 connections to your server every
> minute to check on things like heap size, request-time, etc. Each of
> those connections requires a complete JMX connection which is not
> cheap to make -- especially if the client is running on the same
> server. That's 5 JVMs, 5 JMX connections, etc. every minute (or 5 or
> whatever).

We don't really use nagios as is. We use check_MK, an agent installed
on the host for which I developed a plug-in to get only the
information I want, with one connection to JMX (thus my need to
restrict to localhost).


> If you just want to make some quick checks, consider looking at the
> JMXProxyServlet which is provided by the manager webapp. I believe it
> will be a much lighter-weight solution (and does not require all of
> this crazy setup to configure JMX authentication, etc.).

Some ancient rules force us to deactivate the manager webapp (those
rules originated from some vulnerabilities with the manager webapp I
believe), but I'm trying to get it back with the appropriate security,
even if only to ease deployments :).

Thanks for the help !

> -chris


Re: JMX with Listener

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Cédric,

On 12/11/12 7:50 AM, Cédric Couralet wrote:
> In our tomcat, we use at the moment the JMXRemoteLifecycleListener 
> configured as :
> 
> <Listener
> className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" 
> rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"
> useLocalPorts="true" />

Okay.
> Now for my problems or questions: - Apparently, the Jmx listener
> listens on 0.0.0.0 (confirmed by a netstat) on the two ports
> configured for the listener, is it normal ? I thought that
> useLocalPorts would restrain the listening only to 127.0.0.1.

useLocalPorts /should/ force 127.0.0.1 (actually "localhost"...
whatever that resolves to on your server). Can you confirm that you
are editing the correct server.xml? If you edit it in one place and
then deploy it, please make sure you have the latest version installed
under CATALINA_BASE/conf.

> - with jvisualvm i am able to connect through jmx with the url
> service:jmx:rmi://localhost:10002/jndi/rmi://localhost:10001/jmxrmi
> without entering the credentials (nagios:nagios).
> I thought that by entering
> com.sun.management.jmxremote.authenticate=true, even read access
> would be restricted.

I think you need to double-check that you are actually using the
configuration you think you are.

Another note: using traditional JMX with Nagios is going to suck. You
are probably going to make, say, 5 connections to your server every
minute to check on things like heap size, request-time, etc. Each of
those connections requires a complete JMX connection which is not
cheap to make -- especially if the client is running on the same
server. That's 5 JVMs, 5 JMX connections, etc. every minute (or 5 or
whatever).

If you just want to make some quick checks, consider looking at the
JMXProxyServlet which is provided by the manager webapp. I believe it
will be a much lighter-weight solution (and does not require all of
this crazy setup to configure JMX authentication, etc.).

-chris