Enabling JMX Monitoring

JMX Support for PAM Instances

The PAM Framework component (Java JRE) now includes support for Java Management Extensions (JMX). JMX is a broad topic.

There are many ways to configure JMX, and the correct configuration depends on the network environment and use case.

Comprehensive JMX documentation is provided in the JMX User Guide: https://docs.oracle.com/en/java/javase/21/jmx/java-management-extensions-jmx-user-guide.html.

There is also detailed JMX documentation for Apache Tomcat:

https://tomcat.apache.org/tomcat-9.0-doc/monitoring.html

The most common reason for enabling JMX in Apache Tomcat is to integrate with Zabbix, LogicMonitor, or other similar tools.

Monitoring software usually includes JMX integration documentation, for example:

https://www.zabbix.com/integrations/tomcat

https://www.logicmonitor.com/support/logicmodules/datasources/data-collection-methods/jmx-data-collection

JMX Security Considerations

JMX is often configured to expose management endpoints to external monitoring tools.

This must be done carefully with due consideration to security.

Recommended practice is to configure secure transport, authentication, and roles for remote connections.

The Tomcat JMX documentation linked above is a good source for guidance on this topic.

Network firewall policies can be (and probably should be) configured to control which network hosts are able to connect to the JMX endpoints.

Please note that the examples provided in this article assume PAM is installed in a specific folder, $PAM_HOME, which is expected to be /opt/pam for Linux or C:\PAM for Windows. Replace $PAM_HOME with your actual PAM installation folder.

Checking JMX Support for PAM Framework Component (Java JRE)

You can check your current PAM Framework (Java JRE) to see if it has JMX enabled.

Run the following command.

For Windows:

$PAM_HOME\jre\bin\java.exe --list-modules | findstr java.management.rmi

For Linux:

$PAM_HOME/jre/bin/java --list-modules | grep java.management.rmi

If JMX is enabled, the current JMX RMI module version should be displayed, for example:

java.management.rmi@21.0.4

The version shown here (21.0.4) may change over time. If no output is produced, JMX is not enabled and you may need to upgrade your PAM Framework component.

Enabling and Configuring

JMX for Apache Tomcat on Linux

For PAM on Linux, Java options for Apache Tomcat are defined in this script file:

$PAM_HOME/bin/pammanager

This script file may be modified to extend Java options with JMX configuration properties. Please make a backup copy of the file before making any changes.

Open the $PAM_HOME/bin/pammanager file and locate the line with JAVA_OPTS. It should look similar to this:

export JAVA_OPTS="$DERBY_OPTS ..."

Note: This is usually a very long line of options. Only the first part is shown here to save space.

The idea is to extend JAVA_OPTS with JMX properties after this line, like this:

export JAVA_OPTS="$DERBY_OPTS ..."
# Enable JMX for Apache Tomcat
export JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote"
export JAVA_OPTS="$JAVA_OPTS -Djava.rmi.server.hostname=localhost"
export JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.port=8686"
export JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"
export JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
export JAVA_OPTS="$JAVA_OPTS -Dcom.sun.management.jmxremote.ssl=false"

The first line is unchanged, but then additional lines are added to set the JMX properties.

This is a very simple example with authentication and secure transport disabled. In a production environment, authentication and secure transport should be enabled. Consult JMX documentation for guidance.

After updating this script file, the PAM Manager service must be reloaded and restarted to pick up the changes:

sudo systemctl daemon-reload
sudo systemctl restart pammanager.service
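
As an added example (not part of the original article or the PAM product), the following shell function audits a JAVA_OPTS string for the weak settings discussed above: disabled authentication, disabled secure transport, and an unfixed RMI port that firewall rules cannot pin down. WEAK_OPTS repeats the simple example; HARDENED_OPTS is a constructed sample with placeholder file paths, and the function names jmx_prop and jmx_audit are hypothetical.

```shell
# Added example: audit a JAVA_OPTS string for weak remote JMX settings.
# File paths under /opt/pam/conf are placeholders, not PAM defaults.

WEAK_OPTS="-Dcom.sun.management.jmxremote -Djava.rmi.server.hostname=localhost \
-Dcom.sun.management.jmxremote.port=8686 -Djava.net.preferIPv4Stack=true \
-Dcom.sun.management.jmxremote.authenticate=false \
-Dcom.sun.management.jmxremote.ssl=false"

HARDENED_OPTS="-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=8686 \
-Dcom.sun.management.jmxremote.rmi.port=8687 \
-Dcom.sun.management.jmxremote.authenticate=true \
-Dcom.sun.management.jmxremote.password.file=/opt/pam/conf/jmxremote.password \
-Dcom.sun.management.jmxremote.access.file=/opt/pam/conf/jmxremote.access \
-Dcom.sun.management.jmxremote.ssl=true \
-Dcom.sun.management.jmxremote.registry.ssl=true \
-Djavax.net.ssl.keyStore=/opt/pam/conf/jmx-keystore.p12"

# Print the last value given for -D<name>=..., or nothing if it is never set.
jmx_prop() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' |
        awk -v k="-D$2=" 'index($0, k) == 1 { v = substr($0, length(k) + 1) } END { print v }'
}

# Print one finding per line; return 0 when clean, 1 when anything is flagged.
jmx_audit() {
    p=com.sun.management.jmxremote
    port=$(jmx_prop "$1" "$p.port")
    [ -n "$port" ] || { echo "OK remote JMX port not set"; return 0; }
    rc=0
    # authenticate and ssl default to true once a port is set, so only an
    # explicit "false" weakens them.
    if [ "$(jmx_prop "$1" "$p.authenticate")" = false ]; then
        echo "WEAK authenticate=false on port $port"; rc=1
    fi
    if [ "$(jmx_prop "$1" "$p.ssl")" = false ]; then
        echo "WEAK ssl=false on port $port"; rc=1
    fi
    # Without a fixed rmi.port the RMI server picks a random port, which a
    # firewall allow-list cannot name.
    if [ -z "$(jmx_prop "$1" "$p.rmi.port")" ]; then
        echo "WEAK rmi.port not fixed"; rc=1
    fi
    [ "$rc" -eq 1 ] || echo "OK port $port"
    return "$rc"
}

jmx_audit "$WEAK_OPTS" || true; jmx_audit "$HARDENED_OPTS"
```

HARDENED_OPTS shows only the options the audit inspects; a working TLS setup also needs the keystore password and populated password and access files, as described in the JMX documentation.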

JMX for Apache Tomcat on Windows

For PAM on Windows, Java options for Apache Tomcat are defined in this script file:

$PAM_HOME\bin\ServiceManagement.cmd

This script file may be modified to extend Java options with JMX configuration properties. Please make a backup copy of the file before making any changes.

Open the $PAM_HOME\bin\ServiceManagement.cmd file and locate the line with JAVA_OPTS. It should look similar to this:

@set JAVA_OPTS=%DERBY_OPTS% ...

Note: This is usually a very long line of options. Only the first part is shown here to save space.

The idea is to extend JAVA_OPTS with JMX properties after this line, like this:

@set JAVA_OPTS=%DERBY_OPTS% ...
:: Enable JMX for Apache Tomcat
@set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote
@set JAVA_OPTS=%JAVA_OPTS% -Djava.rmi.server.hostname=localhost
@set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.port=8686
@set JAVA_OPTS=%JAVA_OPTS% -Djava.net.preferIPv4Stack=true
@set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.authenticate=false
@set JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.management.jmxremote.ssl=false

The first line is unchanged, but then additional lines are added to set the JMX properties.

This is a very simple example with authentication and secure transport disabled. In a production environment, authentication and secure transport should be enabled. Consult JMX documentation for guidance.

For Windows deployments, reinstall the PamManagement service to update the Windows registry:

$PAM_HOME\bin\ServiceManagement.cmd remove
$PAM_HOME\bin\ServiceManagement.cmd install

Note: Reinstalling the PamManagement service resets its Log On property to the default Local System account. If you are using a log on account other than the Local System account for this service, you must restore it before restarting the PamManagement service. Navigate to Services > PamManagement > Properties > Log On, then select This account: and restore the required service account.