JVM (with authentication)

Using Password and Access Files

The password and access files control authentication and authorization for monitoring. A user works only if it has an entry in both the password file and the access file.


Password File

The password file defines different users and their passwords.

Create the password file (for example ‘jmxremote.password’) in a secure folder using the following template:

# The "monitorUser" user has password "QED".
monitorUser QED

The password file should be owned by the user who runs the Java service and should have read-only permissions.


How to create the password file

On Linux systems:

  • open a terminal with root privileges
  • create a folder
  • create a file in an editor
  • change the file owner to the user who runs the Java service by executing:

chown xxx jmxremote.password (where xxx is the user name)

  • set permissions for the password file by executing:

chmod 600 jmxremote.password

On Windows systems:

  • start a Windows session as administrator
  • create a folder in the root folder
  • create a file in an editor
  • set permissions for the password file by executing:

cacls jmxremote.password /G xxx:R (where xxx is the user name)


Access file

The access file defines users and their access levels. Note that it should be placed in the same folder as the password file.

Create the access file (for example ‘jmxremote.access’) using the following template:

# The "monitorUser" user has readonly access.
monitorUser readonly

The access file should be owned by the user who runs the Java service and should have read-only permissions.

How to create the access file

On Linux systems:

  • open a terminal with root privileges
  • create a folder
  • create a file in an editor using the template above
  • change the file owner to the user who runs the Java service by executing:

chown xxx jmxremote.access (where xxx is the user name)

  • set permissions for the access file by executing:

chmod 600 jmxremote.access

On Windows systems:

  • start a Windows session as administrator
  • create a folder in the root folder
  • create a file in an editor using the template above
  • set permissions for the access file by executing:

cacls jmxremote.access /G xxx:R (where xxx is the user name)
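
A check for the Linux steps above, as an added shell example that is not part of the original page: it verifies that both files are accessible to their owner only and that every user has an entry in both files. The function names, the finding labels and the sample users other than monitorUser are assumptions, as is treating any access level other than readonly as a finding.

```sh
#!/bin/sh
# Added example: audit a JMX password/access file pair before starting the JVM.

# Print a file's octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# audit_jmx_files PASSWORD_FILE ACCESS_FILE
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_jmx_files() {
    rc=0
    for f in "$1" "$2"; do
        mode=$(file_mode "$f") || { echo "MISSING $f"; rc=1; continue; }
        case $mode in
            ?00) ;;   # owner-only, such as the 600 set with chmod
            *) echo "PERM $f mode=$mode (group/other must have no access)"; rc=1 ;;
        esac
    done
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        src == "pw"  { pw[$1] = 1; next }     # password file: user password
        src == "acc" { acc[$1] = $2 }         # access file: user level
        END {
            for (u in pw) if (!(u in acc)) { print "NOACCESS " u; bad = 1 }
            for (u in acc) {
                if (!(u in pw)) { print "NOPASSWORD " u; bad = 1 }
                # Assumption: a monitoring user needs readonly and nothing more.
                if (acc[u] != "readonly") { print "LEVEL " u " " acc[u]; bad = 1 }
            }
            exit bad + 0
        }
    ' src=pw "$1" src=acc "$2" || rc=1
    return $rc
}

# Constructed sample: "backup" has no access entry, "admin" has no password.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '# constructed' 'monitorUser QED' 'backup s3cret' > "$d/jmxremote.password"
    printf '%s\n' 'monitorUser readonly' 'admin readwrite' > "$d/jmxremote.access"
    chmod 600 "$d/jmxremote.password"; chmod 644 "$d/jmxremote.access"
    st=0; audit_jmx_files "$d/jmxremote.password" "$d/jmxremote.access" || st=$?
    rm -rf "$d"; return $st
}

# Run the demo only when asked, so the file can also be sourced.
[ "${1:-}" != "--demo" ] || demo
```

Run it with --demo to see the findings for the constructed sample, or source it and call audit_jmx_files with the paths of your own two files.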


Java service configuration

Configure your service to start with the following VM parameters:

-Dcom.sun.management.jmxremote.port=SELECTED_PORT
-Dcom.sun.management.jmxremote.local.only=false
-Dcom.sun.management.jmxremote.password.file=jmxremote.password
-Dcom.sun.management.jmxremote.access.file=jmxremote.access
-Dcom.sun.management.jmxremote.ssl=false

Replace ‘SELECTED_PORT’ with your own port number (see the example below).

Example:

java -Dcom.sun.management.jmxremote.port=9010 \
     -Dcom.sun.management.jmxremote.local.only=false \
     -Dcom.sun.management.jmxremote.password.file=jmxremote.password \
     -Dcom.sun.management.jmxremote.access.file=jmxremote.access \
     -Dcom.sun.management.jmxremote.ssl=false \
     -jar tomcat.jar