Monitor Websphere Liberty Profile with JConsole

Question

I'm trying to monitor my WLP v8.5.5 with JConsole.

My Liberty profile is up and running and has SSL properlly configured. I also have configured as features the monitor-1.0 and restConnector-1.0.

After that I sftp'ed from my WLP the restConnector.jar to my machine and created a keystore on my machine as described here

After that I'm trying to start JConsole with this command:

jconsole -J-Djava.class.path="C:\Program Files\Java\jdk1.7.0_67\lib\jconsole.jar;
                              C:\Program Files\Java\jdk1.7.0_67\lib\tools.jar;
                              <whereIDownloaded>\restConnector.jar" 
         -J-Djavax.net.ssl.keyStore="<locationToCreated>\keystore.jks" 
         -J-Djavax.net.ssl.keyStorePassword=<password> 
         -J-Djavax.net.ssl.keyStoreType=jks 
         -J-Dcom.ibm.ws.jmx.connector.client.disableURLHostnameVerification=true

However, when I try to connect to my WLP via remote with the string:

service:jmx:rest://<ip>:<httpsPort>/IBMJMXConnectorREST

As a credential I'm passing a user configured on <administrator-role>.

I get a JConsole error saying:

Secure connection failed. Retry insecurely?

I don't get why I'm seeing this error, and I don't see any logs to see why it failed. My next step if getting the keystore from WLP and try that on my machine but I don't think that makes much sense.

Does anyone have any suggestion on where should I look for logs or on that I'm doing wrong? Thanks in advance!

Reference: http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/twlp_mon.html?cp=SSAW57_8.5.5%2F1-3-11-0-6&lang=en

Answer 1

Ensure you don't have localConnector-1.0 feature. If you have that, please remove it. You can find more details here Remote monitoring of Liberty with Health Center. Although it discusses Health Center connection, I was testing using JConsole also.

UPDATE
You might be invoking console with incorrect params - it should be trustStore not keystore see below. And for start use key.jks copied from Liberty (as you need Liberty certificate as trusted)

jconsole -J-Djava.class.path=%JAVA_HOME%/lib/jconsole.jar;
                         %JAVA_HOME%/lib/tools.jar;
                         %WLP_HOME%/clients/restConnector.jar
     -J-Djavax.net.ssl.trustStore=key.jks 
     -J-Djavax.net.ssl.trustStorePassword=Liberty 
     -J-Djavax.net.ssl.trustStoreType=jks

For details check Configuring secure JMX connection to the Liberty

Answer 2

As an additional note - you must not have a webAppSecurity entry with loginFormURL set in your server.xml as this will cause the JMX login to fail (e.g., <webAppSecurity loginFormURL="login.html"/> is problematic). Each individual WAR needs to set their own login-config and not rely on any global method of configuring logins.

`