How to monitor WebLogic using Java Mission Control?

StackOverflow https://stackoverflow.com/questions/22643737

  •  21-06-2023
  •  | 
  •  

Question

I'd like to monitor performance on a web app we have hosted on WebLogic 10.3.6 using Java Mission Control. I am closely following the procedure discussed in a Java One 2013 talk on Java Mission Control.

When I try to Start Flight Recording, I get an error message:

enter image description here

As far as I can tell, I've set up the right Java command line arguments, etc. My Java is:

java version "1.7.0_40"
Java(TM) SE Runtime Environment (build 1.7.0_40-b43)
Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)

I start up WebLogic as follows:

C:\dev\dev-tools\Glassfish\jdk7\bin\java
-client
-Xms512m
-Xmx1024m
-XX:CompileThreshold=8000
-XX:PermSize=512m
-XX:MaxPermSize=512m
-Dweblogic.Name=AdminServer
-Djava.security.policy=C:\dev\servers\Oracle\WLS_10~1.6\WLSERV~1.3\server\lib\weblogic.policy
-Djava.net.preferIPv4Stack=true
-Xms2048m
-Xmx4096m
-XX:CompileThreshold=8000
-XX:PermSize=1024m
-XX:MaxPermSize=1536m
-verbose:gc
-XX:+PrintGCTimeStamps
-XX:+PrintGCDetails
-Xloggc:C:/Temp/gcsVBMS.txt
-XX:+PrintTenuringDistribution
-XX:-HeapDumpOnOutOfMemoryError
-XX:HeapDumpPath=c:\Temp\dump.hprof
    -XX:+UnlockCommercialFeatures
    -XX:+FlightRecorder
    -Dcom.sun.management.jmxremote.authenticate=false
    -Dcom.sun.management.jmxremote.ssl=false
-Xverify:none
-da
-Djavax.net.ssl.keyStore=XXX
-Djavax.net.ssl.keyStorePassword=jvmpassword
-Djavax.net.ssl.trustStore=XXX
-Djavax.net.ssl.keyStore=XXX
-Djavax.net.ssl.keyStorePassword=jvmpassword
-Djavax.net.ssl.trustStore=XXX
-Dplatform.home=C:\dev\servers\Oracle\WLS_10~1.6\WLSERV~1.3
-Dwls.home=C:\dev\servers\Oracle\WLS_10~1.6\WLSERV~1.3\server
-Dweblogic.home=C:\dev\servers\Oracle\WLS_10~1.6\WLSERV~1.3\server
-Dweblogic.management.discover=true
-Dwlw.iterativeDev=
-Dwlw.testConsole=
-Dwlw.logErrorsToConsole=
-Dweblogic.ext.dirs=C:\dev\servers\Oracle\WLS_10~1.6\patch_wls1036\profiles\default\sysext_manifest_classpath;C:\dev\servers\Oracle\WLS_10~1.6\patch_ocp371\profiles\default\sysext_manifest_classpath
weblogic.Server

I thought that jmc should be able to auto-connect to the discovered JVM, given that I've provided the recommended Java arguments (indented above). What do I need to do to get this to work?

Was it helpful?

Solution

Hopefully you have already got an answer for this somewhere else, but if not:

If I would guess, the issue is related somehow to the network config of your machine, you could try adding -Djava.rmi.server.hostname=localhost or -Djava.rmi.server.hostname=

You could also add -Dcom.sun.management.jmxremote.port=

and create a custom connection to localhost: or :

// Klara, Java Mission Control Dev

OTHER TIPS

I needed all these arguments to run my Integrated Weblogic, coming bundled in Jdeveloper:

-Dcom.sun.management.jmxremote 
-Dcom.sun.management.jmxremote.port=8999 
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false 
-XX:+UnlockCommercialFeatures 
-XX:+FlightRecorder

Be careful wit these options on production systems

-Dcom.sun.management.jmxremote.port=8999 
-Dcom.sun.management.jmxremote.ssl=false

Keep in mind that according to the Java documentation this can enable the execution of arbitrary source code as can read here:

Disabling Security

To disable both password authentication and SSL (namely to disable all security), you should set the following system properties when you start the Java VM.

com.sun.management.jmxremote.authenticate=false

com.sun.management.jmxremote.ssl=false

Caution - This configuration is insecure: any remote user who knows (or guesses) your port number and host name will be able to monitor and control your Java applications and platform. Furthermore, possible harm is not limited to the operations you define in your MBeans. A remote client could create ajavax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code. Consequently, while disabling security might be acceptable for development, it is strongly recommended that you do not disable security for production systems.

Source: https://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html

I believe the best way to use it in a secure way is using 2-way SSL as is exposed in this document:

https://www.ibm.com/support/knowledgecenter/en/SSJJ9R_5.0.1/com.ibm.jazz.repository.web.admin.doc/topics/t_server_mon_tomcat_option3.html

Set up client SSL authentication

From this point, a full SSL-secured solution requires that you also activate client-level SSL authentication. About this task You can configure client authentication for JMX to be SSL-certificate based. The following example shows how to configure JConsole to be SSL-certificate based. You can use similar steps to configure any other client. As a guideline, the general steps for this configuration are as follows: Create SSL key stores and trust stores for the client and server. Export certificates on each side. Exchange and import the certificates at the server level and client level. The Apache Tomcat server that is bundled with CLM has a keystore, and the previous instructions showed how to export the certificate and import it in the client. The following steps show the rest of configuration for implementing client authentication for JConsole. Sample values and self-signed certificates are used in the examples for clarity; you should adjust them for your environment policies.

Procedure

To create a keystore for JConsole, open a command prompt, and go to JazzInstallDir/server/jre/bin and enter the following command:

keytool -genkey -alias jconsole -keyalg RSA -validity 365 -keystore jconsole.keystore -storepass password -keypass password

Enter the following command to export the certificate from JConsole: keytool -export -alias jconsole -keystore jconsole.keystore -file client.cer -storepass password

Enter the following command to import into the Apache Tomcat trust store. The command generates a new trust store: keytool -import -alias jconsole-ibm-team -file client.cer -keystore ibm-team-ssl.truststore -storepass ibm-team -noprompt

To configure the server with the truststore, add the relevant properties to the server.startupfile, in addition to the properties for previous SSL configurations: Linux:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=path_to_the_trust_store/ibm-team-ssl.truststore" JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=ibm-team"

Microsoft Windows:

JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=path_to_the_trust_store/ibm-team-ssl.truststore JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=ibm-team Copy

To connect to JConsole, the following sample call uses these new assets. The authentication is based on certificate exchange.

jconsole -J-Djavax.net.ssl.trustStore=jconsole.truststore -J-Djavax.net.ssl.trustStorePassword=ibm-team -J-Djavax.net.ssl.keyStore=jconsole.keystore -J-Djavax.net.ssl.keyStorePassword=password service:jmx:rmi:///jndi/rmi://host:1099/jmxrmi

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top