How to connect to AMQ JMX using Jconsole remotely

Solution In Progress - Updated -

Environment

  • Red Hat AMQ
    • 6.x

Issue

How to connect to AMQ JMX using Jconsole remotely?

Resolution

I have broken the tasks into the following steps

  1. Enable JMX
  2. Enable Remote Access
  3. Remote Connection String
  4. Common problems

Enable JMX

The JVM provides a JMX agent. The JMX agent is made up of an MBean Server, some agent services, some protocol adapters and connectors.

To enable the JMX agent you need to pass in the following system property into the JVM


-Dcom.sun.management.jmxremote

This property is set by default in the activemq start script.

Note: The property is required for accessing JMX from both the local machine or a remote machine.

By default the ActiveMQ jmx domain will be exposed however be aware that this can be disabled in the activemq.xml by using the following broker attribute.


<broker ... useJmx="false"> </broker>

Enable Remote Access

To enable access to JMX from a remote machine you need to pass in the following system properties to the JVM used by the activemq broker:


-Dcom.sun.management.jmxremote.port=<portNumber> -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false

When you specify the JMX remote port, JMX Authentication and SSL are activated by default. For demonstration purposes only, the sample config above deactivates both Authentication and SSL. This Oracle JMX article deals with setting up JMX remote access security.

Alternative approach to Enabling Remote Access

You can configure activemq to create its own JMX connector within the activemq.xml


<broker ...> ... <managementContext> <managementContext createConnector="true" connectorPort="2099"/> </managementContext> ... </broker>

Remote Connection String

In the Jconsole "New Connection" dialog box, enter the following string in the "Remote Process" area, where IP_ADDRESS and JMX_PORT are substituted with appropriate values


service:jmx:rmi:///jndi/rmi://IP_ADDRESS:JMX_PORT/jmxrmi

Common problem

Internally JMX uses RMI proxies. By default these proxies should contain the IP address of the machine exposing the JMX agent. However in a multi homed machine that IP address may not be visible/accessible from your remote machine. To ensure these proxies contain the accessible IP address pass the following system property to the activemq broker's JVM where X.X.X.X is the IP value.


-Djava.rmi.server.hostname=X.X.X.X

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

3 Comments

Note:

Tested with apache-activemq-5.5.1-fuse-04-01

I am trying to access remote brokers using jconsole from my local PC but it doesn't work. My A-MQ version is 6.3-310. I suppose I have configured all that is necessary as explained in this solution but it doesn't seem to help.

After long time struggling, I am finally able to connect to a remote AMQ 6 broker with remote JMX. Note that there is firewall opened in the remote broker Linux box. Here is my configuration.

  • In the setenv file, below is used:
export KARAF_OPTS="...... -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
  • In my activemq.xml, below is used:
        <managementContext>
            <managementContext createConnector="true" connectorPort="2099" connectorHost="10.72.45.226" rmiServerPort="38120"/>
        </managementContext>

Note that I specically used connectorHost as my broker Ip and rmiServerPort to point a non-used port. By default the rmiServerPort is 0, this will not be able to let me remote connect successful.

  • Restart broker, in the log, you will be able to see:
2020-04-07 11:52:47,338 | INFO  | JMX connector    | ManagementContext                | q.broker.jmx.ManagementContext$1  155 | 162 - org.apache.activemq.activemq-osgi - 5.11.0.redhat-630283 | JMX consoles can connect to service:jmx:rmi://10.72.45.226:38120/jndi/rmi://10.72.45.226:2099/jmxrmi
  • On my local box, start a JConsole and in the remote address tab, put below:
service:jmx:rmi://10.72.45.226:38120/jndi/rmi://10.72.45.226:2099/jmxrmi

This will first try a SSL connect then fail fast, then select "insecure" connect, it should be able to access.

  • Note: As I said before, the remote broker hosting on Linux have firewall enabled. So you need to open port for both 2099 and 38120 to allow access.
firewall-cmd --add-port=2099 --permanent
firewall-cmd --add-port=38120 --permanent
firewall-cmd --reload
firewall-cmd --list-all

You can use netstat -antlp on the broker side to see the port 2099 and 38120 are both ESTABLISHED.