how to monitor tomcat

inetquestion - 19 Feb 2007 22:55 GMT
I'm looking for some tools either built into tomcat or auxiliary
scripts which could be used to extract performance data and hopefully
integrate with cacti/tivoli. Given that there appear to be quite a few
of these out there I was also hoping for some guidance on which ones
are the most comprehensive and have the least problems with their use.

Regards,

-Inet
inetquestion - 23 Feb 2007 15:33 GMT
I forgot to mention that the default application that comes with
tomcat for status has been removed for security purposes.  Is it
possible to obtain some of this data through some other means?
Juha Laiho - 25 Feb 2007 21:22 GMT
"inetquestion" <inetquestion@hotmail.com> said:
>I forgot to mention that the default application that comes with
>tomcat for status has been removed for security purposes.  Is it
>possible to obtain some of this data through some other means?

Would it be any more secure if the data was available through some
other means? How about limiting access to the status application
appropriately?

That being said, enabling JMX on the Tomcat might help, but then,
how can you trust the JMX interface if you cannot trust the status
app is again another issue.

Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
        PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

inetquestion - 25 Feb 2007 22:42 GMT
What did you have in mind by enabling the data through some other
means?

The problem I've got is I'm dealing with a crippled version of apache/
tomcat because it's a CA/Netegrity's bundled version they call SPS.
They have removed all this stuff, but it may be possible to add pieces
of it back in.  I was able to get the server-status in apache to work
by adding one of the .so files back into the build.

As for JMX, I'm not a java programmer, so I'll need to do some
research on what that is before commenting further.
Juha Laiho - 26 Feb 2007 15:47 GMT
>>>"inetquestion" <inetquestion@hotmail.com> said:
>>>I forgot to mention that the default application that comes with
>>>tomcat for status has been removed for security purposes.  Is it
>>>possible to obtain some of this data through some other means?

>><Juha.Laiho@iki.fi> said:
>>Would it be any more secure if the data was available through some
[quoted text clipped - 4 lines]
>>how can you trust the JMX interface if you cannot trust the status
>>app is again another issue.

"inetquestion" <inetquestion@hotmail.com> said:
>what did you have in mind by enabling the data through some other
>means?

You wrote there were things disabled because of security reasons.
Now, you'll need to dig out what these security reasons are.
Is the reason for removal that an implementation of some functionality
is seen as a risk to security, or is the risk in the functionality
itself? So, f.ex. you tell that the "application that comes with tomcat
for status" is disabled. Now, is the risk in:
- the functionality of providing status
 (in which case you'd break your security model with any piece of
  code providing this functionality)
- the Tomcat status implementation for providing status
 (in which case providing status is ok, but someone considers the
  Tomcat implementation of this unsafe, and an alternative
  implementation for the same functionality would be acceptable,
  but bringing back in the Tomcat status implementation would
  be considered a security risk)

>The problem I've got is I'm dealing with a crippled version of apache/
>tomcat because it's a CA/Netegrity's bundled version they call SPS.
[quoted text clipped - 4 lines]
>As for JMX, I'm not a java programmer, so I'll need to do some
>research on what that is before commenting further.

JMX is "Java Management Extension"; a standard for providing an API
for extracting management information from a Java application.

Here's one article discussing JMX and Tomcat; however this
also mixes in Tomcat clustering, but not too much; the information
can also be used for a standalone Tomcat;
http://www.javaworld.com/javaworld/jw-08-2005/jw-0801-jmx.html

Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
        PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
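
A read-only poller for the JMX route suggested in the reply above, added here as an example; it is not code from the thread or from the linked article. It assumes the Tomcat JVM was started with authenticated, SSL-protected remote JMX and that the polling account has only the `readonly` role in the JMX access file. The port `9004`, the `JMX_USER`/`JMX_PASS` variable names and the class name are constructed, and the `Catalina:` MBean names are those of a stock Tomcat, which a repackaged bundle may not register.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

// Added example: read-only JMX poller for Tomcat. Assumed server-side JVM options:
//   -Dcom.sun.management.jmxremote.port=9004              (constructed port)
//   -Dcom.sun.management.jmxremote.authenticate=true
//   -Dcom.sun.management.jmxremote.ssl=true
//   -Dcom.sun.management.jmxremote.password.file=<path>   (readable by the Tomcat user only)
//   -Dcom.sun.management.jmxremote.access.file=<path>     (poller account listed as "readonly")
public class TomcatJmxPoll {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        String port = args.length > 1 ? args[1] : "9004";
        // Hypothetical variable names; the environment keeps the secret off the command line.
        String user = System.getenv("JMX_USER");
        String pass = System.getenv("JMX_PASS");
        if (user == null || pass == null) {
            System.err.println("set JMX_USER and JMX_PASS");
            System.exit(2);
        }
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { user, pass });
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");
        try (JMXConnector jmxc = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbs = jmxc.getMBeanServerConnection();
            dump(mbs, "Catalina:type=ThreadPool,*",
                 "currentThreadsBusy", "currentThreadCount", "maxThreads");
            dump(mbs, "Catalina:type=GlobalRequestProcessor,*",
                 "requestCount", "errorCount", "processingTime", "bytesSent");
        }
    }

    // Prints one line per matching MBean: connector name, then attr:value pairs.
    static void dump(MBeanServerConnection mbs, String pattern, String... attrs) throws Exception {
        Set<ObjectName> names = mbs.queryNames(new ObjectName(pattern), null);
        for (ObjectName on : names) {
            StringBuilder line = new StringBuilder(on.getKeyProperty("name"));
            for (String a : attrs) {
                line.append(' ').append(a).append(':').append(mbs.getAttribute(on, a));
            }
            System.out.println(line);
        }
    }
}
```

With SSL enabled on the server, the client JVM needs the server certificate in its trust store (the standard `javax.net.ssl.trustStore` property). The poller only reads attributes, so the `readonly` role is sufficient for it.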

inetquestion - 26 Feb 2007 17:23 GMT
Thanks for the JMX info, I will take a look at that this evening.

As for the security concerns of the status application, I don't have
much insight as to why they packaged their product that way; I'm only
guessing as to why they did it.  It wouldn't surprise me if they just
didn't want to get support questions on it, so they took it out.  The
problem I'm facing is I need to pry some information out of this thing
and the logs aren't that helpful.  Hopefully I can put the status
application back in or give the JMX stuff a shot?  I assume there are
no snmp hooks for tomcat right?  :)

-Inet

