Oleg’s Weblog

My Tech Rant

Archive for the ‘osgi’ Category

JMX connectivity through the firewall

Posted by Oleg Zhurakousky on March 23, 2009

Recently I’ve been asked to help out a customer who was having issues with JMX connectivity to Spring Source dmServer through the firewall. However, one thing I want to point out right up front is that the issue is rather generic and has nothing to do with dmServer. It is really about understanding JMX, RMI and proper configuration. But I will use dmServer and its configuration as an example.
Here is the sample JMX configuration options provided in the dmServer startup script:
-Dcom.sun.management.jmxremote.port=${jmxPort} \
-Dcom.sun.management.jmxremote.authenticate \
-Dcom.sun.management.jmxremote.password.file=${jmxUsersPath} \
-Djavax.net.ssl.keyStore=${keystorePath} \
-Djavax.net.ssl.keyStorePassword=${keystorePassword} \
-Dcom.sun.management.jmxremote.ssl=true \

This will enable JMX agent (MBean Server) when you start dmServer. Once started you can now monitor your process via JMX-compliant tool such as jconsole. Connectivity could be local or remote.
The above configuration seem to provide everything we need to access this process through the firewall, since com.sun.management.jmxremote.port is obviously the port that we need to open in the firewall. However there is a caveat.
Once connected to JMXRegistry running on the port specified by com.sun.management.jmxremote.port property, the actual objects are served by RMIServer which is running on different port. Unfortunately this port is chosen randomly by default instance of JMX Agent and there is no –D option to specify it. Obviously going through the firewall would require opening up two ports and with random port it presents a delicate issue.
Fortunately it is easily solvable by writing a custom Java Agent where you can programmatically specify each port and externalize it through custom properties (I am attaching sample code).
More info here: http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html
In the nutshell, the custom agent will take the port value provided by the com.sun.management.jmxremote.port property and will create a second port (RMIServer port) by incrementing it by 1. (in our case the port specified is 44444 which makes RMIServer port 44445)
Once such agent is in place (JAR) and the appropriate ports are open in the firewall all you need is modify the startup script to include –javaagent option providing the JAR.
. . . . .
$JAVA_HOME/bin/java \
. . . . .

Well, that really only solved one half of the problem, since by default RMI stubs sent to the client contain the server’s private address instead of the public

Just look at this tcpdump fragment while monitoring the client’s access (jconsole running on the local network):
. . . . . . .
09:41:23.778663 IP > . ack 71 win 65535 <nop,nop,timestamp 919359579 313492>
09:41:23.779958 IP > P 20:251(231) ack 71 win 65535 <nop,nop,timestamp 919359579 313492>
09:41:23.780456 IP > P 20:251(231) ack 71 win 65535 <nop,nop,timestamp 919359579 313492>
09:41:23.796075 IP > S 1334070579:1334070579(0) win 5840 <mss 1460,sackOK,timestamp 313496 0,nop,wscale 6>
09:41:23.796328 IP > S 1760846938:1760846938(0) ack 1334070580 win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 919359579 313496,sackOK,eol>

. . . . . . .

You can clearly see that (client i.e., jconsole) is attempting to connect directly to (server) instead of which is a public IP, although the JMX URL is:

If I was behind the firewall I would obviously had problems connecting to
Fortunately, this one is easy to fix. All you need is to provide additional option on the server side (java.rmi.server.hostname) and add it to the script This option represents the host name string that should be associated with remote stubs for locally created remote objects, in order to allow clients to invoke methods on the remote object:
. . . . . . .
-Dcom.sun.management.jmxremote.port=${jmxPort} \
-Djava.rmi.server.hostname= \
. . . . . . .

