Skip to main content
Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. If you like what you see, join us in person at the ninth annual Jamf Nation User Conference (JNUC) this October for three days of learning, laughter and IT love.

Enabling Java Management Extensions (JMX) for Jamf Pro

Overview

Java Management Extensions (JMX) can be used to generate metrics for Jamf Pro host server performance monitoring for on-premise environments. This article describes the process used to set up JMX.

Java provides built-in tools such as Jconsole that you can use to monitor these metrics. Alternatively, you may choose to use any third-party monitoring tool that can connect to JMX.

Versions Affected

All versions of Jamf Pro

Requirements

JMX monitoring tool (e.g., Jconsole, Zabbix, Nagios)

Procedures

Linux

  1. On the Jamf Pro host server, copy the default JMX password file to /etc/ by executing:
    sudo cp /usr/lib/jvm/java<version>/jre/lib/management/jmxremote.password /etc/jmxremote.password
  2. Change the owner and the permissions of the jmxremote.password file by executing:
    sudo chown jamftomcat:jamftomcat /etc/jmxremote.password
    sudo chmod 400 /etc/jmxremote.password
    Note: The JMX password file must be owned by the user and the group that runs Tomcat on the Jamf Pro host server and access must be restricted to that user. To confirm the user and the group, execute a command similar to the following:
    ls -al /path/to/tomcat/
  3. Modify the jmxremote.password file and uncomment monitorRole and controlRole by removing "#" at the beginning of the line, then changing the password. The "monitorRole" role has password "QED". The "controlRole" role has password "R&D". Modify the file by executing:
    sudo nano /etc/jmxremote.password
  4. Save and exit.

  5. Modify the Java options on the Jamf Pro host server as defined by the setenv.sh file. Modify the file by executing:

    sudo nano /usr/local/jss/tomcat/bin/setenv.sh

    Add the following lines and modify the Djava.rmi.server.hostname value of My.IP.Address.Number to match the IP address of the Jamf Pro host server. The default port of 3333 can be modified as well. Note: Do not remove any settings.

    export CATALINA_OPTS="$CATALINA_OPTS -Djava.awt.headless=true"
    export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.port=3333"
    export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.ssl=false"
    export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
    export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote=true"
    export CATALINA_OPTS="$CATALINA_OPTS -Djava.rmi.server.hostname=My.IP.Address.Number"
    export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/jmxremote.password"
  6. Save and exit.
  7. Modify the DataBase.xml file to turn on JMX for the specific web application by executing:
    sudo nano /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/xml/DataBase.xml
    Add the following between the <DataBase> </DataBase> entries: <EnableJMX>true</EnableJMX> Note: This enables connection pool metrics that can help you to understand how the connection pool is performing.
  8. Save and exit.
  9. Restart Tomcat. For instructions, see Starting and Stopping Tomcat.
  10. If you have a firewall enabled in your environment, you must allow for incoming traffic on the port you specified above so that an external monitoring system can connect to your Jamf Pro host server via JMX.
  11. On a macOS system with Java installed, open Terminal and execute:
    jconsole
    Enter the Jamf Pro host server IP address, port, username, and password for the monitorRole specified above.

At this point, you can use Jconsole or any third-party monitoring tool to leverage JMX.

For the full list of JMX objects, see the Java Management Extensions (JMX) Glossary for Jamf Pro Knowledge Base article.


Windows

  1. On the Jamf Pro host server, open Command Prompt and execute the following to copy the default JMX password file to the root of the C: drive:
    copy "C:\Program Files\Java\jre<version>\lib\management\jmxremote.password.template" C:\jmxremote.password
  2. Change the owner of C:\jmxremote.password Notes: -The JMX password file must be owned by the user that runs Tomcat on the Jamf Pro host server. If you used the Jamf Pro installer, the default owner of Tomcat is "System". For instructions on modifying ownership of the file, see: https://docs.oracle.com/javase/8/docs/technotes/guides/management/security-windows.html -You may see the following errors in the tomcat8-stderr<date>.log on Systems if the file is not restricted to the owner of Tomcat: Error: Password file read access must be restricted: C:\jmxremote.password -You may see the following errors in the tomcat8-stderr<date>.log on Systems if the file is restricted to a user other than the owner of Tomcat: Error: Failed in reading the password file: C:\jmxremote.password
  3. Use a text editor to modify the jmxremote.password file located at C:\jmxremote.password. Uncomment monitorRole and controlRole, then change the password. The "monitorRole" role has password "QED". The "controlRole" role has password "R&D".

  4. Save and exit.

  5. Modify the Java options on the Jamf Pro host server. Open C:\Program Files\JSS\Tomcat\bin\tomcat8w.exe application and navigate to the Java tab. Add the following lines and modify the Djava.rmi.server.hostname value of My.IP.Address.Number to match the IP address of the Jamf Pro host server. The default port of 3333 can be modified as well. Note: Do not remove any settings.
    -Dcom.sun.management.jmxremote
    -Dcom.sun.management.jmxremote.port=3333
    -Dcom.sun.management.jmxremote.rmi.port=3333
    -Dcom.sun.management.jmxremote.ssl=false
    -Dcom.sun.management.jmxremote.authenticate=true
    -Djava.rmi.server.hostname=My.IP.Address.Number
    -Dcom.sun.management.jmxremote.password.file=C:\jmxremote.password
  6. Save and exit.
  7. Modify the Database.xml file located at the following filepath to turn on JMX for the specific web application:

    C:\Program Files\JSS\Tomcat\webapps\ROOT\WEB-INF\xml\DataBase.xml

    Add the following between the <DataBase> </DataBase> entries:
    <EnableJMX>true</EnableJMX>
    Note: This enables connection pool metrics that can help you to understand how the connection pool is performing.

  8. Save and exit.

  9. Restart Tomcat. For instructions, see Starting and Stopping Tomcat.
  10. If you have a firewall enabled in your environment, you must allow for incoming traffic on the port you specified above so that an external monitoring system can connect to your Jamf Pro host server via JMX by executing:
    netsh advfirewall firewall add rule name=JamfProJMX dir=in action=allow protocol=TCP localport=3333
  11. On a system with Java installed, open C:\Program Files\Java\jdk<version>\bin\jconsole.exe Enter the Jamf Pro host server IP address, port, username, and password for the monitorRole specified above.

At this point, you can use Jconsole or any third-party monitoring tool to leverage JMX.

For the full list of JMX objects, see the Java Management Extensions (JMX) Glossary for Jamf Pro Knowledge Base article.

Like Comment