---
title: Connecting to a remote process
description: Use the remote process option to establish a connection when the PingAccess server is running as a Windows service, or if the com.pingidentity.pa.cli.Starter class is unavailable in the Local Process list.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_monitoring_guide:pa_connecting_to_a_remote_process
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_monitoring_guide/pa_connecting_to_a_remote_process.html
revdate: January 12, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  troubleshooting: Troubleshooting:
---

# Connecting to a remote process

Use the remote process option to establish a connection when the PingAccess server is running as a Windows service, or if the `com.pingidentity.pa.cli.Starter` class is unavailable in the **Local Process** list.

## About this task

Use these instructions to configure the remote process option to establish a connection. For demonstration purposes, the following task uses a Lightweight Directory Access Protocol (LDAP) configuration.

|   |   |
| - | - |
|   | No direct configuration support is provided for enabling remote access to Java Management Extensions (JMX) for the PingAccess server. To enable this level of access, use the built-in options that are available through the Java Virtual Machine (JVM). For more information, see [Monitoring and Management Using JMX Technology](https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html) in the Oracle Java Development Kit (JDK) documentation. |

## Steps

1. In the `jvm-memory.options` file for the PingAccess server, add the following text at the end of the last memory settings:

   ```
   # Settings to enable remote access to JMX
   -Dcom.sun.management.jmxremote.port=5000
   # Name of the JAAS login configuration entry defined in ldap.config
   -Dcom.sun.management.jmxremote.login.config=ExampleCompanyConfig
   # Configuration is assumed to be in the conf folder, relative path used
   -Djava.security.auth.login.config=conf/ldap.config
   # SSL is turned off here for initial testing only
   -Dcom.sun.management.jmxremote.ssl=false
   ```

   |   |                                                                                                                                                          |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Each entry must reside on its own line. In this example, a relative path is used for the `ldap.config` file. Some deployments might require a full path. |

   |   |   |
   | - | - |
   |   | In a production environment, use Secure Sockets Layer (SSL). SSL is disabled in this example only for initial testing and debugging. For information about setting up SSL, see [Monitoring and Management Using JMX Technology](https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html) in the Oracle JDK documentation. |

2. Create the `ldap.config` file.

   ```
   ExampleCompanyConfig {
       com.sun.security.auth.module.LdapLoginModule REQUIRED
       userProvider="ldaps://ldap.server:port/OU=where,OU=users,OU=located"
       userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))"
       authIdentity="uid={USERNAME},OU=where,OU=users,OU=located"
       authzIdentity=monitorRole
       useSSL=true;
       };
   ```

   |   |                                                                                                                                                                                                                                                                                                                                                    |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Each entry must reside on its own line. In this example, `ldap.config` is placed in the PingAccess `conf` folder. If your JVM setup trusts the certificates, you can use SSL. Because of the `authIdentity` option, the configuration binds as the user that you enter. Otherwise, an anonymous bind validates the user name but not the password. |

3. Place the `ldap.config` file that you created in step 2 in a location from which the PingAccess process can read it at startup.

4. If you have a clustered PingAccess environment:

   1. Perform steps 1 - 3 on each node in the cluster.

   2. Restart each node.

5. After you enable the JMX service, connect to the remote JMX service by specifying one of the following:

   ### Choose from:

   * The name of the PingAccess server instance

   * The Internet Protocol (IP) address, port, and authentication credentials.

     ![A screen capture of the JConsole: New Connection window for connecting through a remote process.](_images/wcy1580499695401.png)

     |   |   |
     | - | - |
     |   | Because JMX uses SSL by default when communicating with a remote host, the client host must trust the SSL certificate that is presented during setup for JMX. If the JMX client does not trust the JMX certificate, it displays the following message: `ConnectionFailedSSL1` |

   ![A screen capture of the failed connection error message.](_images/odg1580499734034.png)

### Troubleshooting:

1. If SSL is enabled, import the JMX SSL certificate to the client's trusted certificates.

2. If SSL is disabled, click **Insecure** to connect.
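
To check the step 1 settings before a node leaves initial testing, the following added example (not part of the PingAccess documentation or product) audits the text of a `jvm-memory.options` file for remote JMX settings that weaken the connection. The function names and the `SAMPLE` text are constructed for illustration; `com.sun.management.jmxremote.authenticate` is a standard JVM property that the steps above do not set.

```python
import re

# Constructed sample: the step 1 settings as they would appear in jvm-memory.options.
SAMPLE = """\
#Settings to enable remote access to JMX
-Dcom.sun.management.jmxremote.port=5000
-Dcom.sun.management.jmxremote.login.config=ExampleCompanyConfig
-Djava.security.auth.login.config=conf/ldap.config
-Dcom.sun.management.jmxremote.ssl=false
"""

PREFIX = "com.sun.management.jmxremote."

def parse_options(text):
    """Return {property: value} for every -Dname=value line; other lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*-D([^=\s]+)=(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_jmx(text):
    """Return a list of findings for the remote JMX settings in an options file."""
    props = parse_options(text)
    findings = []
    if PREFIX + "port" not in props:
        return findings  # remote JMX is not enabled, nothing to audit
    for name, value in props.items():
        # An unbalanced quote in a value is almost certainly a copy/paste error.
        if value.count('"') % 2:
            findings.append(f"stray quote in {name}")
    # SSL and authentication both default to true once the port is set.
    if props.get(PREFIX + "ssl", "true").strip('"').lower() == "false":
        findings.append("ssl disabled: credentials and data cross the network in clear text")
    if props.get(PREFIX + "authenticate", "true").strip('"').lower() == "false":
        findings.append("authentication disabled: any client that reaches the port can connect")
    login = props.get(PREFIX + "login.config")
    if login and "java.security.auth.login.config" not in props:
        findings.append(f"login.config={login} set but no JAAS file configured")
    return findings

if __name__ == "__main__":
    for finding in audit_jmx(SAMPLE):
        print(finding)
```

An empty result for a file that sets the JMX port means SSL and authentication are left at their secure defaults and the JAAS entry has a configuration file behind it.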
