Enabling Java Management Extensions (JMX) for Jamf Pro

Updated: 20 August 2021
Product: Jamf Pro

Java Management Extensions (JMX) can be used to generate metrics for Jamf Pro host server performance monitoring for on-premise environments. This article describes the process used to set up JMX.

Java provides built-in tools such as Jconsole that you can use to monitor these metrics. Alternatively, you may choose to use any third-party monitoring tool that can connect to JMX.

General Requirements

JMX monitoring tool (e.g., Jconsole, Zabbix, Nagios)

Enabling JMX on Linux

  1. On the Jamf Pro host server, copy the default JMX password file to /etc/ by executing:
    sudo cp /usr/lib/jvm/java<version>/jre/lib/management/jmxremote.password /etc/jmxremote.password
  2. Change the owner and the permissions of the jmxremote.password file by executing:
    sudo chown jamftomcat:jamftomcat /etc/jmxremote.password
sudo chmod 400 /etc/jmxremote.password
    Note:
    The JMX password file must be owned by the user and the group that runs Tomcat on the Jamf Pro host server and access must be restricted to that user. To confirm the user and the group, execute a command similar to the following: 
    ls -al /path/to/tomcat/
  3. Modify the jmxremote.password file and uncomment monitorRole and controlRole by removing "#" at the beginning of the line, then changing the password. The monitorRole role has password QED. The controlRole role has password R&D. Modify the file by executing:
    sudo nano /etc/jmxremote.password
  4. Save and exit.
  5. Modify the Java options on the Jamf Pro host server as defined by the setenv.sh file. Modify the file by executing:
    sudo nano /usr/local/jss/tomcat/bin/setenv.sh
    Add the following lines and modify the Djava.rmi.server.hostname value of My.IP.Address.Number to match the IP address of the Jamf Pro host server. The default port of 3333 can be modified as well.
    Note:

    Do not remove any settings.

    export CATALINA_OPTS="$CATALINA_OPTS -Djava.awt.headless=true"
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.port=3333"
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.ssl=false"
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote=true"
export CATALINA_OPTS="$CATALINA_OPTS -Djava.rmi.server.hostname=My.IP.Address.Number"
export CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/jmxremote.password"
  6. Save and exit.
  7. Modify the DataBase.xml file to turn on JMX for the specific web application by executing:
    sudo nano /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/xml/DataBase.xml
    Add the following between the <DataBase> </DataBase> entries: <EnableJMX>true</EnableJMX>
    Note: This enables connection pool metrics that can help you to understand how the connection pool is performing.

    This enables connection pool metrics that can help you to understand how the connection pool is performing.

  8. Save and exit.
  9. Restart Tomcat. For instructions, see Starting and Stopping Tomcat.
  10. If you have a firewall enabled in your environment, you must allow for incoming traffic on the port you specified above so that an external monitoring system can connect to your Jamf Pro host server via JMX.
  11. On a macOS system with Java installed, open Terminal and execute:
    jconsole

    Enter the Jamf Pro host server IP address, port, username, and password for the monitorRole specified above.

You can now use Jconsole or any third-party monitoring tool to leverage JMX.

For the full list of JMX objects, see the Java Management Extensions (JMX) Glossary for Jamf Pro article.

Enabling JMX on Windows

  1. On the Jamf Pro host server, open Command Prompt and execute the following to copy the default JMX password file to the root of the C: drive:
    copy "C:\Program Files\Java\jre<version>\lib\management\jmxremote.password.template" C:\jmxremote.password
  2. Change the owner of C:\jmxremote.password
    Note:

    • The JMX password file must be owned by the user that runs Tomcat on the Jamf Pro host server. If you used the Jamf Pro installer, the default owner of Tomcat is "System". For instructions on modifying ownership of the file, see: https://docs.oracle.com/javase/8/docs/technotes/guides/management/security-windows.html

    • You may see the following errors in the tomcat8-stderr<date>.log on Systems if the file is not restricted to the owner of Tomcat: "Error: Password file read access must be restricted: C:\jmxremote.password"

    • You may see the following errors in the tomcat8-stderr<date>.log on Systems if the file is restricted to a user other than the owner of Tomcat: "Error: Failed in reading the password file: C:\jmxremote.password"

  3. Use a text editor to modify the jmxremote.password file located at C:\jmxremote.password. Uncomment monitorRole and controlRole, then change the password. The monitorRole role has password QED. The controlRole role has password R&D.
  4. Save and exit.
  5. Modify the Java options on the Jamf Pro host server. Open C:\Program Files\JSS\Tomcat\bin\tomcat8w.exe application and navigate to the Java tab. Add the following lines and modify the Djava.rmi.server.hostname value of My.IP.Address.Number to match the IP address of the Jamf Pro host server. The default port of 3333 can be modified as well.
    Note:

    Do not remove any settings.

    -Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=3333
-Dcom.sun.management.jmxremote.rmi.port=3333
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=true
-Djava.rmi.server.hostname=My.IP.Address.Number
-Dcom.sun.management.jmxremote.password.file=C:\jmxremote.password
  6. Save and exit.
  7. Modify the Database.xml file located at the following filepath to turn on JMX for the specific web application:
    C:\Program Files\JSS\Tomcat\webapps\ROOT\WEB-INF\xml\DataBase.xml
    Add the following between the <DataBase> </DataBase> entries: <EnableJMX>true</EnableJMX>
    Note:

    This enables connection pool metrics that can help you to understand how the connection pool is performing.

  8. Save and exit.
  9. Restart Tomcat. For instructions, see Starting and Stopping Tomcat.
  10. If you have a firewall enabled in your environment, you must allow for incoming traffic on the port you specified above so that an external monitoring system can connect to your Jamf Pro host server via JMX by executing:
    netsh advfirewall firewall add rule name=JamfProJMX dir=in action=allow protocol=TCP localport=3333
  11. On a system with Java installed, open C:\Program Files\Java\jdk<version>\bin\jconsole.exe Enter the Jamf Pro host server IP address, port, username, and password for the monitorRole specified above.

You can now use Jconsole or any third-party monitoring tool to leverage JMX.

For the full list of JMX objects, see the Java Management Extensions (JMX) Glossary for Jamf Pro article.