Java: Difference between revisions
Latest revision as of 08:15, 23 September 2022
Java information
To list keys in java keystore.
/usr/java/jre1.6.0_03/bin/keytool -list -keystore /usr/java/jre1.6.0_03/lib/security/cacerts
look deeper at certificates
/usr/java/latest/jre/bin/keytool -list -keystore /usr/java/jdk1.6.0_45/jre/lib/security/cacerts -storepass changeit -v -alias my_nice_certificate
Import key in java keystore.
openssl x509 -outform der -in certificate.pem -out certificate.der
keytool -import -alias your-alias -keystore cacerts -file certificate.der
Copy certificate to file
keytool -export -alias special_private_key -file special_private_key.crt -keystore cacerts
Import keys from one javastore to another
/usr/java/jdk1.6.0_45/bin/keytool -importkeystore -srckeystore /tmp/cacerts -destkeystore /usr/java/jdk1.6.0_45/jre/lib/security/cacerts -srcstorepass changeit -deststorepass changeit -srcalias special_private_key
remove key from keystore
keytool -delete -keystore myfile.jks -alias 'alias_from_keytool_-list'
change password of keystore
/usr/java/jdk1.8.0_111/bin/keytool -importkeystore -srckeystore java-keystore.jks -destkeystore java-keystore.jks.password.change -srcstoretype jks -deststoretype jks -srcstorepass changeit -deststorepass s3cur3 -srcalias keystore -destalias keystore -srckeypass changeit -destkeypass s3cur3
test keystore
/apps/java/latest/bin/java -classpath /home/abjorklund/ -Djavax.net.ssl.trustStore=/usr/java/jdk1.6.0_45/jre/lib/security/cacerts SSLPoke www.halfface.se 443
Change password on alias abcd
keytool -keypasswd -alias abcd -keystore keystore.jks -storepass blablabla
List content of der.
openssl x509 -in BPClass3RootCA.cer -inform der -noout -text
show jar file signing
jarsigner -verify -verbose -certs file.jar
modify settings
jcontrol
connect via jmx
jconsole
connect to jvm
jvisualvm
java options
Sets the initial memory size
-Xms256m / -ms256m
Specifies the maximum memory size
-Xmx2048m / -mx2048m
Max memory usage
Max memory = [-Xmx] + [-XX:MaxPermSize] + number_of_threads * [-Xss]
install java
#!/bin/bash
JDK_VERSION=8u71
JDK_BUILD_VERSION=b15
cd /tmp
curl -LO "http://download.oracle.com/otn-pub/java/jdk/$JDK_VERSION-$JDK_BUILD_VERSION/jdk-$JDK_VERSION-linux-x64.rpm" -H 'Cookie: oraclelicense=accept-securebackup-cookie'
rpm -i jdk-$JDK_VERSION-linux-x64.rpm
rm -f jdk-$JDK_VERSION-linux-x64.rpm
heap utilization
jstat -gc ${PID}
stack trace
Error output in logfile.
multicast test
host1: java MulticastReceiver
Starting multicast receiver in group 224.1.0.1 on port 14454
hello
how are you
On host2:
host2: java MulticastSender
hello
how are you
Garbage Collection
PSYoungGen refers to the garbage collector in use for the minor collection. PS stands for Parallel Scavenge. The first set of numbers are the before/after sizes of the young generation and the second set are for the entire heap. (Diagnosing a Garbage Collection problem details the format) The name indicates the generation and collector in question, the second set are for the entire heap.
An example of an associated full GC also shows the collectors used for the old and permanent generations:
3.757: [Full GC [PSYoungGen: 2672K->0K(35584K)] [ParOldGen: 3225K->5735K(43712K)] 5898K->5735K(79296K) [PSPermGen: 13533K->13516K(27584K)], 0.0860402 secs]
Finally, breaking down one line of your example log output:
8109.128: [GC [PSYoungGen: 109884K->14201K(139904K)] 691015K->595332K(1119040K), 0.0454530 secs]
107Mb used before GC, 14Mb used after GC, max young generation size 137Mb
675Mb heap used before GC, 581Mb heap used after GC, 1Gb max heap size
minor GC occurred 8109.128 seconds since the start of the JVM and took 0.04 seconds
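The same breakdown can be produced for a whole log. This shell function is an added example, not part of the original page: it parses Parallel Scavenge GC lines in the format shown above and prints young-generation and heap figures in MB, using the two log lines quoted on this page as sample input. The names sample_gc_lines and gc_summary are invented for the example.

```shell
# The two GC log lines quoted on this page, used as sample input.
sample_gc_lines() {
    cat <<'EOF'
3.757: [Full GC [PSYoungGen: 2672K->0K(35584K)] [ParOldGen: 3225K->5735K(43712K)] 5898K->5735K(79296K) [PSPermGen: 13533K->13516K(27584K)], 0.0860402 secs]
8109.128: [GC [PSYoungGen: 109884K->14201K(139904K)] 691015K->595332K(1119040K), 0.0454530 secs]
EOF
}

# gc_summary: read GC log lines on stdin and print one summary per collection:
#   <uptime> <minor|full> young=<before>-><after>/<capacity>MB heap=... pause=<secs>s
gc_summary() {
    awk '
        # "PSYoungGen: 109884K->14201K(139904K)" -> out[1..3] = before, after, capacity (KB)
        function triple(s, out) {
            gsub(/[^0-9]+/, " ", s)
            return split(s, out, " ")
        }
        function mb(kb) { return sprintf("%.0f", kb / 1024) }
        /PSYoungGen:/ {
            ts = $1; sub(/:$/, "", ts)
            kind = index($0, "[Full GC") ? "full" : "minor"
            # Young generation figures follow the collector name.
            if (!match($0, /PSYoungGen: [0-9]+K->[0-9]+K\([0-9]+K\)/)) next
            triple(substr($0, RSTART, RLENGTH), y)
            # Whole-heap figures are the unnamed triple right after a "] ".
            if (!match($0, /\] [0-9]+K->[0-9]+K\([0-9]+K\)/)) next
            triple(substr($0, RSTART, RLENGTH), h)
            # The pause is the number in front of " secs]".
            if (!match($0, /[0-9.]+ secs\]/)) next
            pause = substr($0, RSTART, RLENGTH - 6)
            printf "%s %s young=%s->%s/%sMB heap=%s->%s/%sMB pause=%ss\n",
                ts, kind, mb(y[1]), mb(y[2]), mb(y[3]), mb(h[1]), mb(h[2]), mb(h[3]), pause
        }
    '
}

sample_gc_lines | gc_summary
```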
look at memory usage
jmap -heap 7312
heap dump
You need to wait for the heap dump to complete. Based on the size of the heap it may take a few seconds to several minutes. At least once, it took 20 minutes for me (size of the dump was around 10G if I remember correctly). You may try the "-dump:live" option, which will dump only the live objects and no garbage.
jmap -F -dump:live,format=b,file=<file_name.hprof> <rdu_process_id>
disable ipv6
Add this startup option.
-Djava.net.preferIPv4Stack=true
url exception allow
~/.java/deployment/security/exception.sites
allow old encryption
grep '###' /usr/java/jdk1.8.0_202-amd64/jre/lib/security/java.security
### jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
### RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
### jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
### jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
### EC keySize < 224, 3DES_EDE_CBC, anon, NULL
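The lines in the grep output carry a ### prefix, so Java reads them as comments and the restrictions they define are not applied. As an added example (not from the original page), this shell function reports which restriction properties in a java.security file have no active definition. The sample content is constructed from the lines shown above, with jdk.jar.disabledAlgorithms left active for contrast, and the function names are invented here.

```shell
# Constructed sample: java.security fragment with two properties commented
# out as in the grep output above and one left active for contrast.
sample_java_security() {
    cat <<'EOF'
### jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
###     RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
### jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
###     EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
}

# audit_disabled_algs: read a java.security file on stdin and print, for each
# restriction property, whether an uncommented definition exists.
# Exit status is 1 when at least one property has no active definition.
audit_disabled_algs() {
    awk '
        BEGIN { n = split("certpath jar tls", kind, " ") }
        /^[ \t]*[#!]/ { next }                      # comments, including "###"
        cont { cont = ($0 ~ /\\$/); next }          # continuation of a value
        {
            key = $0
            sub(/^[ \t]+/, "", key)                 # leading whitespace
            sub(/[ \t]*[=:].*$/, "", key)           # keep only the property name
            active[key] = 1
            cont = ($0 ~ /\\$/)                     # value continues on next line
        }
        END {
            for (i = 1; i <= n; i++) {
                p = "jdk." kind[i] ".disabledAlgorithms"
                if (p in active) print p ": active"
                else { print p ": no active definition"; bad++ }
            }
            exit (bad > 0)
        }
    '
}

sample_java_security | audit_disabled_algs || true
```

Against a real installation, feed it the file directly: audit_disabled_algs < /path/to/java.security.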
logfile analyze
Look in between dates for a string.
cat /catalina.out | tr -d '\n' | sed 's/\(\[[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\},[0-9]\{3\}\]\)/\n\1/g' | grep OutOfMemoryError
enable jmx monitoring
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=8099
-Dcom.sun.management.jmxremote.rmi.port=8099
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.rmi.server.hostname=127.0.0.1
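These flags turn off both authentication and TLS for the JMX connector, and java.rmi.server.hostname only sets the host name written into RMI stubs, it does not restrict the address the port listens on. As an added example (not from the original page), this shell function audits a JVM argument string, such as the output of jcmd $pid VM.command_line, for those settings. The names jmx_prop and jmx_audit and the DEFAULT_FLAGS sample are invented here.

```shell
# Flags exactly as listed on this page.
PAGE_FLAGS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8099 -Dcom.sun.management.jmxremote.rmi.port=8099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=127.0.0.1"
# Constructed contrast: same port, authentication and TLS left at their defaults.
DEFAULT_FLAGS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8099"

# jmx_prop NAME "ARGS": print the value of the last -DNAME=value in ARGS.
jmx_prop() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^-D$1=//p" | tail -n 1
}

# jmx_audit "ARGS": print findings for remote JMX settings.
# Returns 1 when a remote port is open without authentication or without TLS.
jmx_audit() {
    port=$(jmx_prop com.sun.management.jmxremote.port "$1")
    if [ -z "$port" ]; then
        echo "ok: no remote JMX port configured"
        return 0
    fi
    rc=0
    # Both settings default to true, so only an explicit false weakens them.
    if [ "$(jmx_prop com.sun.management.jmxremote.authenticate "$1")" = "false" ]; then
        echo "risk: port $port accepts JMX connections without authentication"
        rc=1
    fi
    if [ "$(jmx_prop com.sun.management.jmxremote.ssl "$1")" = "false" ]; then
        echo "risk: port $port carries JMX traffic without TLS"
        rc=1
    fi
    host=$(jmx_prop java.rmi.server.hostname "$1")
    if [ -n "$host" ]; then
        # Only the host name in RMI stubs changes; the listener is not bound to it.
        echo "note: java.rmi.server.hostname=$host does not bind the listener to that address"
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: remote JMX on port $port keeps authentication and TLS enabled"
    fi
    return "$rc"
}

jmx_audit "$PAGE_FLAGS" || true
```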
troubleshoot ssl ciphers compatibility
List supported ciphers on source.
$ nmap --script ssl-enum-ciphers -p 443 www.example.com
Starting Nmap 5.51 ( http://nmap.org ) at 2019-05-11 06:20 GMT
Nmap scan report for api-paas.ipcenter.com (208.82.199.71)
Host is up (0.00032s latency).
rDNS record for 208.82.199.71: paas.ipcenter.com
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (2)
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds
[2019-05-11 06:20:12 root@produtil01.paas.ny1.ipcenter.com:/tmp/nmap]
List ciphers provided via java.
/usr/java/jdk1.8.0_121/jre/bin/java -Dcom.sun.net.ssl.enableECC=false -Djavax.net.debug=ssl -classpath /home/abjorklund/bin -Djavax.net.ssl.trustStore=/usr/java/jdk1.8.0_121/jre/lib/security/cacerts SSLPoke www.example.com 443
jtrack
capture thread dumps
dump when out of memory
-XX:+HeapDumpOnOutOfMemoryError
send diagnostic command requests to the JVM
List available module.
jcmd $pid help
List threads
jcmd $pid Thread.print
Enable memory queries
-XX:NativeMemoryTracking=summary
Query with:
jcmd $pid VM.native_memory summary