Hi,
We would like to monitor the JIRA nodes and Tomcat.
We are using Manage Engine (ME) to monitor the nodes.
We also would like to monitor the Tomcat but whenever Manage Engine gets data from the nodes, it can't get through as JIRA is automatically prompting for a login. Thus, ME cannot get data from the nodes.
Is there any way we can skip the redirection to login prompt whenever connecting to JIRA for specific purpose like ME monitoring for Tomcat?
Please let me know any pointers.
Thanks
To ensure clarity and security, adopt a refined approach to configure access control:
Firstly, modify server.xml using the <Valve> element to bypass authentication for specified IP addresses. Instead of using multiple valves, utilize a single <RemoteAddrValve> or <RemoteHostValve> to list allowed IPs:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1|::1|<ManageEngine_IP>" />
This configuration grants access only to requests from specified IPs (e.g., Manage Engine server), blocking all other IPs from unauthenticated access.
Consider security implications carefully:
For granular URL pattern control (optional), configure web.xml:
- Map specific URLs required by Manage Engine, bypassing authentication only for those endpoints.
<security-constraint>
<web-resource-collection>
<web-resource-name>MonitoringEndpoints</web-resource-name>
<url-pattern>/monitoring/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- Leave empty to bypass auth for specified URLs -->
</auth-constraint>
</security-constraint>
Finally, restart Jira to apply changes made to server.xml or web.xml.
Hope this helps - Happy to help further!!
Thank you very much and have a great one!
Warm regards
Hi @Humashankar VJ ,
Thanks for the pointers.
I will have a try and let you know.
Thanks again.
Much appreciated.
Cheers,
Hi @Humashankar VJ ,
I have tried the setup on JIRA server's server.xml as to;
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1|::1|ManageEngineIPAddress"/>
There are 2 valve setups, another one is;
<Valve className="org.apache.ctalina.valves.AccessLogValve", pattern="XXXXX"/>
As well as in JIRA server's web.xml as to;
<!-- Manage Engine Monitoring Setup -->
<security-constraint>
<web-resource-collection>
<web-resource-name>MonitoringEndpoints</web-resource-name>
<url-pattern>/manager/status*</url-pattern>
<url-pattern>/manager/jmxproxy*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- Leave empty to bypass auth for specified URLs -->
</auth-constraint>
</security-constraint>
But doesn't seem to work. I am getting connection refused from the Manage Engine server invoking the URL (e.g. https://JIRA_IP:PORT/manager/jmxproxy?qry=*:type=DataSource,*). URL should be https://JIRA_IP:PORT/manager/jmxproxy*
And sometimes, not able to open up the JIRA webclient (HTTP error 403).
And also still prompting with logon prompt. It is not bypassing the user logon prompt.
Can you please let me know your comments.
Thanks,
Fidelito
There are 2 Valve setups, another one is;
<Valve className="org.apache.catalina.valves.AccessLogValve" pattern="XXXXXXX"/>
To enhance security, modify your server.xml and web.xml files. First, update server.xml to restrict access to specific IP addresses, including your ManageEngine server, using a single <Valve> element:
Add the following line, replacing <ManageEngine_IP> with your ManageEngine server's IP address:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1|::1|<ManageEngine_IP>"/>
Next, configure web.xml to allow unauthenticated access to select URLs required by ManageEngine. Apply security constraints to specific paths using:
<security-constraint>
<web-resource-collection>
<web-resource-name>MonitoringEndpoints</web-resource-name>
<url-pattern>/monitoring/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- Empty auth-constraint bypasses authentication -->
</auth-constraint>
</security-constraint>
This setup restricts access based on IP in server.xml and allows unauthenticated access to only specified monitoring endpoints in web.xml.
Restart Jira after applying these configurations and confirm the outcome.
Regards
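An added check, not part of the original answers: under the Servlet specification an <auth-constraint> element with no <role-name> inside it denies the matching URLs to every caller, while a <security-constraint> with no <auth-constraint> element at all leaves them reachable without login. The Python sketch below classifies each constraint that way and goes slightly further by also reporting the * and ** role names; the sample web.xml and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: the empty constraint from the answers above, plus one
# constraint with no <auth-constraint> and one with role "*" for contrast.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><url-pattern>/monitoring/*</url-pattern></web-resource-collection>
    <auth-constraint>
      <!-- Leave empty to bypass auth for specified URLs -->
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/status</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/manager/jmxproxy/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def effective_access(web_xml):
    """Map each url-pattern to what its constraint means at runtime."""
    # Simplification: http-method filters and overlapping constraints are not merged.
    verdicts = {}
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = next((c for c in sc if local(c.tag) == "auth-constraint"), None)
        roles = [] if auth is None else [
            r.text.strip() for r in auth if local(r.tag) == "role-name" and r.text]
        if auth is None:
            verdict = "open: no login required"
        elif not roles:
            verdict = "denied to every caller"
        elif "**" in roles:
            verdict = "login required: any authenticated user"
        elif "*" in roles:
            verdict = "login required: any role declared in web.xml"
        else:
            verdict = "login required: role " + ", ".join(roles)
        for el in sc.iter():
            if local(el.tag) == "url-pattern" and el.text:
                verdicts[el.text.strip()] = verdict
    return verdicts
```

Running effective_access() over a deployed web.xml before restarting shows which monitoring paths would be locked out and which would be left open.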
Thanks @Humashankar VJ , I will give it a try and let you know.
Thanks again, much appreciated.
Regards,
Fidelito
Hi @Humashankar VJ ,
I have tried the above suggestion but still not working.
I am getting "refused to connect".
On web.xml, this is my setup.
<!-- Manage Engine Monitoring Setup -->
<security-constraint>
<web-resource-collection>
<web-resource-name>MonitoringEndpoints</web-resource-name>
<url-pattern>/manager/jmxproxy/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- Empty auth-constraint bypasses authentication -->
</auth-constraint>
</security-constraint>
On server.xml, this is my setup; (Please note that I have 999.99.999.99 as IP for security reason)
Can you please let me know your comments.
Thanks,
Fidelito
Can you try the web.xml configuration with these minor adjustments?
XML:
<security-constraint>
<web-resource-collection>
<web-resource-name>MonitoringEndpoints</web-resource-name>
<url-pattern>/manager/jmxproxy/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
The current configuration grants unrestricted access to the /manager/jmxproxy/* endpoint, while still maintaining control through authentication constraints. Besides that, please note that the effectiveness of this setup may vary depending on your Tomcat version. If you encounter issues, verify that the endpoint is not subject to higher-level restrictions that may override these settings.
The next step, to ensure seamless connectivity, is to add the ManageEngine server's IP address to the allow list by configuring the RemoteAddrValve in the xml file. Specifically, update the following line:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1|::1|999.99.999.999|<ManageEngine_IP>"/>
Replace <ManageEngine_IP> with the actual IP address of your ManageEngine server.
For testing purposes, you can temporarily bypass restrictions by setting allow=".*", but be sure to revert to the original configuration after testing to maintain security.
Try ensuring the JMX config is as given below.
To enable JMX monitoring without authentication, modify the Tomcat configuration by adding the following parameters to the setenv.sh (Unix/Linux) or setenv.bat (Windows) file:
Add the following lines:
CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=12345 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
Replace 12345 with an available port of your choice. After updating the configuration, restart Tomcat to apply the changes. To verify JMX connectivity, use the jconsole command:
jconsole <server_IP>:12345
Replace <server_IP> with the IP address of your server.
Also check the firewall configuration: to ensure uninterrupted JMX connectivity, confirm that the designated port (12345) is open and accessible. Utilize network diagnostic tools, such as telnet or nc, to verify the port's status. Simply run the command "telnet <server_IP> 12345" to test connectivity, replacing <server_IP> with your server's IP address. A successful connection confirms the port is open and ready for JMX communication.
Finally, in ManageEngine, create a new Tomcat monitor. Enter the JIRA server's hostname or IP address as the target host. Specify port 12345, which was previously configured for JMX access. Note that authentication is not required, so leave the username and password fields blank.
Other quick tips:
For logs and troubleshooting, inspect Tomcat logs at $CATALINA_HOME/logs/catalina.out for error messages or blocked requests. To gain deeper insights, temporarily enable detailed request logging by adding the RequestDumperValve configuration to your server.xml file. This valve provides comprehensive information on incoming requests, helping identify issues.
Hope this helps !!
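An added audit sketch, not from the original answer: it reads the jmxremote flags out of a setenv.sh and reports when the remote JMX port accepts connections without credentials or without TLS, in which case the port is protected only by network filtering. The hardened sample line, its file paths and the function names are constructed for illustration.

```python
import re

# Constructed setenv.sh contents: the line from the answer above, and a
# hardened variant (file paths are placeholders).
AS_POSTED = ('CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote '
             '-Dcom.sun.management.jmxremote.port=12345 '
             '-Dcom.sun.management.jmxremote.authenticate=false '
             '-Dcom.sun.management.jmxremote.ssl=false"')
HARDENED = ('# JMX for the monitoring server only\n'
            'CATALINA_OPTS="$CATALINA_OPTS -Dcom.sun.management.jmxremote.port=12345 '
            '-Dcom.sun.management.jmxremote.authenticate=true '
            '-Dcom.sun.management.jmxremote.ssl=true '
            '-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password '
            '-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access"')

# Matches the bare flag as well as jmxremote.<name>=<value>.
JMX_FLAG = re.compile(r"-Dcom\.sun\.management\.jmxremote(?:\.([\w.]+))?(?:=([^\s\"']+))?")

def jmx_properties(setenv_text):
    """Collect jmxremote.* system properties from non-comment lines."""
    props = {}
    for line in setenv_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for name, value in JMX_FLAG.findall(line):
            props[name or "enabled"] = value or "true"
    return props

def audit_jmx(setenv_text):
    """Return findings for a remote JMX listener.

    The JVM defaults both authenticate and ssl to true once a port is set,
    so only an explicit 'false' is reported.
    """
    props = jmx_properties(setenv_text)
    if "port" not in props:
        return []  # no remote listener configured
    findings = []
    if props.get("authenticate", "true").lower() == "false":
        findings.append(f"port {props['port']}: no credentials required")
    if props.get("ssl", "true").lower() == "false":
        findings.append(f"port {props['port']}: traffic is not encrypted")
    return findings
```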
Hi @Humashankar VJ ,
Thanks for the updates.
I will try these out and let you know the outcome.
Your effort is much appreciated.
Regards,
Fidelito
Hi @Humashankar VJ ,
I have tried all the setups as mentioned above.
JIRA service is coming up and running.
But from Manage Engine I am getting " Failed. Kindly provide the details of username/password of the user with Manager role. Please check the user in tomcat-users.xml file."
Here is my tomcat-users.xml;
</tomcat-users>
Anything I need to do further?
Please let me know your comments.
Thanks,
Fidelito
Thanks for giving it a try. Let me look further into this and keep you posted.
Regards