Running JConsole through ssh tunnel to troubleshoot vCenter Operations Manager vApp behind firewall (2032539)

Symptoms

  • Java instances in the vCenter Operations Manager vApp fail
  • You need to troubleshoot Java instances on the vCenter Operations Manager vApp

Purpose

This article provides steps to run the Java Monitoring and Management Console so that you can remotely troubleshoot Java instances running in VMware vCenter Operations Manager 5.x using an ssh tunnel. These steps do not require modifications to the vApp or customer environment.

Note: The vCenter Operations Manager vApp does not have an X server and graphical interface.

Resolution

Note: The examples in this article use a UI virtual machine with an IP address of 192.168.1.85, and an Analytics virtual machine with an IP address of 192.168.1.86. Port 1500 is used as Socket Proxy.

To run the Java Monitoring and Management Console to troubleshoot Java instances:

To use ssh on Linux:

  1. In the terminal, run the command:

    # ssh -f -ND 1500 192.168.1.85 -l root

  2. Enter the root password.
  3. Open the Java Monitoring and Management Console by running this command:

    Note: Port 1205 in the command below can be changed to connect to different processes. For example, use 1099 for ActiveMQ, 1203 for Collector, or 1201 for Web.

    jconsole -J-DsocksProxyHost=localhost -J-DsocksProxyPort=1500 service:jmx:rmi:///jndi/rmi://192.168.1.85:1205/jmxrmi

To use ssh on Windows with PuTTY:

  1. Run PuTTY and enter the host name/IP address.
  2. Expand SSH in the Category panel, then click Tunnels.
  3. Select Dynamic, enter 1500 in the Source Port field, then click Add. D1500 appears in the Forwarded ports field.
  4. Click Open.
  5. Click Yes when the PuTTY Security Alert appears.
  6. Log in as root. The tunnel is initiated.
  7. At the command prompt, open the Java Monitoring and Management Console by running this command:

    Note: Port 1205 in the command below can be changed to connect to different processes. For example, use 1099 for ActiveMQ, 1203 for Collector, or 1201 for Web.

    jconsole -J-DsocksProxyHost=localhost -J-DsocksProxyPort=1500 service:jmx:rmi:///jndi/rmi://192.168.1.85:1205/jmxrmi

In vCenter Operations Manager 5.7 and later, TCP Forwarding is disabled.

To allow SSH tunneling for JConsole Access:

  1. Connect to the UI VM using SSH.
  2. Open the /etc/ssh/sshd_config file using a text editor.
  3. Find the line that reads AllowTcpForwarding no.
  4. Change no to yes.
  5. Save and close the file.
  6. Restart the ssh daemon by running this command:

    service sshd restart

  7. Log in to the Analytics VM and repeat Steps 2 to 5.

Note: When troubleshooting is completed, disable SSH Port Forwarding by resetting AllowTcpForwarding from yes to no.
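
The edit and the revert described above can be scripted and verified on each VM. This is an added example, not part of the original article or VMware's tooling; the function names are hypothetical, the sample file is constructed, and it assumes whitespace-separated `Keyword value` lines in sshd_config.

```shell
#!/bin/sh
# Added example: audit and reset AllowTcpForwarding in an sshd_config file.
# Assumes whitespace-separated "Keyword value" lines; function names are hypothetical.

# Print the value sshd applies globally: the first AllowTcpForwarding line
# before any Match block wins; OpenSSH defaults to "yes" when it is absent.
effective_tcp_forwarding() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Set the global AllowTcpForwarding to yes or no, keeping a backup in FILE.bak.
# Lines inside Match blocks are left untouched and should be reviewed by hand.
set_tcp_forwarding() {
    file=$1
    value=$2
    case $value in
        yes|no) ;;
        *) echo "value must be yes or no" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    awk -v v="$value" '
        # No global directive yet: add it before the first Match block.
        tolower($1) == "match" && !done { print "AllowTcpForwarding " v; done = 1 }
        # Rewrite only the first global occurrence, the one sshd honours.
        !done && tolower($1) == "allowtcpforwarding" { print "AllowTcpForwarding " v; done = 1; next }
        { print }
        END { if (!done) print "AllowTcpForwarding " v }
    ' "$file.bak" > "$file"
}

# Constructed sample file for a dry run (not taken from a real vApp).
write_sample_config() {
    printf '%s\n' '# constructed sample' 'Port 22' \
        '#AllowTcpForwarding no' 'allowtcpforwarding yes' \
        'Match User backup' '    AllowTcpForwarding no' > "$1"
}

# On each VM, after troubleshooting (as root):
#   set_tcp_forwarding /etc/ssh/sshd_config no
#   sshd -t && service sshd restart
#   effective_tcp_forwarding /etc/ssh/sshd_config    # expect: no
```

A commented-out `#AllowTcpForwarding no` line or a missing directive both leave forwarding enabled, which is why the check reads the effective value instead of searching for the string.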

Impact/Risks

Because a Socket Proxy is used, there is a security risk if the Linux or Windows host used for establishing the tunnel is a multiuser machine. All users on the machine can connect to the vApp when the tunnel is established. However, this method is more secure than opening the firewall on the vApp for remote JConsole troubleshooting.

Update History

12/12/2013 - Added steps to allow SSH tunneling for JConsole Access
