How to enable JMX on Tomcat running on EC2 (behind a firewall)

Step 1: Copy catalina-jmx-remote.jar into Tomcat’s lib folder. This jar file is available in the extras folder of Tomcat’s binary distribution.

Step 2: Modify Tomcat’s server.xml by adding a new Listener entry.

<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" 
rmiRegistryPortPlatform="9090" rmiServerPortPlatform="9091"/>

Step 3: Open both of these ports in your firewall. Ports 9090 and 9091 are just examples; you can use any port numbers you like.

Step 4: Add the following options to Tomcat’s startup script.

-Dcom.sun.management.jmxremote 
-Dcom.sun.management.jmxremote.authenticate=false 
-Dcom.sun.management.jmxremote.ssl=false 
-Djava.rmi.server.hostname=public-ip (or public dns)

All done! Restart Tomcat and connect to it using jconsole or visualvm from a remote system.
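
Added example (not from the original post): a small sh check that reads a JVM options string and reports whether the JMX authentication and SSL settings from Step 4 are on or off, since with both set to false the firewall rule from Step 3 is the only access control on the two JMX ports. It assumes the JVM's documented default of true for both properties when they are not set; the function names, variable names and the two file paths are illustrative assumptions.

```shell
#!/bin/sh
P=com.sun.management.jmxremote

# Print the effective value of -D<$2>=... in options string $1 ($3 = default).
jmx_prop() (
    set -f                          # no globbing while word-splitting $1
    value=$3
    for tok in $1; do
        case $tok in "-D$2="*) value=${tok#*=} ;; esac   # keep the last occurrence
    done
    printf '%s\n' "$value"
)

# Print one line per finding; exit status = number of FAIL findings.
audit_jmx() (
    findings=0
    if [ "$(jmx_prop "$1" "$P.authenticate" true)" != true ]; then
        echo "FAIL: JMX authentication is off; any host that reaches the ports can connect"
        findings=$((findings + 1))
    fi
    if [ "$(jmx_prop "$1" "$P.ssl" true)" != true ]; then
        echo "FAIL: JMX SSL is off; traffic to the ports is sent in clear text"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: authentication and SSL are both on"
    exit "$findings"
)

# Constructed sample 1: the options exactly as given in Step 4.
PAGE_OPTS="-D$P -D$P.authenticate=false -D$P.ssl=false -Djava.rmi.server.hostname=public-ip"

# Constructed sample 2: same setup with both controls on (file paths are assumptions).
HARDENED_OPTS="-D$P -D$P.authenticate=true -D$P.ssl=true \
-D$P.password.file=/usr/share/tomcat6/conf/jmxremote.password \
-D$P.access.file=/usr/share/tomcat6/conf/jmxremote.access \
-Djava.rmi.server.hostname=public-ip"

echo "Step 4 options:";   audit_jmx "$PAGE_OPTS"     || echo "findings: $?"
echo "Hardened options:"; audit_jmx "$HARDENED_OPTS" || echo "findings: $?"
```

Pass the options string from your own startup script to `audit_jmx`; a non-zero exit status is the number of controls that are switched off.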

Installing Oracle JDK and Tomcat on an EC2 Linux instance

Installing Java JDK on Amazon Linux AMI

Most likely you already have OpenJDK installed on your EC2 instance. You will have to replace OpenJDK with Oracle JDK. Here is how you do it.

Perform all the operations below as root. Get the latest Oracle (Sun) JDK rpm binary from the Oracle website and copy it to the EC2 instance.

# make it exec
chmod +x jdk-6u34-linux-x64-rpm.bin

# Install Java
sudo ./jdk-6u34-linux-x64-rpm.bin

# Check if the default java version is set to sun jdk
# Normally it says OpenJDK
java -version

# Create another alternative for Java for Sun JDK
sudo /usr/sbin/alternatives --install /usr/bin/java java /usr/java/jdk1.6.0_34/bin/java 20000

# Set the SUN JDK as the default java
sudo /usr/sbin/alternatives --config java

# Verify if change in SDK was done.
java -version

Installing Tomcat on Amazon Linux AMI

# Check if tomcat is already installed 
yum info tomcat6

# To install tomcat6, run the following command
yum install tomcat6

# Start Tomcat as follows
service tomcat6 start

Tomcat has now been installed in /usr/share/tomcat6/

# To check that Tomcat has indeed started and is listening on port 8080:
fuser -v -n tcp 8080

# To have Tomcat start automatically on instance reboot
chkconfig --level 345 tomcat6 on 

Tomcat by default runs on port 8080. Traffic can be redirected from port 80 to 8080 by running the following commands:

/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/service iptables save

Tomcat: redirecting traffic from port 80 to 8080 using iptables

First verify that Tomcat is running on port 8080. Run the following command:

# netstat -ntl

The output will look something like

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN
tcp        0      0 :::8009                     :::*                        LISTEN
tcp        0      0 :::8080                     :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN

Run the following command to redirect port 80 traffic to port 8080

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

Run the following command to verify that the redirect is in place

# iptables -t nat -L

The output will look something like

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 8080

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Run the following command to remove the redirect rule

# iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080