Connecting To JBoss EAP Via JConsole in Domain Mode

Solution Verified - Updated -

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.x
    • 6.x

Issue

  • How do I connect to a JBoss instance within a domain via JConsole?
  • JConsole can not jmx connection domain mode
  • We saw the following instructions for jconsole, but this is for standalone mode. What about domain mode?
  • How to connect the JBoss EAP 6 via JConsole in domain mode on Windows ?
  • Can not see some mbeans through JConsole after enabling the rbac access-control in EAP 6.3 .
  • How to connect the JBoss using jconsole in domain mode on Linux?
  • How does one access the JMX info for a managed server instance in domain mode?

Resolution

To connect to JBoss EAP From JConsole:

  1. Make sure $JAVA_HOME is set correctly

  2. Set the remoting-connector in the jmx subsystem to not use the management endpoint. In domain mode only the host controller has a management port, i.e. the instances do not have a management endpoint. Setting use-management-endpoint=false makes the connection use the remote endpoint instead and it is valid for connecting with the individual servers.
    Example using the full-ha profile:

        /profile=full-ha/subsystem=jmx/remoting-connector=jmx:add(use-management-endpoint=false)

    This will result in a configuration change in the domain.xml as in:

        <subsystem xmlns="urn:jboss:domain:jmx:1.2">
         <expose-resolved-model/>
         <expose-expression-model/>
         <remoting-connector use-management-endpoint="false"/>
    </subsystem>

  3. Define an ApplicationRealm user with the help of add-user.sh or add-user.bat (i.e. option b when running add-user.sh). If your environment contains remote host controllers, the ApplicationRealm user would be defined on each of the host controllers.

  4. Start $JBOSS_HOME/bin/jconsole.sh and connect to the instance within the domain using service:jmx:remoting-jmx://{$HOSTNAME}:4447 and authenticating using the previously defined ApplicationRealm user.
    NOTE: JBoss EAP 7 has consolidated a lot of ports, so for JBoss EAP 7 the port associated with the HTTP socket binding (8080) should be used. In EAP 6 the protocol was remoting-jmx. In EAP 7 the protocol has been changed to remote+http.

Example

On domain configuration, set remoting connector on the domain:jmx subsystem:

<subsystem xmlns="urn:jboss:domain:jmx:1.3">
    <expose-resolved-model/>
    <expose-expression-model/>
    <remoting-connector use-management-endpoint="false"/>
</subsystem>

Then the remoting subsystem defines the remoting connector - here the native-remoting-connector defined:

<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <connector name="native-remoting-connector" socket-binding="remoting"/>
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>

Finally the respective socket binding:

<socket-binding-group name="full-ha-sockets" default-interface="public">
    <socket-binding name="remoting" port="4447" fixed-port="true"/>

Since here there is the remoting port set to 4447, therefore the URL would look like service:jmx:remote://<hostname>:<4447>. See notes below.

Notes :

  1. $HOSTNAME will be IP address or hostname on which server is running and 4447 is the default remoting port. Add respective port offset in 4447 to connect through jconsole.
  2. In EAP 6.3 ,if you have enabled the rbac access-control then you can not see all the mbeans throgh JConsole. To see all the mbeans through JConsole , you need to add that application user with superuser role through admin console and set realm to ApplicationRealm while adding it. The items you can see are accessible to all. The items you cannot see are protected. On top of that, most functionality of the visible items is refused with "Not authorized" when the user is not setup in a proper role.
  3. For JConsole connection with https, some additional steps are required.

Root Cause

As per jboss-as-jmx_1_2.xsd, it seems show-model is no longer available in EAP 6.1.x.

service:jmx:remoting-jmx://{host_name}:9999 cannot be used when attempting to connect to a specific instance within a domain. The aformentioned address connects to the domain controller. Port 9999 will be directed to the host controller, not to each managed server, using mgmt-users.properties for authentication.

Expected ports

The table below explains the port usage vs url:

Flag Definition Port URL
Use-management-endpoint=true (default) port="${jboss.management.http.port:9990}" Management Port service:jmx:remote+http://127.0.0.1:9990
Use-management-endpoint=false HTTP port="${jboss.http.port:8080}" service:jmx:remote+http://127.0.0.1:8080

Diagnostic Steps

To check if the connection request is raised on the JBoss, enable the TRACE log for org.jboss.remoting and check the connection information, like authentication or protocol issues.

<logger category="org.jboss.remoting">
    <level name="TRACE"/>
</logger>

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

2 Comments

Log in to comment
JL Red Hat Pro 647 points
16 August 2013 6:21 AM

Good reference ==> http://planet.jboss.org/post/jmx_connections_to_jboss_as

CH Community Member 37 points
8 August 2016 4:27 PM

EAP7 has consolidated a lot of ports, so for EAP7 the port associated with the HTTP socket binding (8080) should be used. EAP6 lists a remoting port in the socket bindings. EAP7 does not, so it's not clear whether it's possible to put JMX on another port.