Postinstallation Tasks in the Denodo Web Container

By default, the monitoring interface - Java Management Extensions (JMX) - of the Denodo web container (Apache Tomcat) does not require authentication to connect to it.

To enable authentication in this interface, follow these steps:

  1. Stop all the Denodo Platform servers. The goal is to stop the web container of Denodo. It is important to stop them all so the Denodo web container is stopped as well. If for example, you leave the Information Self-Service started, the web container will not shut down and the changes in the file tomcat.properties will not take effect.

  2. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/tomcat.properties and set the property com.denodo.tomcat.jmx.auth.enabled to true.

  3. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/jmxremote.access (value of the property com.denodo.tomcat.jmx.auth.access.file).

    Make sure this file contains at least one line for the role controlRole with the readwrite access level. That is, at least one line of this file is like this:

    controlRole readwrite
    

    Any other role definitions are optional. See https://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html for details on JMX access files.

  4. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/jmxremote.password (value of the property com.denodo.tomcat.jmx.auth.password.file).

    In this file, the line that starts with controlRole contains the password of that user.

    So if the line is like this:

    controlRole denodojmx
    

    The password is “denodojmx”. That meant that, for a monitoring application that wants to monitor the web container, the user name will be controlRole and the password denodojmx. To change the password, replace “denodojmx” with the desired password.

    This file must contain an entry for all the roles defined in the file “jmxremote.access”. See https://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html for details on JMX password files.

  5. Change the privileges of the file <DENODO_HOME>/resources/apache-tomcat/conf/jmxremote.password so it can only be read by the same user account that starts the Denodo servers.

    To do this, execute these commands:

    • On Linux, run the following from the user account that starts the Denodo servers:
    chmod 600 <DENODO_HOME>/resources/apache-tomcat/conf/jmxremote.password
    
    • On Windows, right-click the icon Command Prompt of the Windows menu and click Run as administrator.

      In these prompt, run the following commands (replace <denodo_user> with the user account with which the Denodo servers are started):

    cd <DENODO_HOME>\resources\apache-tomcat\conf\
    icacls jmxremote.password /setowner <denodo_user>
    icacls jmxremote.password /grant <denodo_user>:F
    icacls jmxremote.password /inheritance:r