Enable RMI
By default, the Horizon server’s RMI port is disabled for security reasons.
When enabled, it lets you access Horizon via jconsole and remotely manage your instance.
To enable RMI, you must add some settings to the default Horizon installation.
Add the following code to ${OPENNMS_HOME}/etc/opennms.conf:
# Configure remote JMX
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Dcom.sun.management.jmxremote.port=18980" # (1)
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Dcom.sun.management.jmxremote.local.only=false"
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Dcom.sun.management.jmxremote.authenticate=true"
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Dcom.sun.management.jmxremote.ssl=false"
# Listen on all interfaces
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Dopennms.poller.server.serverHost=0.0.0.0" # (2)
# Accept remote RMI connections on this interface
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Djava.rmi.server.hostname=<your-server-ip-address>" # (3)
(1) Configures Horizon to listen for RMI on port 18980.
(2) Configures Horizon to listen for RMI on all interfaces. Note that originally, RMI was used only for the legacy remote poller; despite this property name mentioning the "OpenNMS poller server," it applies to RMI as a whole.
(3) Allows Horizon to accept and complete RMI connections. You must include this option, otherwise Horizon will accept connections but will not be able to complete a valid connection.
If ${OPENNMS_HOME}/etc/opennms.conf does not exist in your install, you can create it and add the code above.
Allow user authentication
Authentication is allowed only for users who are assigned the admin or jmx roles (ROLE_ADMIN, ROLE_JMX).
To assign the admin role to a user, add ROLE_ADMIN to their entry in users.xml.
Similarly, to assign the jmx role to a user, add ROLE_JMX to their entry in users.xml.
If the ROLE_USER role is required to allow access to the web UI, ensure that the user’s account has it as well (see Assign User Permissions).
You should also ensure that ${OPENNMS_HOME}/etc/jmxremote.access has the appropriate access settings for each role:
admin readwrite
jmx readonly
The following types of access are available in Horizon:
- readwrite: Lets a user retrieve JMX metrics and run MBeans.
- readonly: Lets a user retrieve JMX metrics, but does not allow them to run MBeans.
Enable SSL
To enable SSL on the RMI port, you need an existing keystore for your Horizon server. For information on configuring a keystore, see Secure Jetty with HTTPS.
After your keystore is set up and configured, you must change the com.sun.management.jmxremote.ssl option to true and tell Horizon where your keystore is:
# Configure SSL Keystore
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Djavax.net.ssl.keyStore=/opt/opennms/etc/opennms.keystore"
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Djavax.net.ssl.keyStorePassword=changeit"
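To check a finished opennms.conf for the settings covered so far, the following added example (not part of the Horizon documentation or code base) reports remote JMX without authentication, without SSL, bound to all interfaces, or using the sample keystore password. The function names jmx_prop, audit_jmx_conf and sample_conf are hypothetical, and the embedded sample is constructed from the Enable RMI settings above.

```shell
#!/bin/sh
# Added example: audit the JMX/RMI options in an opennms.conf-style file.

# Print the effective value of -D<property>=<value> (last uncommented one wins).
jmx_prop() {  # usage: jmx_prop FILE PROPERTY
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/.*-D$pat=\([^\" ]*\).*/\1/p" | tail -n 1
}

# Print one finding per line for the settings this page covers.
audit_jmx_conf() {  # usage: audit_jmx_conf FILE
    port=$(jmx_prop "$1" com.sun.management.jmxremote.port)
    if [ -z "$port" ]; then
        echo "OK: remote JMX port is not configured"
        return 0
    fi
    echo "INFO: remote JMX enabled on port $port"
    # The JVM defaults authenticate and ssl to true, so only an explicit false is a finding.
    [ "$(jmx_prop "$1" com.sun.management.jmxremote.authenticate)" = false ] &&
        echo "FAIL: authenticate=false, anyone who can reach port $port can manage the JVM"
    [ "$(jmx_prop "$1" com.sun.management.jmxremote.ssl)" = false ] &&
        echo "WARN: ssl=false, JMX credentials and data cross the network unencrypted"
    [ "$(jmx_prop "$1" opennms.poller.server.serverHost)" = 0.0.0.0 ] &&
        echo "WARN: serverHost=0.0.0.0, restrict port $port with a host firewall"
    [ "$(jmx_prop "$1" javax.net.ssl.keyStorePassword)" = changeit ] &&
        echo "WARN: keyStorePassword is the sample value 'changeit'"
    return 0
}

# Constructed sample input: the settings from the "Enable RMI" section above.
sample_conf() {
    cat <<'EOF'
# Configure remote JMX
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Dcom.sun.management.jmxremote.port=18980"
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Dcom.sun.management.jmxremote.local.only=false"
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Dcom.sun.management.jmxremote.authenticate=true"
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Dcom.sun.management.jmxremote.ssl=false"
ADDITIONAL_MANAGER_OPTIONS="$ADDITIONAL_MANAGER_OPTIONS -Dopennms.poller.server.serverHost=0.0.0.0"
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_jmx_conf "$tmp"
rm -f "$tmp"
```

On a real install, call audit_jmx_conf with the path to ${OPENNMS_HOME}/etc/opennms.conf after each change to the file.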
Connect to RMI over SSL
Note that if you use a self-signed or otherwise untrusted certificate, you must configure a client-side truststore when you try to connect over SSL-enabled RMI. For information on creating and configuring a truststore, see Secure Jetty with HTTPS.
After you set up a truststore, you may use it to connect to your Horizon RMI server.
For example, when using jconsole to connect to the Horizon RMI interface, run the following command to retrieve JVM statistics:
jconsole -J-Djavax.net.ssl.trustStore=/path/to/opennms.truststore -J-Djavax.net.ssl.trustStorePassword=changeit