cuberri / jmxquery

Automatically exported from code.google.com/p/jmxquery
0 stars 0 forks source link

Does this plugin work with SSL? #5

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Modify check_jmx to:-

java -Djavax.net.ssl.trustStore=cacerts.jts
-Djavax.net.ssl.trustStorePassword=testing -cp $RDIR/jmxquery.jar
jmxquery.JMXQuery $@

2. Use the modified .jar file posted on these issues boards..

3. Then run then run:-

./check_jmx -U service:jmx:rmi:///jndi/rmi://localhost:17300/jmxrmi -O
java.lang:type=Memory -A HeapMemoryUsage -K used -I HeapMemoryUsage -J used
-vvvv -w 731847066 -c 1045495808 -username monitorRole -password test

What is the expected output? What do you see instead?
JMX CRITICAL - error during JRMP connection establishment; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure connecting to java.lang:type=Memory by URL
service:jmx:rmi:///jndi/rmi://anise.semantico.net:17300/jmxrmijava.rmi.ConnectIO
Exception:
error during JRMP connection establishment; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:274)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:171)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:94)
at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
at
javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2229)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:271)
at
javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248
)
at jmxquery.JMXQuery.connect(JMXQuery.java:64)
at jmxquery.JMXQuery.main(JMXQuery.java:89)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1542)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl
.java:1025)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:619)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.DataOutputStream.flush(DataOutputStream.java:106)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
... 8 more

What version of the product are you using? On what operating system?
debian sarge with sun java 5 talking to a tomcat6 running on jdk1.6.0_06

Please provide any additional information below.

Original issue reported on code.google.com by Giles.We...@gmail.com on 16 Sep 2009 at 10:04

GoogleCodeExporter commented 9 years ago

Original comment by ryangrav...@gmail.com on 8 Dec 2009 at 10:18

GoogleCodeExporter commented 9 years ago
I have updated the plugin to work with SSL.
Here are the changes (I have also attached the source).
ALL changes are to JMXQuery.java:

Add Imports:

import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;
import javax.management.remote.rmi.RMIConnectorServer;

Here is connect function:

private void connect() throws IOException
        {
         JMXServiceURL jmxUrl = new JMXServiceURL(url);

         if(username!=null) {
                 Map<String, Object> m = new HashMap<String,Object>();
                 SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
                 SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();
                 m.put(JMXConnector.CREDENTIALS,new String[] {username,password});
                 m.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
                 m.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
                 m.put("com.sun.jndi.rmi.factory.socket", csf);
                 connector = JMXConnectorFactory.connect(jmxUrl,m);
         } else {
                 connector = JMXConnectorFactory.connect(jmxUrl);
         }
         connection = connector.getMBeanServerConnection();
        }

Original comment by nigel.be...@gmail.com on 18 Aug 2010 at 3:05

Attachments:

GoogleCodeExporter commented 9 years ago
I have updated even further, as it didn't work with non-SSL now.
I now only use SSL if the javax.net.ssl.trustStore is defined.

I have also fixed the problem of it not working when you don't specify warn and 
critical values for Number style objects.

Original comment by nigel.be...@gmail.com on 18 Aug 2010 at 7:50

Attachments:

GoogleCodeExporter commented 9 years ago
Hi Nigel,

Thanks for your work, in the end we used the jmxproxy that's built into the 
Tomcat manager app, we can poll it via http without having to fire up java. 
Having said that the munin jmx plugins use the Java method. If we were 
supporting other webservers I guess we'd need to use a different way.

g.

Original comment by Giles.We...@gmail.com on 18 Aug 2010 at 8:14

GoogleCodeExporter commented 9 years ago
Ok, I did one more, probably the last update.
I have changed so it supports jmx.remote.protocol.provider.pkgs.

This means you can get it to connect to other app servers like WebLogic / JBoss.

I have successfully tested against WebLogic 10.1.  Its slow when you do it, and 
I had to add a retry to the connection, as it seems the first time hardly ever 
works due to the classloading done by the JMXConnector.

