
My understanding is that a Tomcat server can be accessed through jmxrmi if we configure the following properties. The port can also be configured.

```
-Dcom.sun.management.jmxremote.port=30000
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=xyz
-Dcom.sun.management.jmxremote.access.file=xyz
```

After that, the Tomcat server can be connected to through JMX tools like jconsole or jvisualvm. But I also noticed that the same Tomcat server can also be connected to on the default jmxrmi port 1099. I haven't configured port 1099 anywhere. Even if I comment out all the above properties, I see Tomcat can still be connected to on port 1099 in jvisualvm.

Please suggest what might be enabling this connectivity on the default port. And how can I disable this connectivity?

Possibly some other third-party libraries in the classpath might be doing it, but how do I figure out which one?

YS_NE

1 Answer

JMX uses two ports: one for the JMX connection (which you have set to port 30000) and another one for RMI communications. Java defaults to port 1099, but if it's in use, it will choose the first port available after 1099. In Java 8, you cannot explicitly set this port via system properties.

For later Java versions, you can use the system property com.sun.management.jmxremote.rmi.port.

Tomcat has a workaround for this. You can use the JmxRemoteLifecycleListener to set the rmiServerPortPlatform attribute. Set that to whatever port you prefer.

Note that you cannot disable this second port: it is required for JMX to operate properly.

Christopher Schultz
  • Thanks @Christopher Schultz. Could you also tell me what is to be done if Tomcat is not to be accessible? I noticed that when I don't have these jmxremote properties as JVM arguments, it could still be connected to on port 1099. – YS_NE Dec 24 '20 at 05:04
  • If you want to disable JMX, why are you configuring the JVM for JMX? You might have a look at [this answer](https://stackoverflow.com/questions/1255049/disabling-local-jmx-connections-on-jvm). – Christopher Schultz Dec 25 '20 at 03:44
  • Thanks @Christopher Schultz. Will it be possible to add some authentication mechanism on the RMI port? The real concern is that although the connection on jmxremote is protected by authentication, the connection on 1099 is not. – YS_NE Jan 07 '21 at 14:33
  • The RMI port should really only be serving class definitions. You shouldn't be able to invoke anything through RMI. If you want full control over authentication, you might want to look at switching to Tomcat's [JMXProxyServlet](http://tomcat.apache.org/tomcat-8.5-doc/manager-howto.html#Using_the_JMX_Proxy_Servlet) which is a part of the Manager application. That uses HTTP instead of JMX and you have all the authentication options usually available to a web application at your disposal. – Christopher Schultz Jan 11 '21 at 15:17
  • Christopher Schultz - Sorry, I am changing the accepted answer. Actually, I do have some other Tomcat servers with a similar configuration and they are not listening on port 1099. Those Tomcat instances are also able to do all JMX operations fine. So what is the missing link here, that some servers are listening on port 1099 and some are not? This is what I need to figure out. – YS_NE Jun 21 '21 at 11:18
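
One way to review a Tomcat JVM's startup arguments for the JMX settings discussed in this thread, including the `rmi.port` property named in the answer. This is an added example, not code from the question or the answer; the function names and `QUESTION_OPTS` sample are constructed for illustration.

```python
import shlex

PREFIX = "-Dcom.sun.management.jmxremote"

# Constructed sample: the flags from the question, as they would appear in CATALINA_OPTS.
QUESTION_OPTS = """
-Dcom.sun.management.jmxremote.port=30000
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=xyz
-Dcom.sun.management.jmxremote.access.file=xyz
"""

def parse_jmx_flags(cmdline):
    """Return {suffix: value} for each -Dcom.sun.management.jmxremote[.x]=v argument."""
    flags = {}
    for arg in shlex.split(cmdline):
        rest = arg[len(PREFIX):]
        if arg.startswith(PREFIX) and rest[:1] in ("", ".", "="):
            key, _, value = rest.partition("=")
            flags[key.lstrip(".")] = value
    return flags

def audit(cmdline):
    """Return human-readable findings for one JVM command line."""
    f = parse_jmx_flags(cmdline)
    if "port" not in f:
        return ["no jmxremote.port here: a JMX/RMI listener on this host "
                "was not opened by these arguments"]
    findings = ["remote JMX configured on port " + f["port"]]
    # ssl and authenticate both default to true when the flag is absent.
    if f.get("ssl", "true").lower() == "false":
        findings.append("ssl=false: credentials and MBean traffic cross the network unencrypted")
    if f.get("authenticate", "true").lower() == "false":
        findings.append("authenticate=false: any client that can reach the port can use JMX")
    if "rmi.port" not in f:
        findings.append("rmi.port not set: the second (RMI) port is not pinned to a fixed value")
    return findings

if __name__ == "__main__":
    for line in audit(QUESTION_OPTS):
        print("-", line)
```

Run it against the argument string each Tomcat instance was actually started with; an instance whose arguments carry no `jmxremote.port` but which still listens on 1099 points to something other than these flags opening the port.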