Page 1 of 4
check_jmx with certificate
Posted: Thu Feb 25, 2016 3:04 pm
by amit.ahuja
I am trying to use the check_jmx plugin to monitor remote devices that require an additional classpath with a certificate for authentication. I have followed the tutorials online and have the plugin correctly installed but when I run the command ./check_jmx -U service:jmx:rmi:///jndi/rmi://REMOTEADDRESS:PORT/jmxrmi -O java.lang:type=Memory -A HeapMemoryUsage -K used -vvvv -w 4248302272 -c 5498760192 it times out. Any help in how to import the needed certificate to connect to the remote devices using this plugin would be greatly appreciated
Re: check_jmx with certificate
Posted: Thu Feb 25, 2016 3:35 pm
by rkennedy
Can you please post your full check_jmx command definition?
This link (
http://devops-abyss.blogspot.com/2010/0 ... d-ssl.html) suggests you'll need to add two additional variables.
Code: Select all
-Djavax.net.ssl.trustStore=[full path to keystore file] -Djavax.net.ssl.trustStorePassword=[your password]
Re: check_jmx with certificate
Posted: Fri Feb 26, 2016 8:08 am
by amit.ahuja
The command I posted was the full test command found on the pdf documentation for the check_jmx plugin:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf I have an updated version of the plugin which allows username and password fields which I am using. I am following up on the link you sent and working to see if that fixes my issue. Thanks for the reply.
Re: check_jmx with certificate
Posted: Fri Feb 26, 2016 11:26 am
by rkennedy
You're welcome. I imagine it will work as it's java options, and not dependent on the java file that's running.
I'll leave this open for now, let us know if you have any other questions.
Re: check_jmx with certificate
Posted: Fri Mar 25, 2016 9:13 am
by haile711
rkennedy,
Does nagios has a keystore to import the cert in? Or do we have to create a keystore first? I'm a little confused with this part myself. I'm working on the same
Code: Select all
java -cp jmxquery.jar -Djavax.net.ssl.trustStore="/local/nagios/libexec/mashery-proxy.jks" -Djavax.net.ssl.trustStorePassword=xxxxx org.nagios.JMXQuery -U service:jmx:rmi:///jndi/rmi://10.72.48.125:8084/jmxrmi -O java.lang.type=Memory -A HeapMemoryUsage -K used
Thanks
Re: check_jmx with certificate
Posted: Fri Mar 25, 2016 12:47 pm
by rkennedy
You would need to create the java keystore yourself, import your cert(s), and use that in reference with the command.
Re: check_jmx with certificate
Posted: Fri Mar 25, 2016 3:01 pm
by haile711
yea i've done that, and also see the cert in the keystore. I'm still getting connection refused.
Code: Select all
./check_jmx -Djavax.net.ssl.trustStore='/usr/local/nagios/libexec/mashery-proxy.jks' -Djavax.net.ssl.trustStorePassword=xxx org.nagios.JMXQuery -U service:jmx:rmi:///jndi/rmi://10.72.48.129:8084/jmxrmi -O "java.lang:type=MemoryPool,name=Perm Gen" -A Usage -K used -I Usage
JMX CRITICAL - Error opening RMI connection: Connection refused to host: xx.xx.xx.xxx; nested exception is:
java.net.ConnectException: Connection timed out
Re: check_jmx with certificate
Posted: Mon Mar 28, 2016 3:10 pm
by tgriep
Can you add -vvvv to your command to get a verbose output and post that here?
Are you seeing any errors on the remote system?
Can you login to the XI server as root, run the following and post the output?
Code: Select all
ls -l /usr/local/nagios/libexec/mashery-proxy.jks
Re: check_jmx with certificate
Posted: Wed Mar 30, 2016 2:15 pm
by haile711
hey tgriep,
even tho i've added -vvv on the command it didn't produce any verbose output.
here is the output
Code: Select all
ls -l /usr/local/nagios/libexec/mashery-proxy.jks
-rw------- 1 root nagios 2901 Mar 25 10:17 /usr/local/nagios/libexec/mashery-proxy.jks
Re: check_jmx with certificate
Posted: Wed Mar 30, 2016 3:19 pm
by rkennedy
Can you show us the full input / output you're running?
Also, can you post the result of a nmap ipofjmxmachine?