Often times, we would like to use jconsole to manage a remote Alfresco server. If we can SSH to the server, it is possible to tunnel the jconsole connection through SSH.
If the remote server has an X server it is possible to use the `-X` flag to SSH to tunnel X Windows. This is often slow and can be tricky to set up if you need to run jconsole as the Alfresco user—especially if you’ve followed best practices and there is no way to directly log in as this user.
What we’d like to do is simply make a tunnel for the JMX communication to happen over. Unfortunately, it isn’t as simple as setting up a regular tunnel on the appropriate port because of the way JMX works. At this point, jconsole reaches out on the configured JMX/RMI port and then that service allocates another (random) port for the actual JMX communication. For folks who are familiar with FTP, this setup will be familiar.
We have not found an analog to the FTP passv mode that allows all communication on a single port. Fortunately, it is possible to configure jconsole to connect via a SOCKS proxy and it is possible to have SSH set up such a SOCKS proxy!
Before we begin, information on enabling JMX, and on updating the default password, can be found in the Alfresco documentation here: https://docs.alfresco.
Create a SOCKS proxy with your <username> to your Alfresco <hostname>:
ssh -N -D 5050 <username>@<hostname>
NOTE: The `-N` flag will cause you to connect but will not provide an interactive prompt. You can remove this flag if you want to be able to run commands on the Alfresco server while the proxy is running.
Start `jconsole` on your local machine, configured to route through your SOCKS proxy:
jconsole -J-DsocksNonProxyHosts= -J-DsocksProxyHost=localhost -J-DsocksProxyPort=5050
In the jconsole connection dialog use the following as the remote process string:
service:jmx:rmi:///jndi/rmi://localhost:50500/alfresco/jmxrmi
NOTE: This assumes Alfresco’s default JMX/RMI port of 50500. Feel free to update this if you have changed the port Alfresco uses to listen for JMX connections.
In the same dialog you will use `controlRole` as the username and then provide the appropriate password. Remember that the default password is `change_asap` if it has not been changed. Remember that it should be changed for production environments!
For more information, contact us today.