System Monitoring

This section provides information on selected DirX Access monitoring tasks. The DirX Access Services container supports monitoring with Java MBeans. MBeans provide a Java-platform-standard method for monitoring a software system. DirX Access is equipped with MBeans that provide live data about the status of the containers as well as usage statistics.

MBeans are handled by a Java technology called Java Management Extensions (JMX). This section provides basic instructions for using this technology to monitor Java components running inside JVM containers, such as the DirX Access Services container (for monitoring DirX Access services) or other JVM-based containers (for monitoring Java clients like PEPs).

The figures reported by the DirX Access MBeans refer to quantities applicable to the particular JVM container being monitored. The numbers are not combined in clustered environments and provide per-process information. Restarting the JVM container resets all values.

The DirX Access MBeans can be changed without prior notice and should be considered a helper and diagnostic tool, not a business API. We also recommend limiting access to the JMX interface to trustworthy clients only, because a JMX client can significantly influence the runtime state of the JVM container.

This section also describes how to configure DirX Access for the Nagios® monitoring environment.

Setup

To set up the MBeans environment:

  1. Set up a functional DirX Access Services container.

  2. Open the wrapper.conf file under DirXAccessInstallFolder\Services\instances\default\etc and then modify the JVM startup parameters (via the wrapper.java.additional.x entries) as described in: Platform Monitoring and Management Using JMX

  3. Open jconsole and then connect to host:port, where host is the hostname or IP address of the machine on which the JVM to be monitored is running and port is the port number specified in the wrapper.conf entry. Select the MBeans tab and inspect the com.siemens.dxa and net.atos.dirx.access trees.

  4. After you double-click a primitive MBean attribute, jconsole displays a graph that plots the attribute over time. After you double-click a composite MBean attribute, jconsole displays the attribute’s components.
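A defender-side check for step 2, added here as an example (it is not DirX Access or vendor code): it scans wrapper.conf text for wrapper.java.additional.x entries that open a remote JMX port with authentication or TLS explicitly switched off. The two sample fragments, their entry numbers and the function names are constructed for illustration.

```python
import re

# Constructed wrapper.conf fragments (not taken from a DirX Access installation).
WEAK = """\
wrapper.java.additional.7=-Dcom.sun.management.jmxremote.port=11110
wrapper.java.additional.8=-Dcom.sun.management.jmxremote.authenticate=false
wrapper.java.additional.9=-Dcom.sun.management.jmxremote.ssl=false
"""
HARDENED = """\
wrapper.java.additional.7=-Dcom.sun.management.jmxremote.port=11110
wrapper.java.additional.8=-Dcom.sun.management.jmxremote.authenticate=true
wrapper.java.additional.9=-Dcom.sun.management.jmxremote.ssl=true
#wrapper.java.additional.10=-Dcom.sun.management.jmxremote.ssl=false
"""

LINE = re.compile(r'^\s*wrapper\.java\.additional\.\d+\s*=\s*"?-D([\w.]+)(?:=(.*?))?"?\s*$')
PREFIX = "com.sun.management.jmxremote"

def jmx_properties(conf_text):
    """Collect the JMX system properties passed to the JVM, skipping comments."""
    props = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LINE.match(line)
        if m and m.group(1).startswith(PREFIX):
            props[m.group(1)[len(PREFIX):].lstrip(".")] = (m.group(2) or "").strip()
    return props

def audit_jmx(conf_text):
    """Return findings for a remote JMX agent whose protections are disabled."""
    props = jmx_properties(conf_text)
    if "port" not in props:
        return []  # no remote JMX connector requested
    findings = []
    # Both settings default to true once a port is set; only an explicit
    # "false" turns them off.
    if props.get("authenticate", "true").lower() == "false":
        findings.append("authenticate=false: any client reaching the port can manage the JVM")
    if props.get("ssl", "true").lower() == "false":
        findings.append("ssl=false: credentials and MBean data cross the network in clear text")
    return findings
```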

DirX Access MBeans

This section describes the DirX Access MBeans.

DirX Access Services

This section describes the DirX Services MBeans and their attributes.

Audit Service

This MBean refers to the Audit Service. The object name for the Audit Service is com.siemens.dxa:type=Audit Service. The following attributes are supported:

NbAuditEventsCreated

The number of audit events created, including the events that have not yet been processed by the auditing backend.

NbAuditEventsWaiting

The number of audit events which are still waiting for processing by the auditing backend in server internal queues.

ThreadPoolActiveCount

The approximate number of audit event queue threads that are actively executing tasks.

ThreadPoolLargestSize

The largest number of threads that have ever simultaneously been in the pool that processes the audit event queue.

ThreadPoolSize

The current number of threads in the pool that processes the audit event queue.

Authentication Service

This MBean refers to the Authentication Service. The object name for the Authentication Service is com.siemens.dxa:type=Authentication Service. The following attributes are supported:

NbAuthnRequests

The number of invocations of the AuthenticationService.authenticate() method.

Authorization Service

This MBean refers to the Authorization Service. The object name for the Authorization Service is com.siemens.dxa:type=Authorization Service. The following attributes are supported:

NbAuthzRequests

The combined count of invocations of the following Authorization Service methods: the authorize() methods, the isAuthorized() methods and the isSubjectInRole() method.

NbPDPs

The number of PDPs that are operational.

Cluster Service

The cluster- and cache-related monitoring is provided by the underlying technology, Apache Ignite. Ignite metrics can be found under the org.apache node and comprehensively provide both memory- and communication-related attributes. For more information, see https://ignite.apache.org/releases/latest/javadoc/org/apache/ignite/cluster/ClusterMetrics.html .

Crypto Service

This MBean refers to the Crypto Service. The object name for the Crypto Service is com.siemens.dxa:type=Crypto Service. The following attributes are supported:

NbCertificateIssuanceRequests

The count of invocations of the generateSignedCertificate() Crypto Service method.

Federation Service

This MBean refers to the Federation Service. The object name for the Federation Service is com.siemens.dxa:type=Federation Service. The following attributes are supported:

NbSAMLAssertionIssuanceRequests

The overall number of SAML assertion issuance requests.

LDAP Requester

A group of MBeans that provide attributes for the three services that access the repository via LDAP (AppRepo Service, User Service).

The object name for the LDAP Requester is com.siemens.dxa:type=LDAP Requester, name=service, where service is one of the supported services. The following attributes are supported:

NbActiveAuthnBinds

The number of ongoing authentication binds.

NbActiveSearches

The number of ongoing LDAP search operations.

NbCompletedSearches

The number of finished LDAP search operations.

Provisioning Service

This MBean refers to the Provisioning Service. The object name for the Provisioning Service is com.siemens.dxa:type=Provisioning Service. The following attributes are supported:

NbProvisioningRequests

The overall number of requests received by the Provisioning Service.

SSO Service

This MBean refers to the SSO Service. The object name for the SSO Service is com.siemens.dxa:type=SSO Service. The following attributes are supported:

NbActiveSubjects

The number of active subjects.

User Service

This MBean refers to the User Service. The object name for the User Service is com.siemens.dxa:type=User Service. The following attributes are supported:

NbCachedObjects

The number of objects in the User Service cache.

Monitoring DirX Access with Nagios

MBeans published by DirX Access components can be used by a variety of monitoring tools and systems. DirX products provide additional tools to make integration with Nagios (available at Nagios), one of the widely used monitoring systems, a bit easier.

The recommended way to integrate with Nagios as the monitoring system is via the third-party tool called JNRPE (available at Massimiliano Ziccardi · Massimiliano Ziccardi home page), as it provides a straightforward means for monitoring Java processes out of the box and can be extended relatively easily with more options. One such extension is also available on the DirX Access installation medium in the Additions folder.

The Nagios Core system is usually installed on a dedicated machine and a remote agent takes care of gathering monitoring data from remote systems being monitored, like the DirX Access Server. The most common way is to use the check_nrpe command and an NRPE agent (visit NRPE - Nagios Remote Plugin Executor). JNRPE is a Java-based alternative to NRPE, fully compatible with the check_nrpe command, and as such it is better suited for monitoring Java applications than the original NRPE.

JNRPE is extensible with plugins. The CHECK_JMX plugin (already bundled with JNRPE) or the CHECK_DELTA4JMX plugin (provided on the DirX Access installation medium) can then be used to retrieve monitoring data from MBeans via a JMX connection.

Because MBeans can be accessed remotely via a JMX connection, you aren’t required to have JNRPE co-located with the monitored Java process, but we strongly recommend it. The default JMX transport protocol is not firewall-friendly and securing JMX connections is not easy. While using the JMXMP protocol (needing some extra work) instead of the default JMX with RMI can help to overcome some of these issues and even provide some performance benefits, we still strongly recommend limiting the scope of JMX connections as much as possible.

Assuming that a Nagios installation is available, the following steps enable remote monitoring of a Java process like a DirX Access container:

  • Install JNRPE. As noted above, we recommend installing it on the same machine where the monitored process runs. A JRE is required for it to run; using the JRE bundled with DirX Access is possible.

  • Adjust the JNRPE installation (usually with etc/jnrpe.ini) to allow connections from the Nagios host. JNRPE needs a proper specification of the local addresses and the port on which to listen and also the list of hosts that are allowed to connect. Adjust your firewall settings as necessary to make the selected port accessible from the Nagios host for the allowed hosts. The jnrpe.ini file can contain lines similar to the following:

[server]
bind-address : SSL/0.0.0.0:5666
plugin-path : ${sys:app.home}/plugins
allow-address : 127.0.0.1,192.168.8.126

The bind-address and allow-address entries are notable:

  • Address 0.0.0.0 means all local network interfaces.

  • The port where JNRPE should listen (it must be free).

  • The SSL/ prefix forces SSL/TLS connection (strongly recommended if JNRPE does not run on the same host as Nagios).

  • Multiple hosts may be listed in allow-address (to allow them to connect); however, JNRPE does not support IPv6 address literals.

  • Configure the commands to be available for check_nrpe (which is invoked by Nagios and connects to JNRPE). When JNRPE is launched in interactive mode, it is possible to display the invocation syntax for any plugin (type, for example, plugin:CHECK_JMX without any arguments to get the help).

The following example of a command configuration defines the command that invokes the CHECK_JMX plugin to retrieve the number of threads:

[commands]
thread_count : CHECK_JMX -U service:jmx:rmi:///jndi/rmi://localhost:11110/jmxrmi -O java.lang:type=Threading -A ThreadCount -w 100 -c 150

For details, refer to the JNRPE documentation. For details on CHECK_DELTA4JMX plugin, see the documentation bundled with the plugin in the Additions folder.
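The notes on bind-address, allow-address and JMX co-location above can be checked mechanically. The following is an added example, not part of JNRPE or DirX Access: it parses the jnrpe.ini layout shown in this section and reports a listener reachable off-host without the SSL/ prefix, IPv6 literals in allow-address, and CHECK_JMX commands whose JMX URL points at another host. The sample file, the remote_threads command and the host name dxa.example.test are constructed.

```python
import ipaddress
import re

# Constructed jnrpe.ini for illustration; fe80::1 and dxa.example.test are made up.
SAMPLE = """\
[server]
bind-address : 0.0.0.0:5666
allow-address : 127.0.0.1,192.168.8.126,fe80::1
[commands]
thread_count : CHECK_JMX -U service:jmx:rmi:///jndi/rmi://localhost:11110/jmxrmi -O java.lang:type=Threading -A ThreadCount -w 100 -c 150
remote_threads : CHECK_JMX -U service:jmx:rmi:///jndi/rmi://dxa.example.test:11110/jmxrmi -O java.lang:type=Threading -A ThreadCount -w 100 -c 150
"""

LOCAL = {"localhost", "127.0.0.1"}

def parse_ini(text):
    """Parse the 'key : value' layout shown above into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return sections

def audit_jnrpe(text):
    """Return findings for the exposure points this section calls out."""
    ini, findings = parse_ini(text), []
    server = ini.get("server", {})
    bind = server.get("bind-address", "")
    ssl = bind.startswith("SSL/")
    host = (bind[4:] if ssl else bind).rsplit(":", 1)[0]
    if bind and not ssl and host not in LOCAL:
        findings.append(f"bind-address {bind}: reachable off-host without SSL/TLS")
    for entry in filter(None, (e.strip() for e in server.get("allow-address", "").split(","))):
        try:
            if ipaddress.ip_address(entry).version == 6:
                findings.append(f"allow-address {entry}: IPv6 literal is not supported by JNRPE")
        except ValueError:
            pass  # host name rather than an address literal
    for name, cmd in ini.get("commands", {}).items():
        m = re.search(r"-U\s+service:jmx:rmi:///jndi/rmi://([^:/\s]+)", cmd)
        if m and m.group(1) not in LOCAL:
            findings.append(f"command {name}: JMX connection leaves the host ({m.group(1)})")
    return findings
```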