(DI-1902) General Information

Used technologies

JMX (Java Management Extensions) is a Java technology designed to monitor and manage (including remotely) various objects (resources).

MBeans (ManagedBeans) are managed resources. Each such object implements a specific interface, through which you can access the attribute values of this object, as well as call its methods and receive notifications (if the application registers the corresponding “listening” MBeans).

MBean Server is an object registry in which MBeans are registered. Any registered object (more precisely, its interface) becomes available to applications.

JMX connectors access resources and make the MBean Server available to JMX clients. A JMX connector consists of a client and a server. The connector server connects to the MBean server and accepts connection requests from clients. The connector client is usually located in another JVM (mostly on a different machine than the connector server).

Remote Method Invocation (RMI) is the standard connection protocol for the JMX API. This protocol allows the JMX client to remotely access MBeans on the MBean server.

JMXServiceURL, or JMX endpoint, is the special address of the JMX API connector server. The format of this address is:

service:jmx:rmi://host:port1/jndi/rmi://host:port2/

where

  • “service:jmx:” is a constant.
  • “rmi:” is the protocol used to connect to the connector server.
  • “//host:port1” is the address at which the connector server can be found.
  • “/jndi/rmi://host:port2/” is the URL path. It means literally the following: take the part of the URL that immediately follows /jndi/ and, at this address, execute the JNDI request in the RMI registry to get information about the RMI server. In response, the registry returns the host and port of the RMI server.

NOTE: If the host is accessed from a different domain, the full network address of the host has to be used, e.g. host_name.domain_name.com
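The following Python check is an added example, not part of the product or of the original page. It splits a JMX endpoint of the form above into the two host:port pairs the JMX client has to reach (the connector server and the RMI registry), which is what a firewall rule set needs, and flags short host names as described in the NOTE. The function names and the sample host and ports are assumptions.

```python
import re
from typing import List, NamedTuple, Tuple

# Address layout as described above:
#   service:jmx:rmi://host:port1/jndi/rmi://host:port2/
_JMX_URL = re.compile(
    r"^service:jmx:(?P<proto>rmi)://"
    r"(?P<host>[A-Za-z0-9._-]+):(?P<port1>\d{1,5})"
    r"/jndi/rmi://(?P<reg_host>[A-Za-z0-9._-]+):(?P<port2>\d{1,5})"
    r"/(?P<name>\S*)$"
)

class JmxEndpoint(NamedTuple):
    protocol: str
    connector: Tuple[str, int]  # host:port1, the connector server
    registry: Tuple[str, int]   # host:port2, the RMI registry queried via JNDI
    warnings: List[str]

def parse_jmx_service_url(url: str) -> JmxEndpoint:
    m = _JMX_URL.match(url.strip())
    if m is None:
        raise ValueError("expected service:jmx:rmi://host:port1/jndi/rmi://host:port2/")
    connector = (m["host"].lower(), int(m["port1"]))
    registry = (m["reg_host"].lower(), int(m["port2"]))
    for _, port in (connector, registry):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    warnings = []
    # NOTE above: across domains the full network address must be used.
    for host in sorted({connector[0], registry[0]}):
        if "." not in host:
            warnings.append(f"{host}: short host name, not a full network address")
    # The documented format shows the same host in both positions.
    if connector[0] != registry[0]:
        warnings.append("connector and registry hosts differ")
    return JmxEndpoint(m["proto"], connector, registry, warnings)

def required_endpoints(url: str) -> List[Tuple[str, int]]:
    """Distinct host:port pairs the JMX client must be allowed to reach."""
    ep = parse_jmx_service_url(url)
    return sorted({ep.connector, ep.registry})

if __name__ == "__main__":
    # Constructed sample address; host name and ports are placeholders.
    sample = "service:jmx:rmi://bobj01.example.com:6451/jndi/rmi://bobj01.example.com:6450/"
    print(required_endpoints(sample))
```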

General introduction

An SAP Business Objects system can be monitored from the central instance via a JMX connector. The JMX (Java Management Extensions) technology defines a connector based on RMI. This connector allows you to connect to an MBean via an MBean server from a remote location and view Business Objects servers and monitoring metrics. The JMX connector is Java-based and is implemented in a JCo service which runs on the SAP application server of the Datavard Insights central instance. BO-specific collectors call the JCo service from SAP ABAP to access JMX.

To get SAP BO monitoring up and running, the following setup has to be done:

  1. Setup SAP BOBJ system
  2. Setup BOBJ add-on to run JCo service on SAP ABAP AS
  3. Setup system for monitoring in Datavard Insights cockpit

Architecture


Processing and security aspects

The deployment process of the JCo service for the JMX connector consists of loading and starting, and it is performed entirely from the ABAP environment. The loading process copies the Java application DVDJMXtoSAP.jar and other library files from the database cluster to the directory /tmp/DVD_JMX_to_SAP/ (depending on customizing) on the SAP application server.

Some files, such as server.conf or destination.conf, are created in the directory just before the service is started; destination.conf is also deleted just after the service is started, for security reasons. The service is started with the external OS command ‘nohup’, which is also registered in SM69 under the name YDVD_JMX_DEP_CMD. The parameter for executing the service is the following (depending on customizing):

/usr/bin/java -jar /tmp/DVD_JMX_to_SAP/DVDJMXtoSAP.jar /tmp/DVD_JMX_to_SAP/ > /tmp/DVD_JMX_to_SAP/nohup_log.txt &

The deployment process requires sensitive information, such as user names and passwords, to be stored in customizing. The user name used for the connection of the JCo client back to the SAP system is not encrypted. The default user name is DVD_JMX_USR, with the recommended authorization profile from the predefined role /DVD/JMX_JCO_RFC. The password for this user is encrypted by hard-wired encryption (an enhanced form of the encryption algorithm implemented in the SAP standard class CL_HARD_WIRED_ENCRYPTOR). The user name and the encrypted password for the SAP system logon are stored in database table /DVD/JMX_CONF and are provided to the JCo service via the file destination.conf only while the service is being started. The user name for the connection of JCo to the BOBJ system is also not encrypted. Its password is encrypted by the same hard-wired encryption algorithm. The user name and encrypted password for BOBJ are stored in database table /DVD/JMX_CONN and are sent to the running JCo service via RFC in decrypted form to establish the connection with BOBJ.