JMX (Java Management Extensions) is a Java technology designed to monitor and manage (including remotely) various objects (resources)
MBeans (ManagedBeans) are managed resources. Each such object implements a specific interface, through which you can access the attribute values of this object. You can also call its methods and receive notifications (if the application registers the corresponding “listening” MBeans).
MBean Server is object registry (registering MBeans ). Any registered object becomes available to applications (more precisely, its interface).
JMX connectors accesses resources and make the MBean Server available to JMX clients. The JMX connector consists of a client and a server. The connector server connects to the MBean server and takes connection requests from clients. The connector client is usually located on another JVM (mostly the machine in relation to the connector server).
Remote Method Invocation (RMI) is standard connection protocol for JMX API. This protocol allows the JMX client to remotely access MBeans on the MBean server.
JMXServiceURL or JMX endpoint special address of the JMX API connector server. The format of this address is:
service:jmx:rmi://host:port1/jndi/rmi://host:port2/
where
- “service:jmx:” is a constant.
- “rmi:” is a protocol, used to connect to the connector server.
- “//host:port1” is the address at which the connector server can be found
- “/jndi/rmi://host:port2/” is url-path. It means literally the following - take the part of the URL that follows immediately behind /jndi/ and at this address execute the JNDI request in the RMI registry to get information about the RMI server. The registry in response will return the host and port of the RMI server.
NOTE: In the case of access host from a different domain, the full network address of the host has to be used e.g. host_name.domain_name.com
SAP Business Object system can be monitored from the central instance via the JMX connector. The JMX (Java Management Extensions ) technology defines a connector based on RMI. This connector allows you to connect to MBean via an MBean server from a remote location and view Business Objects servers and monitoring metrics. JMX connector is JAVA-based and it is implemented in the JCo service which runs on the SAP application server of Datavard Insights central instance. BO specific collectors are calling JCo service from SAP ABAP to access JMX.
To make SAP BO monitoring up and running, the following setup has to be done:
- Setup SAP BOBJ system
- Setup BOBJ add-on to run JCo service on SAP ABAP AS
- Setup system for monitoring in Datavard Insights cockpit
Image Removed
Image Added
Processing and security aspects
Deployment process of the JCo service for the JMX connector consists of loading and starting and it is fully performed from the ABAP environment. Loading process will copy Java application DVDJMXtoSAP.jar and other library files from the database cluster to the directory /tmp/DVD_JMX_to_SAP/ (depends on customizing) on the SAP app. server.
Image Removed
Image Added
Some files are created in the directory just before service is started like server.conf or destination.conf which is also deleted just after the service is started for security reasons. For starting of the service, an external OS command ‘nohup’ is used. It is also registered in SM69 under the name YDVD_JMX_DEP_CMD. A parameter for executing the service is following (depends on customizing):
/usr/bin/java -jar /tmp/DVD_JMX_to_SAP/DVDJMXtoSAP.jar /tmp/DVD_JMX_to_SAP/ > /tmp/DVD_JMX_to_SAP/nohup_log.txt &
Process of deployment requires
storing vulnerable information in customizing like user names and passwords. The user name used for the connection of the JCo client back to the SAP system is not encrypted. The default user name is DVD_JMX_USR with recommended authorization profile from predefined role /DVD/JMX_JCO_RFC. Password for the user is encrypted by hard wired encryption (an enhanced form of encryption algorithm implemented in SAP standard class CL_HARD_WIRED_ENCRYPTOR). User name and the encrypted password for SAP system logon is stored in the database table /DVD/JMX_CONF and it is provided to the JCO service via a file destination.con only in a process of starting the service.
The user name for the connection of JCo to the BOBJ system is also not encrypted. His password is encrypted by the same hard-wired encryption algorithm. User name and encrypted password for BOBJ are stored in the database table /DVD/JMX_CONN and it is sent to running JCo service via RFC in the decrypted form to establish the connection with BOBJ.
Used technologies
JMX (Java Management Extensions) is a Java technology designed to monitor and manage (including remotely) various objects (resources)
MBeans (ManagedBeans) are managed resources. Each such object implements a specific interface, through which you can access the attribute values of this object. You can also call its methods and receive notifications (if the application registers the corresponding “listening” MBeans).
MBean Server is object registry (registering MBeans ). Any registered object becomes available to applications (more precisely, its interface).
JMX connectors accesses resources and make the MBean Server available to JMX clients. The JMX connector consists of a client and a server. The connector server connects to the MBean server and takes connection requests from clients. The connector client is usually located on another JVM (mostly the machine in relation to the connector server).
Remote Method Invocation (RMI) is standard connection protocol for JMX API. This protocol allows the JMX client to remotely access MBeans on the MBean server.
JMXServiceURL or JMX endpoint special address of the JMX API connector server. The format of this address is:
service:jmx:rmi://host:port1/jndi/rmi://host:port2/
where
NOTE: In the case of access host from a different domain, the full network address of the host has to be used e.g. host_name.domain_name.com
General introduction
SAP Business Object system can be monitored from the central instance via the JMX connector. The JMX (Java Management Extensions ) technology defines a connector based on RMI. This connector allows you to connect to MBean via an MBean server from a remote location and view Business Objects servers and monitoring metrics. JMX connector is JAVA-based and it is implemented in the JCo service which runs on the SAP application server of Datavard Insights central instance. BO specific collectors are calling JCo service from SAP ABAP to access JMX.
To make SAP BO monitoring up and running, the following setup has to be done:
Architecture
Processing and security aspects
Deployment process of the JCo service for the JMX connector consists of loading and starting and it is fully performed from the ABAP environment. Loading process will copy Java application DVDJMXtoSAP.jar and other library files from the database cluster to the directory /tmp/DVD_JMX_to_SAP/ (depends on customizing) on the SAP app. server.
Some files are created in the directory just before service is started like server.conf or destination.conf which is also deleted just after the service is started for security reasons. For starting of the service, an external OS command ‘nohup’ is used. It is also registered in SM69 under the name YDVD_JMX_DEP_CMD. A parameter for executing the service is following (depends on customizing):
/usr/bin/java -jar /tmp/DVD_JMX_to_SAP/DVDJMXtoSAP.jar /tmp/DVD_JMX_to_SAP/ > /tmp/DVD_JMX_to_SAP/nohup_log.txt &
Process of deployment requires
storing vulnerable information in customizing like user names and passwords. The user name used for the connection of the JCo client back to the SAP system is not encrypted. The default user name is DVD_JMX_USR with recommended authorization profile from predefined role /DVD/JMX_JCO_RFC. Password for the user is encrypted by hard wired encryption (an enhanced form of encryption algorithm implemented in SAP standard class CL_HARD_WIRED_ENCRYPTOR). User name and the encrypted password for SAP system logon is stored in the database table /DVD/JMX_CONF and it is provided to the JCO service via a file destination.con only in a process of starting the service.
The user name for the connection of JCo to the BOBJ system is also not encrypted. His password is encrypted by the same hard-wired encryption algorithm. User name and encrypted password for BOBJ are stored in the database table /DVD/JMX_CONN and it is sent to running JCo service via RFC in the decrypted form to establish the connection with BOBJ.