Enabling SNMP Support for JRE

Instead of JMX, you can configure the eG agent to monitor Tomcat's JVM using SNMP-based access to the Java runtime MIB statistics.

In some environments, SNMP access might have to be authenticated by an ACL (Access Control List), and in some other cases, it might not require an ACL.

If SNMP access does not require ACL authentication, then follow the steps below to enable SNMP support:

  1. Log in to the Tomcat host.
  2. Ensure that the SNMP service and the SNMP Trap Service are running on the host.
  3. Next, edit the management.properties file in the <JAVA_HOME>\jre\lib\management folder used by the target application.
  4. Append the following lines to the file:

    com.sun.management.snmp.port=<Port No>

    com.sun.management.snmp.interface=0.0.0.0

    com.sun.management.snmp.acl=false

    For instance, if the SNMP port is 1166, then the first line of the above specification will be:

    com.sun.management.snmp.port=1166

    If the second line of the specification is set to 0.0.0.0, it indicates that the JRE will accept SNMP requests from any host in the environment. To ensure that the JRE services only those SNMP requests that are received from the eG agent, set the second line of the specification to the IP address of the agent host. For instance, if the eG agent monitoring the Tomcat application is executing on 192.168.10.152, then the second line of the specification will be:

    com.sun.management.snmp.interface=192.168.10.152

  5. Next, edit the start-up script of the target application, include the following line in it, and save the script file.

    -Dcom.sun.management.config.file=<management.properties_file_path>

  6. For instance, on a Windows host, the <management.properties_file_path> can be expressed as: D:\bea\jrockit_150_11\jre\lib\management\management.properties.

  7. On the other hand, on a Unix/Linux/Solaris host, a sample <management.properties_file_path> specification will be as follows: /usr/jdk1.5.0_05/jre/lib/management/management.properties.

On the contrary, if SNMP access requires ACL authentication, then follow the steps below to enable SNMP support for the JRE:

  1. Log in to the application host. If the target application is executing on a Windows host, log in as a local/domain administrator.
  2. Ensure that the SNMP service and SNMP Trap Service are running on the host.
  3. Copy the snmp.acl.template file in the <java_home>\jre\lib\management folder to another location on the local host. Rename the snmp.acl.template file as snmp.acl, and copy the snmp.acl file back to the <java_home>\jre\lib\management folder.
  4. Next, edit the snmp.acl file, and set rules for SNMP access in the file.

    Figure 1 : The snmp.acl file

  5. For that, first scroll down the file to view the sample code block revealed by Figure 2.

    Figure 2 : The snmp.acl file revealing the SNMP ACL example

  6. Uncomment the code block by removing the # symbol preceding each line of the block as indicated by Figure 3.

    Figure 3 : Uncommenting the code block

  7. Next, edit the code block to suit your environment.
  8. The acl block expects the following parameters:

    • communities : Provide a comma-separated list of community strings, which an SNMP request should carry for it to be serviced by this JRE; in the example illustrated by Figure 17, the community strings recognized by this JRE are public and private. You can add more to this list, or remove a community string from this list, if need be.
    • access : Indicate the access rights that SNMP requests containing the defined communities will have; in Figure 3, SNMP requests containing the community string public or private will have only read-only access to the MIB statistics. To grant full access, you can specify read-write instead.
    • managers : Specify a comma-separated list of SNMP managers or hosts from which SNMP requests will be accepted by this JRE; in the example illustrated by Figure 3, all SNMP requests from the localhost will be serviced by this JRE. Typically, since the SNMP requests originate from an eG agent, the IP of the eG agent should be configured against the managers parameter. For instance, if the IP address of the agent host is 192.168.10.160, then, to ensure that the JRE accepts requests from the eG agent alone, set managers to 192.168.10.160 instead of localhost.
  9. Every acl block in the snmp.acl file should have a corresponding trap block. This trap block should be configured with the following values:

    • trap-community: Provide a comma-separated list of community strings that can be used by SNMP traps sent by the Tomcat application to the managers specified in the acl block. In the example of Figure 3, all SNMP traps sent by the Tomcat application being monitored should use the community string public only.
    • hosts: Specify a comma-separated list of IP addresses / host names of hosts from which SNMP traps can be sent. In the case of Figure 3, traps can be sent by the localhost only. If a single snmp.acl file is being centrally used by multiple applications/devices executing on multiple hosts, then to ensure that all such applications are able to send traps to the configured SNMP managers (in the acl block), you can provide the IP address/hostname of these applications as a comma-separated list against hosts.
  10. Figure 4 depicts how the acl and trap blocks can be slightly changed to suit the monitoring needs of an application.

    Figure 4 : The edited block

  11. Then, proceed to make the snmp.acl file secure by granting a single user “full access” to that file. For monitoring applications executing on Windows in particular, only the Owner of the snmp.acl file should have full control of that file. To know how to grant this privilege to the Owner of a file, refer to Securing the ‘jmxremote.password’ file. That section details the procedure for securing the jmxremote.password file on Windows. Use the same procedure to secure the snmp.acl file on Windows, but make sure that you select the snmp.acl file and not the jmxremote.password file.
  12. In case of applications executing on Solaris / Linux hosts on the other hand, any user can be granted full access to the snmp.acl file, by following the steps below:

    • Log in to the host as the user who is to be granted full control of the snmp.acl file.
    • Issue the following command:

      chmod 600 snmp.acl

    • This will automatically grant the login user full access to the snmp.acl file.
  13. Next, edit the management.properties file in the <JAVA_HOME>\jre\lib\management folder used by the target application.
  14. Append the following lines to the file:

    com.sun.management.snmp.port=<PortNo>

    com.sun.management.snmp.interface=0.0.0.0

    com.sun.management.snmp.acl=true

    com.sun.management.snmp.acl.file=<Path_of_snmp.acl>

    If the second line of the specification is set to 0.0.0.0, it indicates that the JRE will accept SNMP requests from any host in the environment. To ensure that the JRE services only those SNMP requests that are received from the eG agent, set the second line of the specification to the IP address of the agent host.

    For example, if the Tomcat application being monitored listens for SNMP requests at port number 1166, the eG agent monitoring the Tomcat application is deployed on 192.168.10.152, and these SNMP requests need to be authenticated using the snmp.acl file in the D:\bea\jrockit_150_11\jre\lib directory, then the above specification will read as follows:

    com.sun.management.snmp.port=1166

    com.sun.management.snmp.interface=192.168.10.152

    com.sun.management.snmp.acl=true

    com.sun.management.snmp.acl.file=D:\\bea\\jrockit_150_11\\jre\\lib\\management\\snmp.acl

  15. However, if the application in question is executing on a Unix/Solaris/Linux host, and the snmp.acl file is in the /usr/jdk1.5.0_05/jre/lib/management folder of the host, then the last line of the specification will be:

    com.sun.management.snmp.acl.file=/usr/jdk1.5.0_05/jre/lib/management/snmp.acl

  16. Next, edit the start-up script of the target application, include the following line in it, and save the script file.

    -Dcom.sun.management.config.file=<management.properties_file_path>

  17. For instance, on a Windows host, the <management.properties_file_path> can be expressed as: D:\bea\jrockit_150_11\jre\lib\management\management.properties.
  18. On the other hand, on a Unix/Linux/Solaris host, a sample <management.properties_file_path> specification will be as follows: /usr/jdk1.5.0_05/jre/lib/management/management.properties.
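
To review the result of either procedure above (with or without ACL authentication), the following added example, which is not part of the original page or of the eG product, reads the text of management.properties and snmp.acl and reports the permissive settings these steps can leave behind: interface set to 0.0.0.0, acl=false, the sample block's community strings left unchanged, and read-write access. The function names are hypothetical, the sample input is constructed from this page's example values, and the acl/trap layout assumes the format of the JDK's snmp.acl.template.

```python
import re

TEMPLATE_COMMUNITIES = {"public", "private"}  # strings in the sample acl block

def parse_properties(text):
    """Read key=value pairs from management.properties, skipping comments."""
    lines = [l for l in text.splitlines() if "=" in l and l.lstrip()[0] not in "#!"]
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}

def parse_acl_entries(text):
    """Return one dict per innermost { ... } entry that defines communities."""
    body = re.sub(r"#.*", "", text)  # drop comments, e.g. the untouched template
    blocks = [{key: [v.strip() for v in values.split(",")]
               for key, values in re.findall(r"([\w-]+)\s*=\s*([^\n]+)", inner)}
              for inner in re.findall(r"\{([^{}]*)\}", body)]
    return [b for b in blocks if "communities" in b]  # trap entries are skipped

def audit(props_text, acl_text=""):
    """Return findings for the SNMP settings configured in the steps above."""
    props, findings = parse_properties(props_text), []
    if props.get("com.sun.management.snmp.interface") == "0.0.0.0":
        findings.append("interface=0.0.0.0: requests accepted from any host")
    if props.get("com.sun.management.snmp.acl", "").lower() == "false":
        return findings + ["acl=false: snmp.acl rules are not enforced"]
    for entry in parse_acl_entries(acl_text):
        if weak := sorted(TEMPLATE_COMMUNITIES & set(entry["communities"])):
            findings.append("template community in use: " + ", ".join(weak))
        if "read-write" in entry.get("access", []):
            findings.append("read-write access granted")
    return findings

# Constructed sample input using the example values from this page.
SAMPLE_PROPS = """com.sun.management.snmp.port=1166
com.sun.management.snmp.interface=0.0.0.0
com.sun.management.snmp.acl=true"""
SAMPLE_ACL = """acl = {
  {
    communities = public, private
    access = read-only
    managers = 192.168.10.160
  }
}
trap = {
  {
    trap-community = public
    hosts = localhost
  }
}"""
print("\n".join(audit(SAMPLE_PROPS, SAMPLE_ACL)))
```

An empty list from audit() means none of these four conditions were found; it does not check the file permissions set with chmod 600.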

The sections to come discuss the top 2 layers of Figure 2, as the remaining layers have already been discussed at length in the Monitoring Unix and Windows Servers document.