
For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.


Configure JMX connection for Apache Tomcat

You must configure a secure JMX connection for the Apache Tomcat application server.

The Server Configuration Tool and the Ant tasks can configure a default secure JMX connection, which includes the definition of a JMX remote port, and the definition of authentication properties. They modify tomcat_install_dir/bin/setenv.bat and tomcat_install_dir/bin/setenv.sh to add these options to CATALINA_OPTS:

Note: 8686 is a default value. The value for this port can be changed if the port is not available on the computer.

This file might not be used if you start Apache Tomcat with another command. If you installed the Apache Tomcat Windows Service Installer, the service launcher does not use setenv.bat.

Important: This configuration is not secure by default. To secure the configuration, you must manually complete steps 2 and 3 of the following procedure.


Procedure

Manually configuring Apache Tomcat:

  1. For a simple configuration, add the following options to CATALINA_OPTS:

      -Djava.rmi.server.hostname=localhost
      -Dcom.sun.management.jmxremote.port=8686
      -Dcom.sun.management.jmxremote.authenticate=false
      -Dcom.sun.management.jmxremote.ssl=false

  2. To activate authentication, see the Apache Tomcat user documentation SSL Support - BIO and NIO and SSL Configuration HOW-TO.
  3. For a JMX configuration with SSL enabled, add the following options:

      -Dcom.sun.management.jmxremote=true
      -Dcom.sun.management.jmxremote.port=8686
      -Dcom.sun.management.jmxremote.ssl=true
      -Dcom.sun.management.jmxremote.authenticate=false
      -Djava.rmi.server.hostname=localhost
      -Djavax.net.ssl.trustStore=<key store location>
      -Djavax.net.ssl.trustStorePassword=<key store password>
      -Djavax.net.ssl.trustStoreType=<key store type>
      -Djavax.net.ssl.keyStore=<key store location>
      -Djavax.net.ssl.keyStorePassword=<key store password>
      -Djavax.net.ssl.keyStoreType=<key store type>

    Note: The port 8686 can be changed.

  4. If the Tomcat instance is running behind a firewall, the JMX Remote Lifecycle Listener must be configured. See the Apache Tomcat documentation for JMX Remote Lifecycle Listener.

    The following environment properties must also be added to the Context section of the administration service application in the server.xml file, such as in the following example:

      <Context docBase="mfpadmin" path="/mfpadmin">
          <Environment name="mfp.admin.rmi.registryPort" value="registryPort" type="java.lang.String" override="false"/>
          <Environment name="mfp.admin.rmi.serverPort" value="serverPort" type="java.lang.String" override="false"/>
      </Context>

    In the previous example:

    • registryPort must have the same value as the rmiRegistryPortPlatform attribute of the JMX Remote Lifecycle Listener.
    • serverPort must have the same value as the rmiServerPortPlatform attribute of the JMX Remote Lifecycle Listener.

  5. If you installed Apache Tomcat with the Apache Tomcat Windows Service Installer, do not add the options to CATALINA_OPTS. Instead, run tomcat_install_dir/bin/Tomcat7w.exe, and add the options in the Java tab of the Properties window.

    Figure: Java tab in the Properties window of the Apache Tomcat Windows Service Installer
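A configuration check for the procedure above, as an added example that is not part of the IBM documentation: it flags JMX options in a setenv file that leave the connector without authentication or SSL, and verifies that the mfpadmin ports match the JMX Remote Lifecycle Listener. The function names, sample file contents and the port values 10001, 10002 and 10099 are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
JMX = "com.sun.management.jmxremote."

# Constructed sample inputs (not from a real server): the step 3 options as
# listed in this procedure, and a server.xml whose serverPort values disagree.
SETENV = '''CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote=true \\
 -Dcom.sun.management.jmxremote.port=8686 -Dcom.sun.management.jmxremote.ssl=true \\
 -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=localhost"
'''
SERVER_XML = '''<Server>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
  <Service><Engine><Host>
    <Context docBase="mfpadmin" path="/mfpadmin">
      <Environment name="mfp.admin.rmi.registryPort" value="10001" type="java.lang.String" override="false"/>
      <Environment name="mfp.admin.rmi.serverPort" value="10099" type="java.lang.String" override="false"/>
    </Context>
  </Host></Engine></Service>
</Server>'''

def audit_jmx_opts(text):
    """Flag JMX options in a setenv file that leave the connector unprotected."""
    opts = dict(re.findall(r'-D([\w.]+)=([^\s"\\]+)', text))
    findings = []
    if JMX + "port" in opts:  # a remote JMX connector is being opened
        for key in ("authenticate", "ssl"):
            if opts.get(JMX + key, "true").lower() == "false":  # JDK default is true
                findings.append(f"{JMX}{key}=false on port {opts[JMX + 'port']}")
        host = opts.get("java.rmi.server.hostname", "<unset>")
        if findings and host not in ("localhost", "127.0.0.1"):
            findings.append(f"unprotected connector advertised on host {host}")
    return findings

def audit_listener_ports(server_xml):
    """Compare the mfpadmin Environment ports with the JMX Remote Lifecycle Listener."""
    root = ET.fromstring(server_xml)
    listener = next((l for l in root.iter("Listener")
                     if l.get("className", "").endswith("JmxRemoteLifecycleListener")), None)
    if listener is None:
        return ["no JmxRemoteLifecycleListener defined"]
    env = {e.get("name"): e.get("value") for e in root.iter("Environment")}
    pairs = {"mfp.admin.rmi.registryPort": "rmiRegistryPortPlatform",
             "mfp.admin.rmi.serverPort": "rmiServerPortPlatform"}
    return [f"{name}={env.get(name)} but {attr}={listener.get(attr)}"
            for name, attr in pairs.items() if env.get(name) != listener.get(attr)]

if __name__ == "__main__":
    for finding in audit_jmx_opts(SETENV) + audit_listener_ports(SERVER_XML):
        print("FINDING:", finding)
```

Run against the step 3 options exactly as listed, the check still reports authenticate=false, which is why step 2 must be completed as well.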
