1
votes

I am trying to connect to a remote java app using jconsole as a JMX client over ssh

I have built the CustomAgent described on https://blogs.oracle.com/jmxetc/entry/connecting_through_firewall_using_jmx

The code for the agent is here

/**
* CustomAgent.java

* https://blogs.oracle.com/jmxetc/entry/connecting_through_firewall_using_jmx
*/

package example.rmi.agent;

import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.net.InetAddress;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;

/**
 * This CustomAgent will start an RMI COnnector Server using only
 * port "example.rmi.agent.port".
 *
 * @author dfuchs
 */
public class CustomAgent {

    private CustomAgent() { }

    public static void premain(String agentArgs) 
    throws IOException {

        // Ensure cryptographically strong random number generator used
        // to choose the object number - see java.rmi.server.ObjID
        //
        System.setProperty("java.rmi.server.randomIDs", "true");

        // Start an RMI registry on port specified by example.rmi.agent.port
        // (default 3000).
        //
        final int port= Integer.parseInt(
                System.getProperty("example.rmi.agent.port","3000"));
        System.out.println("Create RMI registry on port "+port);
        LocateRegistry.createRegistry(port);


        // Retrieve the PlatformMBeanServer.
        //
        System.out.println("Get the platform's MBean server");
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();

        // Environment map.
        //
        System.out.println("Initialize the environment map");
        HashMap<String,Object> env = new HashMap<String,Object>();

        // This where we would enable security - left out of this
        // for the sake of the example....
        //

        // Create an RMI connector server.
        //
        // As specified in the JMXServiceURL the RMIServer stub will be
        // registered in the RMI registry running in the local host on
        // port 3000 with the name "jmxrmi". This is the same name the
        // out-of-the-box management agent uses to register the RMIServer
        // stub too.
        //
        // The port specified in "service:jmx:rmi://"+hostname+":"+port
        // is the second port, where RMI connection objects will be exported.
        // Here we use the same port as that we choose for the RMI registry. 
        // The port for the RMI registry is specified in the second part
        // of the URL, in "rmi://"+hostname+":"+port
        //
        System.out.println("Create an RMI connector server");
        final String hostname = InetAddress.getLocalHost().getHostName();
        //JMXServiceURL url =
        //    new JMXServiceURL("service:jmx:rmi://"+hostname+
        //    ":"+port+"/jndi/rmi://"+hostname+":"+port+"/jmxrmi");

        //Added to allow  connection through a firewall
        // We use (port+1) to export the RMI connection objects
        JMXServiceURL url =
            new JMXServiceURL("service:jmx:rmi://"+hostname+
            ":"+(port+1)+"/jndi/rmi://"+hostname+":"+port+"/jmxrmi");




        // Now create the server from the JMXServiceURL
        //
        JMXConnectorServer cs =
            JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);

        // Start the RMI connector server.
        //
        System.out.println("Start the RMI connector server on port "+port);
        cs.start();
    }
}

The build script is here

<project name="Agent" basedir="." default="main">

    <property name="src.dir"     value="src"/>
    <property name="build.dir"   value="build"/>
    <property name="classes.dir" value="${build.dir}/classes"/>
    <property name="jar.dir"     value="${build.dir}/jar"/>
    <property name="main-class"  value="example.rmi.agent.CustomAgent"/>

    <target name="clean">
        <delete dir="${build.dir}"/>
    </target>

    <target name="compile">
        <mkdir dir="${classes.dir}"/>
        <javac srcdir="${src.dir}" destdir="${classes.dir}"/>
    </target>

    <target name="jar" depends="compile">
        <mkdir dir="${jar.dir}"/>
        <jar destfile="${jar.dir}/${ant.project.name}.jar" basedir="${classes.dir}">
            <manifest>
                <attribute name="Main-Class" value="${main-class}"/>
            </manifest>
        </jar>
    </target>    

    <target name="run" depends="jar">
        <java jar="${jar.dir}/${ant.project.name}.jar" fork="true"/>
    </target>    
    <target name="clean-build" depends="clean,jar"/>    
    <target name="main" depends="clean,run"/>

     <!-- Builds dist.agent.jar -->    
    <target name="build-agent-jar" description="build an agent jar that can be used with -javaagent"   depends="compile">
        <mkdir dir="${jar.dir}"/>
        <jar basedir="${classes.dir}"  destfile="${jar.dir}/${ant.project.name}.jar">
                <manifest>
                    <attribute name="Premain-Class" value="example.rmi.agent.CustomAgent"/>
                </manifest>
        </jar>
        <echo>To use this application with agent try:</echo>
        <echo>java -Dexample.rmi.port=3000 -javaagent:${dist.agent.jar} -classpath [application-classpath] [application-classpath] [application-main-class]</echo>
    </target>
</project>

