Using SSH as a SOCKS proxy to allow access to firewalled services

Posted by on 12/12/2011 No comments

I was recently working on an issue at work in which we had a java application that was failing to complete a load test. We wanted to use jvisualvm and jconsole to monitor the application while under load, however the machines were behind a firewall and it sometimes takes a while to get firewall rules pushed out. Enter the amazing ssh SOCKS proxy functionality.

Enabling jmx-remote in tomcat is pretty easy and is covered here.

Once jmx-remote was enabled on the remote servers we needed to get the previously mentioned applications connected to the jmx-remote port which was on port 9002.

To enable the SOCKS proxy simply you’ll  need to open a connection to the machine with the jmx-remote service you want to connect to via ssh with dynamic port forwarding enabled.

ssh -D9002 user@remotehostbehindfw

You can use any port that’s not already listening on your local system. I used 9002 just for simplicity but this could be any port and does NOT need to be the port you’re connecting to on the remote system. If you use a different port make sure the port specified in the commands below matches what you chose.

To use jvisualvm with this proxy start it with the following option.

jvisualvm -J-Dnetbeans.system_socks_proxy=localhost:9002

Then set up your remote JMX connection as you normally would and SSH will take care of the rest.

jconsole will work very similarly, the options for it are as follows:

jconsole -J-DsocksProxyHost=localhost -J-DsocksProxyPort=9002

Connect to the remote instance as you normally would.

This also works for AIM. I use it frequently to talk to some friends while I’m at work. While our office doesn’t forbid or block AIM usage I have found that when I’m connected via the corporate network I get disconnected from “chat rooms” frequently. I use the above method with pidgin to proxy via my external shell account and have found that I don’t get disconnected doing this.

After you open the socks proxy using ssh -D<myport> user@host configure pidgin to use a socks proxy. Edit your AIM account in pidgin, go to the proxy tab, select “Proxy type” SOCKS 5, point it at localhost and <myport> no need for username and password. Then just reconnect. *Note you’ll have to open the SSH proxy every time to connect to AIM after that unless you change these settings.

Enable JMX remote in Tomcat 6

Posted by on 12/07/2011 1 comment

In the course of my work I’ve found JMX with jvisualvm or jconsole to be a very valuable part of my arsenal when troubleshooting java applications. I enable JMX remote in all of my DEV, QA, and STAGING environments. It’s a great tool for troubleshooting and general information gathering.

This is the method I use to enable JMX remote with Tomcat 6.

In catalina.sh add the following:

CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9002
-Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.password.file=$CATALINA_HOME/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=$CATALINA_HOME/conf/jmxremote.access"

Note, you must have the CATALINA_HOME variable set for this to work.

Then as the tomcat user:

echo 'tomcat readonly' > /opt/apache-tomcat-6.0.32/conf/jmxremote.access
echo 'tomcat password' > /opt/apache-tomcat-6.0.32/conf/jmxremote.password

In the statements above tomcat is the username. In the access file readonly can be replaced with readwrite. The password is whatever password you want to use for the tomcat user. I recommend not using password. :)