Remote JMX Monitoring
The out-of-the-box Windchill configuration results in server side processes that only allow incoming JMX connections from the same machine and user account.
This "local connection" capability is not provided by IBM JVMs. You must configure for remote JMX connections in order to connect to Tomcat or the server manager when an IBM JVM is used. Also, the Windows services normally run under a different user account. Unless this is changed, you cannot use local monitoring to monitor any process that is run as a Windows service.
This configuration is used out-of-the-box so as to default to a secure, locked down configuration.
You might want to check up on server processes from other machines and user accounts. JConsole and VisualVM are JMX consoles that are capable of forming the type of connections allowed by the out-of-the-box configuration.
Managing a Remote Machine using JConsole
If you are using JConsole to manage a remote machine, you must specify the host name and port number of the specific servlet engine, server manager, or method server on the machine to which you want to connect. Use the Remote Process option that is on the JConsole connection window to enter this information.
Additionally, you must configure the remote machine to accept remote management. For details on configuring a machine to accept remote management, refer to the following URL:
Managing a Remote Machine using VisualVM
If you are using VisualVM to manage a remote machine, you must specify the host name and port number of the specific server manager or method server on the machine to which you want to connect. Select Add JMX Connection from the File menu that is on the VisualVM connection window to enter this information.
Additionally, you must configure the remote machine to accept remote management. For details on configuring a machine to accept remote management, refer to the following URL (the JConsole information provided also applies to VisualVM):
Configuring JMX Connections to Server Managers and Method Servers
This configuration should only be used for testing purposes as it is not secure. For details as to how to change these settings and configure for more secure JMX connections, see the documentation on the web site at the following URL:
Thus for maintenance, ease of interaction with Technical Support, and others, PTC recommends that the properties described in this section be used. Additionally, you can manually run the Windchill Configuration Assistant to configure an authenticated but non-SSL remote JMX connection. When running the assistant, respond with y to the following prompt:
Do you want to enable authenticated (non-SSL) remote JMX access (y/n)?
Method servers are different in that the server manager starts multiple method servers, starts new method servers when old ones become unresponsive, and so on.
Method servers select the first available port in the range specified by the wt.jmx.rmi.minPort and wt.jmx.rmi.maxPort wt.properties settings.
You should not assign a single fixed JMX RMI port to Windchill method servers (using the wt.jmx.rmi.port property). Instead allow each method server to obtain an available port from the port range specified by wt.jmx.rmi.minPort and wt.jmx.rmi.maxPort.
The information necessary to directly connect to a given method server is exposed using the JMX MBean attributes at the server manager level. Use the xconfmanager utility to set the following properties (the example is shown on multiple lines; enter the xconfmanager command on one line):
xconfmanager -s wt.manager.cmd.common.jmx.args="-Dcom.sun.management.jmxremote
-Djmx.remote.protocol.provider.pkgs=wt.jmx.remote.protocol
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.ssl.need.client.auth=false"
-s wt.manager.cmd.ServerManager.jmx.args="-Dwt.jmx.rmi.port=<open_port>"
-t wt.properties -p
where <open_port> can be the number of any open TCP/IP port you choose. This is the port number you specify when connecting remotely.
Be sure to propagate these changes by including the -p option in the xconfmanager command.
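As an added example (not PTC code), the following Python script audits the contents of a wt.properties file for the unauthenticated, non-SSL JMX settings written by the command above and lists the JMX RMI ports (the server manager port plus the method server range) that should be restricted at the firewall. The sample file contents and port numbers are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: wt.properties as it might look after the xconfmanager
# command above. Port numbers are made up; '=' is shown escaped the way
# java.util.Properties.store writes it (unescaped values parse the same).
SAMPLE = r"""
wt.manager.cmd.common.jmx.args=-Dcom.sun.management.jmxremote \
    -Djmx.remote.protocol.provider.pkgs\=wt.jmx.remote.protocol \
    -Dcom.sun.management.jmxremote.authenticate\=false \
    -Dcom.sun.management.jmxremote.ssl\=false
wt.manager.cmd.ServerManager.jmx.args=-Dwt.jmx.rmi.port\=9010
wt.jmx.rmi.minPort=40000
wt.jmx.rmi.maxPort=40003
"""
UNESC = re.compile(r"\\([=:#!\\ ])")  # backslash escapes used in .properties files

def load_properties(text):
    """Parse the subset of .properties syntax needed here into a dict."""
    props = {}
    for line in re.sub(r"\\\r?\n[ \t]*", "", text).splitlines():  # join continuations
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = (re.split(r"(?<!\\)([=:])", line, maxsplit=1) + ["", ""])[:3]
        props[UNESC.sub(r"\1", key.strip())] = UNESC.sub(r"\1", value.strip())
    return props

def jvm_defines(arg_string):
    """Map the -Dname[=value] tokens of a JVM argument string to a dict."""
    pairs = (tok[2:].partition("=") for tok in arg_string.split() if tok.startswith("-D"))
    return {name: val.strip('"').lower() for name, _, val in pairs}

def audit_jmx(props):
    """Return (findings, ports): disabled JMX protections and the RMI ports in use."""
    findings, ports = [], set()
    for key in sorted(k for k in props if k.endswith(".jmx.args")):
        defines = jvm_defines(props[key])
        for flag in ("authenticate", "ssl"):
            if defines.get("com.sun.management.jmxremote." + flag) == "false":
                findings.append(f"{key}: JMX {flag} disabled")
        if defines.get("wt.jmx.rmi.port", "").isdigit():
            ports.add(int(defines["wt.jmx.rmi.port"]))  # fixed server manager port
    lo, hi = props.get("wt.jmx.rmi.minPort", ""), props.get("wt.jmx.rmi.maxPort", "")
    if lo.isdigit() and hi.isdigit():
        ports.update(range(int(lo), int(hi) + 1))  # method servers take the first free one
    return findings, sorted(ports)

if __name__ == "__main__":
    found, open_ports = audit_jmx(load_properties(SAMPLE))
    print("\n".join(found) or "no disabled JMX protections found")
    print("JMX RMI ports to restrict:", open_ports)
```

Only an explicit `=false` is reported; the script makes no claim about what Windchill does when a flag is absent.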
Connecting Remotely when there are Firewalls
Firewalls are generally configured to block RMI. Unfortunately, RMI is the built-in wire protocol for "JSR 160" JMX remote communication in the JDK. JSR 160 specifies a general architecture for JMX remote protocols, but no other protocols have been included in the latest supported version of the JDK.
Windchill provides a specialized, non-transparent HTTP(S) proxy for JMX JSR 160 remote communications called JmxProxyServlet. In terms of network access, this proxy only requires normal HTTP(S) access to the Windchill web application.
To use this JSR 160 savvy JMX console and the JMX RMI connections that you have established as a result of reading earlier sections in this guide, perform the following steps:
1. Copy the following files from codebase/lib to your Java JDK jdk/lib/ext directory:
WtHttpClientAddOns.jar
WtJmxClientConn.jar
You can do this by browsing to the following URL in the browser, picking these files, and saving the results to your Java JDK jdk/lib/ext directory:
http(s)://yourHostAndPort/yourWebAppName/lib
2. Provide your JMX console with the following JSR 160 connection URL:
service:jmx:ptchttp://yourHostAndPort/yourWebAppName/servlet/JmxProxyServlet?jmxurl=service:jmx:rmi://jmxTargetHost/jndi/rmi://jmxTargetHost:jmxTargetPort/jmxrmi
where you should replace the following:
◦ http with https if using https.
◦ yourHostAndPort with your web server host and port.
◦ yourWebAppName with your Windchill web application name, for example, Windchill_10.
◦ jmxTargetHost and jmxTargetPort with the host name and port, respectively, that the proxy servlet should connect to using JMX RMI.
For JConsole, the URL required in step 2 can either be provided on the command line or by using the Remote Process option on the JConsole connection window.
A utility exists to ease the process of creating the required URLs. To use the utility, the JARs identified in step 1 do not have to be installed in the JDK jdk/lib/ext directory as long as they are in the same directory as each other and have their original names.
On the command line, enter the following command:
• From within the same directory as WtJmxClientConn.jar:
...java -jar WtJmxClientConn.jar -usage
You can use the help to enter a command line or graphical utility to construct a JMX service URL and optionally launch JConsole with it. On Windows, you can simply double-click on WtJmxClientConn.jar to launch the graphical version of the utility.