Watching Java Applications' Heap over SSH
Ever want to peek into a production Tomcat server's memory, but couldn't get around the firewall? Millions of new debug statements couldn't get you the information that you so desperately needed? — Me too.
Here's how to get around it:
Let's assume your production server is located in a network segment that you can only access through a dedicated login server that is part of both your network and the production network. Let's also assume you have access to any production server over SSH via that login server, using public key authentication and key forwarding. Then you can actually rely on SSH's dynamic proxy capabilities to get to live performance data.
Simply issue the following command to open a dynamic proxy on port 9494 of your host:
ssh -D 9494 loginserver
Next, start JVisualVM using that port as proxy and within JVisualVM, open a connection to the desired host (that production server that you wanted to look into) by right clicking on "Remote".
Note: Most likely your computer will not use the same DNS server as your production network and will thus not be able to resolve host names in that network. Therefore you will need to know the host's IP address.
jvisualvm -J-Dnetbeans.system_socks_proxy=localhost:9494 -J-Djava.net.useSystemProxies=true
If you want to use JConsole — JVisualVM actually has a JConsole plugin, so you don't really need to, but you probably have your reasons — this is how it's done:
jconsole -J-DsocksProxyHost=localhost -J-DsocksProxyPort=9494