Enable JMX Agent for JVM

With JMX agent enabled for a JVM, you can use a JMX Client (JConsole or VisualVM) to tap into your JVM to monitor its performance and memory usage at runtime. Your java runtime is not enabled with JMX by default unless you explicitly specify to turn it on.

On the JVM side (target server), in general, you can enable the JMX (Java Management Extensions) agent by starting JVM with the following Java System Properties (via java -D):

  java.rmi.server.hostname=ineedabargain.com // without this, on linux, jconsole will fail to connect
  com.sun.management.jmxremote.authenticate=false // default is true if not set  
  com.sun.management.jmxremote.password.file=<password file location>   //2
  com.sun.management.jmxremote.ssl=false
  com.sun.management.jmxremote.port=<portNum>

[1] false, if no authentication is needed. true (default), if require JMX Client to access JMX Agent with username and password.
[2] Password file defines the password of each role/user. Only applicable if authenticate is set to true. What the actual role/user can do is defined in another file called access file. Default location/value is JRE_HOME/lib/management/jmxremote.password. 

JMX Client Accesses JMX Agent without Authentication

When starting up your Java app, for example, the following system properties enable JMX agent without requiring username password when accessed from a JMX client:

java ⋯⋯ -Djava.rmi.server.hostname=ineedabargain.com -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=1234 ⋯⋯

JMX Client Accesses JMX Agent with Authentication

If you'd like to require JMX client to access JMX Agent with username and password. To achieve this, leave com.sun.management.jmxremote.authenticate=true, com.sun.management.jmxremote.password.file=<pwd file location>, then set up a file-based password authentication file on the Agent side according to this doc: make a password file copy from the template file, then make the file (jmxremote.password) only readable and writable by the user that runs java so others won't be able to see the password.

su <user that runs java app>
cp /usr/java/default/jre/lib/management/jmxremote.password.template /home/tomcat/jmxremote.passwordcd ~
chmod 600 jmxremote.password   
emacs jmxremote.password       

Put the password you'd like to use in place of <password> in the jmxremote.password file. The predefined role/user are named monitorRole and controlRole. Access JMX Agent as controlRole also allows you analyze threads and profile CPU & memory, whereas monitorRole can not. Their access rights are defined in a predefined Access file somewhere. I simply leave the name of the role/user unchanged, and just change the password.

# specify actual password instead of the text password 
monitorRole <password>
controlRole <password>

When starting up your Java app, for example, the following system properties enable JMX agent requiring username password when accessed from a JMX client:

java ⋯⋯ -Djava.rmi.server.hostname=ineedabargain.com -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=1234 -Dcom.sun.management.jmxremote.password.file=/home/tomcat/jmxremote.password ⋯⋯

After you save the jmxremote.password, next time you access JMX agent using JMX client (e.g. VirtualVM) the username (monitorRole or controlRole) and password will be required.

Next Up

• Monitor Java Application with VisualVM
  

References

• Application Monitoring with JConsole, VisualVM and AppDynamics Lite
  
• Monitoring and Management Using JMX Technology
• VisualVM: Monitoring Remote JVM Over SSH (JMX Or Not)