Ad Widget

Collapse

JMX through firewall Zabbix 2.0

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • jruizjimenez
    Junior Member
    • Jul 2012
    • 10
    #1

    JMX through firewall Zabbix 2.0

    Hi

    We have been using the new Zabbix 2.0 JMX Agent but i believe it can't be used if there is a firewall between Zabbix and the monitored server.

    From our testing with Zabbix 2.0

    • JMX uses two ports, one for the RMI registry and another to export JMX RMI connection objects.
    • The second port is random. It's possible but very difficult to change that port from random to fixed. It's not just adding some configuration options to the java server [note 1]
    • Since we can't open all ports on the firewall then Zabbix Java Agent can't connect to the RMI port on the monitored host.


    We are going to test Zapcat with Zabbix 2.0, because Zapcat is firewall friendly as you only have to open a single port, JMX and RMI is handled by Zapcat on the monitored host.

    I will suggest to include the possibility to run a Zabbix Java gateway in each monitored host, that way communication is done thought a single port.

    Do you have any other suggestions?

    Thanks

    note 1: Connecting Through Firewall Using JMX - Without modifying the server application https://blogs.oracle.com/jmxetc/entr...wall_using_jmx
    Tags: firewall, jmx, zabbix java gateway
    • jruizjimenez
      Junior Member
      • Jul 2012
      • 10
      #2
      I can confirm that zapcat stills works with Zabbix 2.0.

        Comment

        • hrouxel
          Junior Member
          • Jul 2012
          • 8
          #3
          Hello,

          If tomcat is over 6.0.24, http://gabenell.blogspot.fr/2010/04/...6-through.html gives a simple way to do it with two fixed ports.
          Use rmiRegistryPortPlatform port for the JMX connector

          As we have several tomcats running on the same server, we've needed to declare each one as a separate server (with its own JMX connector port) elsewhere Zabbix blames for duplicate keys (it doesn't care that the JMX connectors ports are different).

          And it works !

            Comment

            • jruizjimenez
              Junior Member
              • Jul 2012
              • 10
              #4
              Thanks,

              I will try you solution, we have many JMX servers to monitor: JBoss, Oracle Weblogic, Apache Tomcat, Apache Servicemix, more to add..., so I will need to find how to set RMIServer port for each one, it should be easier than adding the ZapCat agent.

              On the post that you mention they talk about using the following URL in JConsole.

              service:jmx:rmi://your.public.dns:10002/jndi/rmi://your.public.dns:10001/jmxrmi

              Zabbix Java Agent doesn't support such URL (I believe there is an open issue to be able to craft custom URLs but is not fixed)

              Is it correct that you only had to add the listener with the two ports and then just configure zabbix JMX to target the right port?

              It will be nice if Zabbix Java Agent could run in remote hosts so only a single port should be open... in order to support different JMX services on the monitored machine a "secondary" port could be sent to the agent to identify the local JMX port that should be queried by the agent.

                Comment

                • hrouxel
                  Junior Member
                  • Jul 2012
                  • 8
                  #5
                  Hello,

                  > <Listener className="org.apache.catalina.mbeans.JmxRemoteLif ecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>

                  > service:jmx:rmi://your.public.dns:10002/jndi/rmi://your.public.dns:10001/jmxrmi

                  Zabbix : just add a JMX interface corresponding to the rmiRegistryPortPlatform
                  Firewall : check the two ports are authorized.

                  If you have several applications running on your server, you will have to create as much servers (agent with same IP, interface JMX with port of the rmiRegistryPortPlatform of your application)

                  > Is it correct that you only had to add the listener with the two ports and then just configure zabbix JMX to target the right port?
                  Yes as soon as Zabbix java gateway is started ! http://www.zabbix.com/documentation/.../concepts/java

                    Comment

                    Previous template Next
                    Working...