I run Tomcat 8 using JDK 8 on CentOS 6.
I enable JMX using the following options:
CATALINA_OPTS="${CATALINA_OPTS} -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9123 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.local.only=true"
Unfortunately, when I check which ports are open, I discover that these ports listen on all IPs:
netstat -plunt | grep java
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::60555 :::* LISTEN 22752/java
tcp 0 0 ::ffff:127.0.0.1:8080 :::* LISTEN 22752/java
tcp 0 0 :::9123 :::* LISTEN 22752/java
tcp 0 0 :::40867 :::* LISTEN 22752/java
I suppose that if I configure -Dcom.sun.management.jmxremote.local.only=true, all ports should be bound to localhost only (::ffff:127.0.0.1 will appear before all ports).
How do I configure JMX to bind to localhost only?
Added
I do not create JMX; I use Tomcat JMX: https://tomcat.apache.org/tomcat-8.0-doc/monitoring.html.
Solution
As far as I understand this answer and read Oracle's docs about it, there seems to be no way to configure it without coding. This says in the chapter "Connector server attributes":
When using the default JRMP transport, RMI socket factories can be
specified using the attributes jmx.remote.rmi.client.socket.factory
and jmx.remote.rmi.server.socket.factory in the environment given to
the RMIConnectorServer constructor. The values of these attributes
must be of type RMIClientSocketFactory and RMIServerSocketFactory,
respectively. These factories are used when creating the RMI objects
associated with the connector.
The only option I see is to implement a custom factory like here and pass the classname to the property along with the JAR/class in classpath.
Correct me if I am wrong.