
This document provides tutorials on how to enable the JMX listener on Apache Tomcat running on Unix.  The JMX protocol allows remote monitoring and managing of Apache Tomcat.  For more information, refer to Apache Tomcat Monitoring and Managing Tomcat.

 

Which type of configuration should be used?


 

Configuring JMX for Apache Tomcat (no authentication)

 

  1. On your Tomcat host, log on as the user that your Apache Tomcat server runs under, then browse to CATALINA_BASE/bin

  2. Make a backup of the file setenv.sh, then edit the file setenv.sh with VI and add the following line:

    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8008 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"


  3. Save the changes and restart Tomcat



If the Apache Tomcat service fails to start, make sure the selected JMX port (for example port 8008) is not in use by other processes and that you have not made a typing error in setenv.sh.

Check the log catalina.out under CATALINA_BASE/logs for additional troubleshooting information

    

Configuring JMX for Apache Tomcat for Network Address Translation (NAT)

   
If there is Network Address Translation between your BIPST client and the Apache Tomcat server, you need to add one additional property to support this.
    

  1. On your Tomcat host, log on as the user that your Apache Tomcat server runs under, then browse to CATALINA_BASE/bin
       

        
  2. Make a backup of the file setenv.sh, then edit the file setenv.sh with VI and add the following line (where TomcatHostName is the hostname of your Apache Tomcat server)

    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8008 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=TomcatHostName"


  3. Save the changes and restart Tomcat
       
     

 

If the Apache Tomcat service fails to start, make sure the selected JMX port (for example port 8008) is not in use by other processes and that you have not made a typing error in setenv.sh.

Check the log catalina.out under CATALINA_BASE/logs for additional troubleshooting information

 

Configuring JMX for Apache Tomcat (with Authentication)


  1. On your Tomcat host, log on as the user that your Apache Tomcat server runs under, then browse to CATALINA_BASE/conf
       
  2. Create two new files named jmxremote.access and jmxremote.password

  3. Edit the file jmxremote.access with VI or another text editor and add the below text.  (This creates the user with the name jmxuser with Read Only access)

    jmxuser readonly


  4. Edit the file jmxremote.password with VI or another text editor and add the below text (Replace ThePassword123 with a password of your choosing)
     

    jmxuser ThePassword123




  5. Change the ownership of the file jmxremote.password to the user running Apache Tomcat (in my example: boeuser; shown as tomcatuser in the commands below) and remove all permissions for group and other
       

    chown tomcatuser jmxremote.password
    chmod go-rwx jmxremote.password



     

  6. Browse to CATALINA_BASE/bin, make a backup of setenv.sh, then edit the file setenv.sh.  Add the following property (where /install/path/to/tomcat is the path to your Apache Tomcat installation)

    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8008 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.access.file=/install/path/to/tomcat/conf/jmxremote.access -Dcom.sun.management.jmxremote.password.file=/install/path/to/tomcat/conf/jmxremote.password"

      


     

  7. Save the changes and restart Tomcat
     
     

 

If the Apache Tomcat service fails to start, make sure you have correctly configured file permissions on the jmxremote files and that you have not made any mistakes in the Java Options (setenv.sh). Also make sure the selected JMX port (for example 8008) is not in use by other processes.

Check the log catalina.out under CATALINA_BASE/logs for additional troubleshooting information
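
A check for the flags set in the sections above, as an added example that is not part of the original tutorial: the hypothetical helpers jmx_prop and jmx_audit read setenv.sh, report authenticate=false and ssl=false, and verify that the password file named in the flag exists and has no group/other permission bits (the JVM refuses to start JMX when the password file is readable by other users). The sample file and the finding labels are constructed.

```shell
#!/bin/sh
# Added example; jmx_prop and jmx_audit are hypothetical helper names.

# Print the value of -D<property>=<value> as set in a setenv.sh file.
# Comment lines are skipped; if the flag appears twice, the last one is printed.
jmx_prop() {  # $1 = path to setenv.sh, $2 = property name
    grep -v '^[[:space:]]*#' "$1" | tr -s ' \t"' '\n\n\n' |
        sed -n "s|^-D$2=||p" | tail -n 1
}

# Print one finding per line; no output means none of the checks fired.
jmx_audit() {  # $1 = path to setenv.sh
    p=com.sun.management.jmxremote
    if [ "$(jmx_prop "$1" "$p.authenticate")" = false ]; then
        echo "NO_AUTH"             # any client that reaches the port can connect
    fi
    if [ "$(jmx_prop "$1" "$p.ssl")" = false ]; then
        echo "NO_SSL"              # credentials and MBean data travel unencrypted
    fi
    pw=$(jmx_prop "$1" "$p.password.file")
    if [ -z "$pw" ]; then
        return 0                   # no password file configured, nothing to check
    elif [ ! -f "$pw" ]; then
        echo "PWFILE_MISSING $pw"  # path in the flag does not match the file created
    elif [ "$(ls -ld "$pw" | cut -c5-10)" != "------" ]; then
        echo "PWFILE_PERMS $pw"    # group/other bits set: run chmod go-rwx (step 5)
    fi
    return 0
}

# Constructed sample: authentication on, SSL off, password file left at 0644.
demo=$(mktemp -d)
echo 'jmxuser ThePassword123' > "$demo/jmxremote.password"
chmod 644 "$demo/jmxremote.password"
p=com.sun.management.jmxremote
printf 'CATALINA_OPTS="$CATALINA_OPTS -D%s -D%s.port=8008 -D%s.authenticate=true -D%s.ssl=false -D%s.password.file=%s"\n' \
    "$p" "$p" "$p" "$p" "$p" "$demo/jmxremote.password" > "$demo/setenv.sh"
jmx_audit "$demo/setenv.sh"
rm -rf "$demo"
```

On a real host, run jmx_audit against CATALINA_BASE/bin/setenv.sh as the Tomcat user before restarting.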

Configuring JMX for Apache Tomcat with Firewall Support

These instructions are applicable if there is a firewall blocking TCP ports between the BIPST client and the Apache Tomcat server.  For more information regarding this setup, refer to JMX Remote Lifecycle Listener.
    

  1.  Download the file catalina-jmx-remote.jar from Apache.org according to your version of Apache Tomcat.

     

     

  2. Log on to your Unix/Linux host as the user which Apache Tomcat runs under (in this example: boeuser) and copy the file catalina-jmx-remote.jar to CATALINA_BASE/lib
       
     
       

  3. Browse to CATALINA_BASE/conf and edit the file server.xml with a text editor such as VI
       

  4. Enable the new JMX Remote Lifecycle listener by adding the following tag to server.xml (where TomcatHostName is the host name of the server where Apache Tomcat is running)
     

    <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" rmiBindAddress="TomcatHostName"/>

           

  5. Save the changes to server.xml
     
  6. Browse to CATALINA_BASE/bin and make a backup of setenv.sh and then edit the file setenv.sh.  Add the below property: (where /install/path/to/tomcat is the path to your Apache Tomcat installation)
       
    No Authentication Option

    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"


    With Authentication Option  (NOTE: you must first have already configured the jmxremote authentication files per this tutorial)

    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.access.file=/install/path/to/tomcat/conf/jmxremote.access -Dcom.sun.management.jmxremote.password.file=/install/path/to/tomcat/conf/jmxremote.password"

       
     
       

  7. Save the changes to setenv.sh.  Finally, restart the Apache Tomcat server and confirm that Apache Tomcat is now listening on ports 10001 and 10002
     

       

If the Apache Tomcat service fails to start, make sure that you have not made a mistake in the server.xml and that the ports 10001 and 10002 are not in use by other processes

Check the Apache Tomcat catalina.out log under CATALINA_BASE/logs for troubleshooting information

Ensure you have downloaded the correct jmx-remote.jar file for your version of Tomcat; otherwise the Apache Tomcat service may fail to start. The following error can occur in the stderr.log when using an incompatible version of the jmx-remote.jar:

Java.lang.unsupportedclassversionerror: .org/Apache/Catalina/Mbeans/JMXRemoteLifecycleListener: unsupported major.minor version 51.0.

 

Configuring JMX SSL for Apache Tomcat

  1. Navigate to the following folder, or any Java folder if using an external Tomcat Web Application Server
    1. <installdir>/sap_bobj/enterprise_xi40/linux_x64/sapjvm/bin
  2. Generate a Java Keystore for Tomcat
    1. Run: ./keytool -genkeypair -alias mytomcatserver -keyalg RSA -keystore /usr/home/boeuser/SSL/TomcatSSL/tomcatKeystore.jks -keysize 2048 -storepass Password1
  3. Create a certificate signing request for the keystore
    1. Run: ./keytool -certreq -alias mytomcatserver -keystore /usr/home/boeuser/SSL/TomcatSSL/tomcatKeystore.jks -file /usr/home/boeuser/SSL/TomcatSSL/myserver.csr -storepass Password1
  4. Provide the myserver.csr file to your certificate authority to sign
    1. To self-sign the certificate, follow the instructions here
    2. The certificate authority should provide two files, a certificate authority file such as cacert.pem and your signed certificate, myserver.pem OR a single file containing all certificates
  5. Import the signed certificate into the existing keystore
    1. Run: ./keytool -import -trustcacerts -alias mytomcatserver -file /usr/home/boeuser/SSL/TomcatSSL/myserver.pem -keystore /usr/home/boeuser/SSL/TomcatSSL/tomcatKeystore.jks
    2. Note - If the error "keytool error: java.lang.Exception: Failed to establish chain from reply" occurs, import the cacert provided into the keystore or the cacerts file of your Java installation
      1. ./keytool -importcert -file /usr/home/boeuser/SSL/TomcatSSL/cacert.pem -keystore /usr/home/boeuser/SSL/TomcatSSL/tomcatKeystore.jks
  6. Validate that the certificate is correctly stored in the keystore
    1. Run: ./keytool -list -v -keystore /usr/home/boeuser/SSL/TomcatSSL/tomcatKeystore.jks -storepass Password1
  7. Navigate to <tomcatinstall>/bin
  8. Edit setenv.sh and modify/add the following properties

    CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.access.file=/install/path/to/tomcat/conf/jmxremote.access -Dcom.sun.management.jmxremote.password.file=/install/path/to/tomcat/conf/jmxremote.password -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.ssl.need.client.auth=false -Djavax.net.ssl.keyStore=/usr/home/boeuser/SSL/TomcatSSL/tomcatKeystore.jks -Djavax.net.ssl.keyStorePassword=Password1"

  9. Restart Tomcat
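
A way to automate the validation in step 6, as an added example that is not part of the original tutorial: the hypothetical helper keystore_entry_status reads `keytool -list -v` output and confirms that the signed certificate was attached to the key pair from step 2 (alias mytomcatserver) rather than stored as a separate trusted-certificate entry. The listing in sample_listing is constructed in the layout keytool prints in an English locale, and the CA name in it is a placeholder.

```shell
#!/bin/sh
# Added example; keystore_entry_status and sample_listing are hypothetical names.

# Read `keytool -list -v` output on stdin and classify the entry for one alias.
keystore_entry_status() {  # $1 = alias to inspect
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13) }
        cur != want                   { next }
        /^Entry type: /               { type = $3 }
        /^Certificate chain length: / { len = $4 }
        /^Owner: /  && owner == ""    { owner = substr($0, 8) }   # first cert is the leaf
        /^Issuer: / && issuer == ""   { issuer = substr($0, 9) }
        END {
            if (type == "")                      print "ALIAS_NOT_FOUND"
            else if (type != "PrivateKeyEntry")  print "NOT_A_KEY_ENTRY"
            else if (len < 2 && owner == issuer) print "SELF_SIGNED"
            else                                 print "CA_SIGNED chain=" len
        }'
}

# Constructed sample: the reply was imported under a second alias, so the
# key entry still carries only its original self-signed certificate.
sample_listing() {
cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

Alias name: mytomcatserver
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=TomcatHostName
Issuer: CN=TomcatHostName

Alias name: myserver
Entry type: trustedCertEntry

Owner: CN=TomcatHostName
Issuer: CN=Example Internal CA
EOF
}

sample_listing | keystore_entry_status mytomcatserver
sample_listing | keystore_entry_status myserver
```

Against the real keystore, pipe the step 6 keytool command into keystore_entry_status mytomcatserver; anything other than CA_SIGNED means the JMX listener will not present a certificate that chains to your CA.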

Configure BI Platform Support Tool to Trust the CA

  1. Copy cacert.pem to the computer running BI Platform Support Tool
  2. Import the self-signed certificate, or CA certificate to the trusted certificate file
  3. Open a command line window and navigate to the <BIPSTHOME>\BISupport\bin folder
  4. Run: keytool -import -trustcacerts -file cacert.pem -alias CA_Alias -keystore "<BIPSTHOME>\BISupport\lib\security\cacerts" -storepass changeit
    1. Note: The default password for the trusted certificate authority file is changeit
  5. Start BI Platform Support Tool
  6. Navigate to Landscape Configuration
  7. Check "Enable Java SSL"
  8. Set the Java Truststore to <BIPSTHOME>\BISupport\lib\security\cacerts
  9. Set the Java Truststore password to the password for the cacerts file
    1. Note: The default password for the trusted certificate authority file is changeit
  10. Click Save Changes
  11. Restart BI Platform Support Tool   

  12. From Landscape Configuration select the Tomcat Server
  13. Navigate to the JMX Settings tab and click Validate

Note: All Tomcat Java Application Servers should be signed using the same Certificate Authority, therefore it is only necessary to configure the BI Platform Support Tool once.