I start the application on the remote machine using

java -javaagent:agents/build/jar/Agent.jar -Dexample.rmi.agent.port=6004 -server -server -Dcom.sun.management.jmxremote.authenticate="false" -Dcom.sun.management.jmxremote="true" -Dcom.sun.management.jmxremote.ssl="false" -Dcom.sun.management.jmxremote.local.only="false" -jar path-to-my-app/app.jar

Two ports open on the host machine, 6004 and 6005 and I can connect to the application through jconsole if the jconsole is local to the application.

I then create 2 ssh tunnels

ssh tunnels ssh -L 6004:localhost:6004 foo@server ssh tunnels ssh -L 6005:localhost:6005 foo@server

The tunnels are created successfully. I can telnet in on these ports.

Now the problem is that I can not connect remotely using Jconsole though

service:jmx:rmi://localhost:6005/jndi/rmi://localhost:6004/jmxrmi

jconsole was started by:

jconsole -J-Djava.util.logging.config.file=logging.properties -debug

The error log is:

Dec 18, 2011 4:57:46 PM RMIConnector connect
FINER: [javax.management.remote.rmi.RMIConnector: jmxServiceURL=service:jmx:rmi://localhost:6005/jndi/rmi://localhost:6004/jmxrmi]

connecting... Dec 18, 2011 4:57:46 PM RMIConnector connect FINER: [javax.management.remote.rmi.RMIConnector: jmxServiceURL=service:jmx:rmi://localhost:6005/jndi/rmi://localhost:6004/jmxrmi] finding stub... Dec 18, 2011 4:58:49 PM RMIConnector connect FINER: [javax.management.remote.rmi.RMIConnector: jmxServiceURL=service:jmx:rmi://localhost:6005/jndi/rmi://localhost:6004/jmxrmi] connecting stub... Dec 18, 2011 4:58:49 PM RMIConnector connect FINER: [javax.management.remote.rmi.RMIConnector: jmxServiceURL=service:jmx:rmi://localhost:6005/jndi/rmi://localhost:6004/jmxrmi] getting connection... Dec 18, 2011 4:59:52 PM RMIConnector connect FINER: [javax.management.remote.rmi.RMIConnector: jmxServiceURL=service:jmx:rmi://localhost:6005/jndi/rmi://localhost:6004/jmxrmi] failed to connect: java.rmi.ConnectException: Connection refused to host: 172.16.0.111; nested exception is: java.net.ConnectException: Connection timed out java.rmi.ConnectException: Connection refused to host: 172.16.0.111; nested exception is: java.net.ConnectException: Connection timed out at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:619) at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216) at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202) at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:128) at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source) at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2343) at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:296) at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:267) at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:226) at sun.tools.jconsole.ProxyClient.tryConnect(ProxyClient.java:366) at sun.tools.jconsole.ProxyClient.connect(ProxyClient.java:316) at sun.tools.jconsole.VMPanel$2.run(VMPanel.java:298) Caused by: java.net.ConnectException: Connection timed out at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384) at java.net.Socket.connect(Socket.java:546) at java.net.Socket.connect(Socket.java:495) at java.net.Socket.(Socket.java:392) at java.net.Socket.(Socket.java:206) at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:40) at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:146) at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613) ... 11 more

3

3 Answers

2
votes

I needed to add

-Djava.rmi.server.hostname=localhost

to the java -server parameters

1
votes

BTW second port now supported directly by the Hotspot 7 JVM - http://dimovelev.blogspot.de/2013/10/out-of-box-jmx-over-firewall-in-hotspot.html

0
votes

Try running your server with following options:

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=6004
-Dcom.sun.management.jmxremote.rmi.port=6004
-Dcom.sun.management.jmxremote.ssl=false 
-Dcom.sun.management.jmxremote.authenticate=false 
-Dcom.sun.management.jmxremote.local.only=true

Once you have a tunnel for 6004 try this with jconsole:

jconsole -J-DsocksProxyHost=127.0.0.1 -J-DsocksProxyPort=6004 service:jmx:rmi:///jndi/rmi://0.0.0.0:6004/jmxrmi -J-DsocksNonProxyHosts=