That is all .
Start jconsole: ./jconsole.sh service:jmx:rmi://<pub-ip>:<rmi-port>/jndi/rmi://<pub-ip>:<registry-port>/jmxrmi
Once you modify the script and start the dmServer you should see output similar to this:
. . . . . .
oleg-2:bin olegzhurakousky$ ./startup.sh
Getting the platform’s MBean Server
Local Connection URL: service:jmx:rmi://oleg-2.local:44445/jndi/rmi://oleg-2.local:44444/jmxrmi
Public Connection URL: service:jmx:rmi://
Creating RMI connector server
[2009-02-26 18:53:34.031] main                     <SPKB0001I> Server starting.
[2009-02-26 18:53:35.943] main                     <SPOF0001I> OSGi telnet console available on port 2401.
[2009-02-26 18:53:41.558] main                     <SPKE0000I> Boot subsystems installed.
. . . . .

The sample code could be downloaded from here: JMXAgent.java


Posted in JMX, osgi, Spring | Tagged: , | 3 Comments »

OSGi and “uses” directive

Posted by Oleg Zhurakousky on December 9, 2008

In current Java model, uniqueness of the class is defined by fully qualified name of the class plus the defining class loader. This mechanism actually creates a problem, where it is quite easy to have multiple versions of the same class loaded in a single JVM space. This happens quite a lot, giving Java’s ability to load classes dynamically. Modern framework such as Spring, Hibernate and others utilize this feature quite a bit. However if not used properly, having multiple instances of class loaded often results in memory leaks and various class type exceptions such as CCE, NCDF, Linkage etc. . .

OSGi approaches this problem rather differently and it does so by bringing the concept of class/packages version into the runtime environment, thus allowing you to still have multiple versions of the same class loaded without creating conflicts.  But it comes with the price. OSGi defines a very strict visibility and class sharing rules that must be explicitly declared, while at the same time moving us a way from the legacy mentality of the linear class path we are all so used to.

The following article article concentrates on one area of OSGi dependency resolution mechanism and that is “uses” directive. . .

Posted in osgi | Tagged: | Leave a Comment »

OSGi and Class.forName(..)

Posted by Oleg Zhurakousky on November 5, 2008

While I was presenting “Intro to OSGi” at the recent Philadelphia JUG, I’ve been asked several questions about java class loader dynamics in OSGI environment.  The following post discusses the implication of using Class.forName(..) in OSGi environment.

Let’s say we have the following code:


Usually the same class loader that loaded the class which contains this code will be used. This class loader will follow standard java class loading delegation mechanism to discover and load the class.

However. . .

In the case of the OSGi, each bundle will have its own class loader and outside of java.* packages, this class loader doesn’t follow standard java class loading delegation mechanism and strictly relies on visibility rules and constraint resolution mechanism defined by OSGi – such as providing Import/Export-Package, Required-Bundle and other manifest headers.

This class loader has two responsibilities

  1. Load classes available to the Bundle Space, where Bundle Space = Bundle JAR itself + attached Fragment Bundles
  2. Collaborate with class loaders of other bundles to reach all classes that are visible to a bundle based on OSGi visibility rules and contsraint resolution mechanism. In other words it must colaborate with Bundle’s Class Space, where Bundle’s Class Space = Bundle-Space + Import-Pckage + Import-Bundle etc…

The issue with using Class.forName(..) in the OSGi environment starts when an attempt is made to resolve such Bundle’s Class Space. To do that we have to make sure that the target class is in the Bundle’s Class Space, which means that advertising bundle with proper Export-Package: org.bar.Foo declaration must be available and appropriate dependency strategy is provided in the bundle that relies on such dependency (e.g., Import-Package: org.bar.foo or Require-Bundle: Foo).

The work of discovering dependencies and providing appropriate manifest headers is not a difficult task (after all in the conventional application model all dependent JARs are in the class path) and could be performed manually or using automated tools such as maven-bundle-plugin, by recursively evaluating dependencies of your JAR

However, giving dynamic nature of Class.forName(..) and lack of compile time validation, the target class might not be available or even known at the time of manifest creation, thus making such determination impossible. The result are missing Import/Export-Package, Require-Bundle etc…, headers which creates a nasty problem, when target Class is not available to the Bundle’s Class Space resulting in ClassNotFoundException being thrown.

Posted in osgi | Tagged: , | 7 Comments »