Tunneling JMX in the 7u4 JDK

JMX is commonly used by Java tools such as Java Mission Control, JConsole and JVisualVM to monitor and manage the Java runtime and the applications running in the JVM. The protocol most commonly used behind the scenes is JMX over RMI. It requires a running RMI registry, from which the client looks up a stub for communicating with the RMI server. The RMI registry runs on a well-known port. For JRockit it was 7091 by default. For HotSpot it must be specified using a system property. The port for the RMI server, which is returned in the stub retrieved from the registry, is however anonymous by default. This makes tunneling traffic pretty cumbersome.

One handy but often overlooked feature that entered the 7u4 JDK as part of the JRockit convergence is the ability to specify the port of the RMI server. Setting the RMI registry and the RMI server to the same port makes tunneling much easier. The name of the property for setting the port of the RMI server was slightly changed from the JRockit implementation, and is now called com.sun.management.jmxremote.rmi.port instead of com.sun.management.rmiserver.port. Here is an example of how to enable the external management agent with the same RMI registry and RMI server port on the command line, in JDK 7u4 and later:

java -Dcom.sun.management.jmxremote.port=7091 -Dcom.sun.management.jmxremote.rmi.port=7091 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false

One could argue that better names for the properties would have been rmi.server.port and rmi.registry.port. 🙂

With some luck we will get startup flags similar to JRockit’s into HotSpot in the future. It is all too easy to get one of the system properties wrong, and there is no way you can tell for sure, because the parameters are not validated. In JRockit the same command line as above would have been:

java -Xmanagement:port=7091,rmiserver.port=7091,ssl=false,authenticate=false

IMHO it makes much more sense to let the directive to tell the JVM to start a management agent be a startup flag, rather than a set of arbitrary system properties. Not to mention getting some of that sweet validation of the parameters. 😉
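
Because the properties are not validated, a misspelled or stale name fails silently. The following Python check is an added example, not code from this post or from the JDK: it lints a java command line for unknown management properties, unpinned or mismatched ports, and disabled authentication or SSL. The function name, the finding codes and the sample command lines are assumptions made for the example, and the list of known properties is not exhaustive.

```python
import shlex

PREFIX = "com.sun.management."
# HotSpot management-agent properties: the two from the article plus other
# documented ones. Not exhaustive; extend for your JDK version.
KNOWN = {PREFIX + "jmxremote" + s for s in (
    "", ".port", ".rmi.port", ".authenticate", ".ssl", ".registry.ssl",
    ".ssl.need.client.auth", ".password.file", ".access.file",
    ".login.config", ".local.only")}
REGISTRY = PREFIX + "jmxremote.port"
SERVER = PREFIX + "jmxremote.rmi.port"


def check_jmx_flags(cmdline):
    """Return (code, detail) findings for the JMX -D flags on a java command line."""
    props = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D" + PREFIX):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    findings = []
    for name in sorted(props):
        if name not in KNOWN:
            # The JVM sets the property and nothing reads it: no error, no effect.
            findings.append(("unknown-property", name))
    for name in (REGISTRY, SERVER):
        value = props.get(name)
        if value is not None and not (value.isdecimal() and 0 < int(value) < 65536):
            findings.append(("bad-port", f"{name}={value}"))
    if REGISTRY in props and SERVER not in props:
        # RMI server port stays anonymous, so it cannot be forwarded in advance.
        findings.append(("anonymous-rmi-port", "jmxremote.rmi.port not set"))
    elif REGISTRY in props and props[REGISTRY] != props[SERVER]:
        findings.append(("split-ports", "registry and RMI server ports differ"))
    for flag in ("authenticate", "ssl"):
        if props.get(PREFIX + "jmxremote." + flag, "").lower() == "false":
            findings.append((f"{flag}-disabled", f"jmxremote.{flag}=false"))
    return findings


# Constructed sample command lines (app.jar is a placeholder).
GOOD = ("java -Dcom.sun.management.jmxremote.port=7091 "
        "-Dcom.sun.management.jmxremote.rmi.port=7091 -jar app.jar")
# Uses the old JRockit property name the article mentions.
STALE = ("java -Dcom.sun.management.jmxremote.port=7091 "
         "-Dcom.sun.management.rmiserver.port=7091 "
         "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar")

if __name__ == "__main__":
    for line in (GOOD, STALE):
        print(check_jmx_flags(line) or "ok")
```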

11 Responses to "Tunneling JMX in the 7u4 JDK"

  1. dimo says:

    Hi Marcus,

    thank you for the post – this is something we have been waiting for quite some time. BTW, it does not really work with all versions after jdk1.7u4. With u21 the JVM complained that the port is already in use so one has to use two different ports.
    With u40 and u45 it works as one would expect – you can define the same port and the communication really takes place only over this one port.

    Cheers,
    Dimo

  2. admin says:

    Hi Dimo,

    It really should have worked back in 7u4, but maybe there was a bug. I am on vacation this week, so can’t verify. Glad that it is useful for you! I’ve filed other improvements, such as improving the socket factories so that you can bind to a specific IP/interface. With some luck we’ll see those as an update to JDK 8. 🙂

    Kind regards,
    Marcus

  3. Alexis Hassler says:

    Really useful, but 2 years later this property does not appear in the Oracle documentation. Does it mean that the feature is not fully supported?

  4. Marcus says:

    Sorry about that. It’s supported. I filed https://bugs.openjdk.java.net/browse/JDK-8129948 to make sure it is added to the docs.

  5. hamid Seleman says:

    Hi Marcus,
    Thank you so much. I hit this issue when using openjdk 7. I have no encounters with sun jdk though. Now that I added -Dcom.sun.management.rmi.port along with -Dcom.sun.management.port, JConsole and JVisualVM work again!

  6. Marcus says:

    Oracle JDK FTW! 😉

  7. Krishna Enugandula says:

    Thank you Marcus. It worked for me.
    I hit this problem with a firewall, and after a lot of googling I was about to write the JMX agent; in a final attempt to search how it could be possible that nobody fixed this in a later JDK, I found your article.

  8. Dmitry says:

    Many Thanks for that property!!!!

  9. Goutam Reja says:

    It is a very interesting post. I have some firewall limitations on opening so many ports. So, I became very excited after reading it.
    Unfortunately, setting the same port for RMI and JMX, I am getting
    Bind exception, port is already used.
    I have tested with ActiveMQ 5 and Tomcat 7, and the Java version is jdk 1.8.0_131.
    So, I am confused, how it worked for others.
    Do I need to use anything more to make it workable?

    Thanks,
    Goutam

  10. Hemant says:

    Wow…saved my day. Thanks a lot