Here is an example command line I used to connect to WebLogic:

java -cp 
jmxquery.jar:$JAVA_HOME/lib/tools.jar:$WL_HOME/server/lib/wlfullclient.jar 
-Djmx.remote.protocol.provider.pkgs=weblogic.management.remote 
-Dweblogic.security.TrustKeyStore=CustomTrust 
-Dweblogic.security.CustomTrustKeyStoreFileName=/export/home/nbenns/trust.jks 
jmxquery.JMXQuery -U 
"service:jmx:t3s://<hostname>:<port>/jndi/weblogic.management.mbeanservers.runti
me" -username weblogic -password weblogic -O 
"java.lang:type=MemoryPool,name=Eden Space" -A Usage -K used -w 3 -c 800000000

Output:

JMX WARNING - Usage.used is 96571696

Here is the new connect() method:

private void connect() throws IOException
        {
                JMXServiceURL jmxUrl = new JMXServiceURL(url);
                Map<String, Object> m = new HashMap<String,Object>();

                if(username!=null) {
                        m.put(JMXConnector.CREDENTIALS,new String[] {username,password});
                }

                if (!System.getProperty("javax.net.ssl.trustStore", "NULL").equals("NULL")) {
                        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
                        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();
                        m.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
                        m.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
                        m.put("com.sun.jndi.rmi.factory.socket", csf);
                }

                if (!System.getProperty("jmx.remote.protocol.provider.pkgs", "NULL").equals("NULL")) {
                        m.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, System.getProperty("jmx.remote.protocol.provider.pkgs"));
                }

                for (int c = 0; c < 3; c++) {
                        try {
                                connector = JMXConnectorFactory.connect(jmxUrl,m);
                                connection = connector.getMBeanServerConnection();
                                break;
                        }
                        catch (IOException ex) {
                                if (c < 2) continue;
                                else throw ex;
                        }
                }
        }

Original comment by nigel.be...@gmail.com on 19 Aug 2010 at 8:32

Attachments:

GoogleCodeExporter commented 9 years ago
Any update on this?  Are there any plans to release this soon?

Original comment by daro...@gmail.com on 8 Sep 2010 at 4:34

GoogleCodeExporter commented 9 years ago
Also, it occurs to me that to make this fix work smoothly, the truststore and 
the truststore password really out to be passed in as parms to the check_jmx 
script.  Any way to make that part of this fix?

Original comment by daro...@gmail.com on 8 Sep 2010 at 4:52

GoogleCodeExporter commented 9 years ago
Suggested implementation:

#!/bin/sh
#
# Nagios plugin to monitor Java JMX (http://java.sun.com/jmx)attributes.
#
RDIR=`dirname $0`
for parm in $@ ; do
    prefix=${parm:0:2}
    if [ "${prefix}" = "-J" ] ; then
        java_parms="${java_parms} ${parm}"
    else 
        parms="${parms} ${parm}"
    fi
done
java -cp $RDIR/jmxquery.jar ${java_parms} org.nagios.JMXQuery ${parms}

Original comment by daro...@gmail.com on 9 Sep 2010 at 3:02

GoogleCodeExporter commented 9 years ago
Ack!  Change the "-J" to "-D".

Original comment by daro...@gmail.com on 9 Sep 2010 at 3:13

GoogleCodeExporter commented 9 years ago
I am getting the following error. Am I missing something? Please let me know.

java -cp 
jmxquery.jar:$JAVA_HOME/lib/tools.jar:/opt/nagios/libexec/wlfullclient.jar 
-Djmx.remote.protocol.provider.pkgs=weblogic.management.remote 
jmxquery.JMXQuery -U 
"service:jmx:t3://<IP>:<PORT>/jndi/weblogic.management.mbeanservers.runtime" 
-username <user> -password <pass> -O "java.lang:type=MemoryPool,name=Eden 
Space" -A Usage -K used -w 3 -c 800000000

JMX CRITICAL - Anonymous attempt to get to a JNDI resource

Original comment by mail2ami...@gmail.com on 9 Nov 2012 at 2:27