Bug 39057 - Firewall access for JSR 160 JMX with Java 5
Summary: Firewall access for JSR 160 JMX with Java 5
Status: RESOLVED DUPLICATE of bug 39055
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 5.5.16
Hardware: Other other
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2006-03-21 23:06 UTC by George Lindholm
Modified: 2006-03-27 15:46 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description George Lindholm 2006-03-21 23:06:10 UTC
http://tomcat.apache.org/tomcat-5.5-doc/monitoring.html states:

  Note:The JSR 160 JMX-Adaptor opens a second data protocol port. That is a
problem when you have installed a local firewall.

This can be fixed by using a custom JMXConnectorServer to control both
ports thus allowing firewall access.

Eg. This is a GLP I threw together to try it out:

public class JMXPortServer extends HttpServlet {
  static JMXConnectorServer cs;
  static String jmxHost;
  static {
    try {
      final InetAddress host = InetAddress.getLocalHost();
      jmxHost = host.getHostName();
      final int jmxPort =
      final int jmxPort2 = jmxPort + 1;

      MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();

      HashMap env = new HashMap();
      final String sslProperty = "com.sun.management.jmxremote.ssl";
      String value = System.getProperty(sslProperty);
      if (Boolean.getBoolean(value)) {
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();
        env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);

      final String passwordFileProperty =
      value = System.getProperty(passwordFileProperty);
      if (value != null) {
        env.put("jmx.remote.x.password.file", value);

      final String jmxUrl = "service:jmx:rmi://" + jmxHost + ":" + jmxPort2
+"/jndi/rmi://" + jmxHost + ":" + jmxPort + "/server";
      final JMXServiceURL url = new JMXServiceURL(jmxUrl);
      cs = JMXConnectorServerFactory.newJMXConnectorServer(
          url, env, mbs);

      try {
        LogService.log(LogService.INFO, "JMXPrtServer started on " + jmxUrl);
      } catch (IOException ex) {
        LogService.log(LogService.ERROR, ex);
    } catch (Exception ex) {

I tell tomcat to load the servlet through web.xml and start the
JVM with:

-Dcom.sun.management.jmxremote -Dorg.jasig.portal.jmxPort=7087

I then run jconsole on my desktop with:

  jconsole service:jmx:rmi://host:7088/jndi/rmi://host:7087/server

and, bingo, JMX access.

It would be be better if this was built into Tomcat as a configuration
option, rather than having to do it as part of every Tomcat instance.

I haven't tried out the ssl connection code (I got this code from
Comment 1 George Lindholm 2006-03-27 23:46:21 UTC
Not sure how I managed to create a second instance of this

*** This bug has been marked as a duplicate of 39055 ***