how to monitor tomcat

[inetquestion]

I'm looking for some tools either built into tomcat or auxiliary
scripts which could be used to extract performance data and hopefully
integrate with cacti/tivoli. Given that there appear to be quite a few
of these out there I was also hoping for some guidance on which ones
are the most comprehensive and have the least problems with their use.

Regards,

-Inet

 

[inetquestion]

I forgot to mention that the default application that comes with
tomcat for status has been removed for security purposes. Is it
possible to obtain some of this data through some other means?

 

[Juha Laiho]

I forgot to mention that the default application that comes with
tomcat for status has been removed for security purposes. Is it
possible to obtain some of this data through some other means?

Would it be any more secure if the data was available through some
other means? How about limiting access to the status application
appropriately?

That being said, enabling JMX on the Tomcat might help, but then,
how can you trust the JMX interface if you cannot trust the status
app is again another issue.

 

[inetquestion]

what did you have in mind by enabling the data through some other
means?

The problem I've got is I'm dealing with a crippled version of apache/
tomcat because its a CA/Netegrity's bundled version they call SPS.
They have removed all this stuff, but it may be possible to add pieces
of it back in. I was able to get the sever-status in apache to work
by adding one of the .so files back into the build.

As for JMX, I'm not a java programmer, so I'll need to do some
research on what that is before commenting further.

 

[Juha Laiho]

what did you have in mind by enabling the data through some other
means?

You wrote there were things disabled because of security reasons.
Now, you'll need to dig out what are these security reasons.
Is the reason for removal that an implementation of some functionality
is seen as a risk to security, or is the risk in the fuctionality
itself. So, f.ex. you tell that the "application that comes with tomcat
for status" is disabled. Now, is the risk in:
- the functionality of providing status
(in which case you'd break your security model with any piece of
code providing this functionality)
- the Tomcat status implementation for providing status
(in which case providing status is ok, but someone considers the
Tomcat implementation of this unsafe, and an alternative
implementation for the same functionality would be acceptable,
but bringing back in the Tomcat status implementation would
be considered a security risk)

The problem I've got is I'm dealing with a crippled version of apache/
tomcat because its a CA/Netegrity's bundled version they call SPS.
They have removed all this stuff, but it may be possible to add pieces
of it back in. I was able to get the sever-status in apache to work
by adding one of the .so files back into the build.

As for JMX, I'm not a java programmer, so I'll need to do some
research on what that is before commenting further.

JMX is "Java Management Extension"; a standard for providing an API
for extracting management information from a Java application.

Here's one article discussing JMX and Tomcat; however this
also mixes in Tomcat clustering, but not too much; the information
can also be used for a standalone Tomcat;
http://www.javaworld.com/javaworld/jw-08-2005/jw-0801-jmx.html

 

[inetquestion]

Thanks for the JMX info, I will take a look at that this evening.

As for the security concerns of the status application, I don't have
much insight as to why they packaged their product that way I'm only
guessing as to why they did it. It wouldn't surprises me if they just
didn't want to get support questions on it, so they took it out. The
problem I'm facing is I need to pry some information out of this thing
and the logs aren't that helpful. Hopefully I can put the status
application back in or give the JMX stuff a shot? I assume there are
no snmp hooks for tomcat right?


-Inet