Saturday, July 25, 2009

VisualVM remote application monitoring through SSH proxy

As many of you might already know, Java VisualVM, an all-in-one Java troubleshooting tool, is available as a JDK tool in Sun JDK distributions starting from JDK 6 update 7 and in Apple's Java for Mac OS X 10.5 Update 4. VisualVM is also available as a standalone, separately downloadable tool at visualvm.dev.java.net. It is a visual tool that enhances performance and monitoring analysis for the Java SE platform in both production and development environments. You can find more detailed information on the VisualVM product site.

But our topic is how to make VisualVM work through an SSH tunnel, specifically in production systems where it is normal practice to allow users or administrators only SSH access on port 22. With the default settings VisualVM will not work there, as it uses port 1099 to communicate with the remote host via jstatd. For some reason, VisualVM doesn't seem to work through SSH port forwarding or an SSH proxy, which is a big blocker for many people who wish to use this tool in this kind of setup.

The only way I have come up with so far to make VisualVM work is to use a system proxifier like WideCap (free) or ProxyCap (shareware); with it I was able to connect to a remotely running Java process over an SSH proxy. Here are the steps to configure it:

1) Download WideCap and install it.
2) Open the WideCap control panel and click on new proxy. Provide hostname localhost, port 8333, and select the SOCKS version that your SSH client and server use.
3) Add a new application, point it to the location of java.exe, and create a new rule that is triggered when Java is started.
4) Enable WideCap.
5) Run PuTTY or any SSH client as an SSH proxy daemon, e.g. putty -D 8333 username@server or ssh -D 8333 user@host
6) Start VisualVM and add the remote host. You should now be able to see the Java process running on the remote server, and to connect to it and monitor it.
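To confirm that the SOCKS listener from step 5 really reaches jstatd's RMI registry before the proxifier is involved, the following check can be run on the client. It is an added example, not part of the original post; it assumes Python 3, the default registry port 1099 mentioned above, and function names (check_tunnel and the others) that are this example's own.

```python
import socket
import struct
import sys

SOCKS_PORT = 8333                  # step 5: ssh -D 8333
JSTATD_PORT = 1099                 # RMI registry port that jstatd uses by default
JRMP_HELLO = b"JRMI\x00\x02\x4b"   # JRMP magic, version 2, StreamProtocol
JRMP_ACK = b"\x4e"                 # ProtocolAck sent back by an RMI endpoint

def recv_exact(sock, n):
    """Read exactly n bytes, or fewer if the peer closes first."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            break
        data += chunk
    return data

def connect_request(host, port):
    """SOCKS5 CONNECT by name, so the SSH server resolves the host."""
    name = host.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def check_tunnel(sock, host, port=JSTATD_PORT):
    """Run SOCKS5 CONNECT, then a JRMP hello, on a socket connected to the proxy."""
    sock.sendall(b"\x05\x01\x00")              # offer "no authentication" only
    if recv_exact(sock, 2) != b"\x05\x00":
        return "proxy rejected SOCKS5 greeting"
    sock.sendall(connect_request(host, port))
    head = recv_exact(sock, 4)                 # VER, REP, RSV, ATYP
    if len(head) < 4 or head[1] != 0:
        return "SOCKS connect failed"
    if head[3] == 3:                           # bound address given as a name
        size = recv_exact(sock, 1)
        addr_len = size[0] if size else 0
    else:
        addr_len = 16 if head[3] == 4 else 4   # IPv6 or IPv4
    recv_exact(sock, addr_len + 2)             # skip bound address and port
    # A proxy may report success before the far side connects, so ask the endpoint.
    try:
        sock.sendall(JRMP_HELLO)
        answered = recv_exact(sock, 1) == JRMP_ACK
    except OSError:
        answered = False
    return "ok" if answered else "no RMI endpoint answered"

if __name__ == "__main__":
    # argv[1]: the jstatd host as the SSH server would name it (assumption)
    with socket.create_connection(("127.0.0.1", SOCKS_PORT), timeout=5) as s:
        print(check_tunnel(s, sys.argv[1]))
```

A result of "ok" means the tunnel and the registry are fine, so any remaining problem lies in the proxifier rule or in VisualVM itself.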



A note of caution: WideCap is not very consistent, and it crashes Outlook (at least for me) and sometimes IE; ProxyCap, on the other hand, seems to work fine alongside other standard Windows applications without problems.

Also, if you run into problems, make sure all the instructions in this link are followed.

4 comments:

YouCanPlayBetter said...

I'm trying to use VisualVM for monitoring my Tomcat installation running on an Amazon EC2 instance because I would like to get rid of LambdaProbe. You are indeed right to say that there's no other useful info about this problem all over the net. Thanks for sharing this!

I followed closely all your instructions, but I don't see jstatd or any other process from my remote server inside VisualVM. jstatd is running fine on the server and I started it with this line:

jstatd -J-Djava.security.policy=jstatd.all.policy

The security policy contains the suggested config from http://java.sun.com/javase/6/docs/technotes/tools/share/jstatd.html

Also the path to java.exe is the right one.

I just hope that there's nothing related to the fact that I'm running Vista x64 (the author of WideCap says he didn't test it on).

Are you sure that you didn't do any additional configuration in WideCap besides what you described? Maybe something in New Rule#1?

By the way, the last link from your post is invalid (it should point to http://visualvm.dev.java.net/applications_remote.html).

Thanks,
Robert

YouCanPlayBetter said...

I found another problem with WideCap. When it's installed (even if not running), I cannot start Eclipse (3.4, 3.5) because I receive this message in .metadata/.log from the workspace:

org.eclipse.swt.SWTError: Cannot initialize Drop
at org.eclipse.swt.dnd.DND.error(DND.java:267)
[...]

onewebclick said...

Make sure you start jstatd as the same user as the Java process that you want to monitor. I haven't done any other configuration except what I mentioned. If possible, do some tracing on the SSH and see if the connections are coming, and btw thanks for letting me know about the broken link. Also try ProxyCap, which seems to be much better than WideCap, as I also ran into a lot of problems with WideCap.

Thorbjørn Ravn Andersen said...

I have used the JSocks proxy to access remote machines through socks4 and 5 (using both old AIX machines and new AS/400 machines to do so).

I have not tried yet with jvisualvm though, but this is a pure java solution, which might be nice for non-standard platforms.