Tuesday, August 14, 2012

Monitoring Tomcat 7 on RHEL / AWS using JConsole/VisualVM over SSH

Problem:

  • You have a Tomcat running on Red Hat Enterprise Linux (RHEL) on Amazon Web Services (AWS) and you want to monitor it or investigate an issue via JMX.
  • You want to use JConsole and/or VisualVM, and you want to do it at least partially securely.
  • You already have SSH access to the AWS Linux machine running your Tomcat.

I lost a couple of hours figuring this out and wanted to share it with everyone.

The solution involves 3 steps on the server side (excluding the Tomcat restart) and 3 steps on the client side:

Server side:
  1. Download http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.23/bin/extras/catalina-jmx-remote.jar and put it in tomcat/lib.
  2. Add the following listener to server.xml:

    <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
        rmiRegistryPortPlatform="10001"
        rmiServerPortPlatform="10002"
        useLocalPorts="true" />


  3. Add the following settings to tomcat/bin/setenv.sh:

    # Enable the JMX agent without SSL or authentication; any existing options are kept.
    CATALINA_OPTS="-Dcom.sun.management.jmxremote
        -Dcom.sun.management.jmxremote.ssl=false
        -Dcom.sun.management.jmxremote.authenticate=false
        $CATALINA_OPTS"


>>> Restart tomcat

Client side:
  1. download http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.23/bin/extras/catalina-jmx-remote.jar and put it in JDK/JRE/lib/ext (same file as downloaded at Server step 1)
  2. start ssh tunnel with:

        ssh user@aws-host -L10001:127.0.0.1:10001 -L10002:127.0.0.1:10002

  3. Start JConsole and enter the following remote service URL:

        service:jmx:rmi://127.0.0.1:10002/jndi/rmi://127.0.0.1:10001/jmxrmi

>>> You have JConsole connected over SSH to your Tomcat running on AWS.

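Of course, if you want to configure plain authentication or even SSL for greater security, all you have to do is add the corresponding standard JMX settings on both the server side and the client side. With the settings above, ports 10001 and 10002 accept unauthenticated JMX connections, so keep them closed in the AWS security group and reach them only through the SSH tunnel.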
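One way to add the plain authentication mentioned above, as an added example that is not part of the original post. The role name, password and directory are assumptions; the system properties are the standard JMX ones.

```shell
#!/bin/sh
# Added example: create JMX password/access files and print the matching
# JVM options for tomcat/bin/setenv.sh. Role, password and paths are assumptions.

# write_jmx_auth_files DIR ROLE PASSWORD
# Creates DIR/jmxremote.password and DIR/jmxremote.access, owner-only.
write_jmx_auth_files() {
    dir=$1 role=$2 pass=$3
    [ -n "$dir" ] && [ -n "$role" ] && [ -n "$pass" ] || return 2
    # Both files use a "role value" line format, so whitespace would corrupt them.
    case "$role$pass" in *[[:space:]]*) return 2 ;; esac
    old_umask=$(umask)
    umask 077   # never group/world readable, not even briefly
    mkdir -p "$dir" &&
        printf '%s %s\n' "$role" "$pass" > "$dir/jmxremote.password" &&
        printf '%s readonly\n' "$role" > "$dir/jmxremote.access"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return "$rc"
    # The JVM refuses to start if the password file is readable by other users.
    chmod 600 "$dir/jmxremote.password" "$dir/jmxremote.access"
}

# jmx_auth_opts DIR
# Prints the options that replace authenticate=false from server step 3.
jmx_auth_opts() {
    printf '%s\n' \
        "-Dcom.sun.management.jmxremote" \
        "-Dcom.sun.management.jmxremote.ssl=false" \
        "-Dcom.sun.management.jmxremote.authenticate=true" \
        "-Dcom.sun.management.jmxremote.password.file=$1/jmxremote.password" \
        "-Dcom.sun.management.jmxremote.access.file=$1/jmxremote.access"
}

# Usage, run as the user Tomcat runs as (placeholder path and password):
#   write_jmx_auth_files /path/to/tomcat/conf monitorRole 'CHANGE-ME'
# and in setenv.sh, after sourcing these functions:
#   CATALINA_OPTS="$(jmx_auth_opts /path/to/tomcat/conf) $CATALINA_OPTS"
```

JConsole then asks for the role name and password in its connection dialog; `readonly` lets the role read MBean attributes but not invoke operations.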

Happy monitoring.