Latest revision as of 08:15, 23 September 2022
Java information
To list keys in java keystore.
/usr/java/jre1.6.0_03/bin/keytool -list -keystore /usr/java/jre1.6.0_03/lib/security/cacerts
look deeper at certificates
/usr/java/latest/jre/bin/keytool -list -keystore /usr/java/jdk1.6.0_45/jre/lib/security/cacerts -storepass changeit -v -alias my_nice_certificate
Import key in java keystore.
openssl x509 -outform der -in certificate.pem -out certificate.der
keytool -import -alias your-alias -keystore cacerts -file certificate.der
Copy certificate to file
keytool -export -alias special_private_key -file special_private_key.crt -keystore cacerts
Import keys from one java keystore to another
/usr/java/jdk1.6.0_45/bin/keytool -importkeystore -srckeystore /tmp/cacerts -destkeystore /usr/java/jdk1.6.0_45/jre/lib/security/cacerts -srcstorepass changeit -deststorepass changeit -srcalias special_private_key
remove key from keystore
keytool -delete -keystore myfile.jks -alias 'alias_from_keytool_-list'
change password of keystore
/usr/java/jdk1.8.0_111/bin/keytool -importkeystore -srckeystore java-keystore.jks -destkeystore java-keystore.jks.password.change -srcstoretype jks -deststoretype jks -srcstorepass changeit -deststorepass s3cur3 -srcalias keystore -destalias keystore -srckeypass changeit -destkeypass s3cur3
test keystore
/apps/java/latest/bin/java -classpath /home/abjorklund/ -Djavax.net.ssl.trustStore=/usr/java/jdk1.6.0_45/jre/lib/security/cacerts SSLPoke www.halfface.se 443
Change password on alias abcd
keytool -keypasswd -alias abcd -keystore keystore.jks -storepass blablabla
List content of der.
openssl x509 -in BPClass3RootCA.cer -inform der -noout -text
show jar file signing
jarsigner -verify -verbose -certs file.jar
modify settings
jcontrol
connect via jmx
jconsole
connect to jvm
jvisualvm
java options
Sets the initial memory size
-Xms256m / -ms256m
Specifies the maximum memory size
-Xmx2048m / -mx2048m
Max memory usage
Max memory = [-Xmx] + [-XX:MaxPermSize] + number_of_threads * [-Xss]
install java
#!/bin/bash
JDK_VERSION=8u71
JDK_BUILD_VERSION=b15
cd /tmp
curl -LO "http://download.oracle.com/otn-pub/java/jdk/$JDK_VERSION-$JDK_BUILD_VERSION/jdk-$JDK_VERSION-linux-x64.rpm" -H 'Cookie: oraclelicense=accept-securebackup-cookie'
rpm -i jdk-$JDK_VERSION-linux-x64.rpm
rm -f jdk-$JDK_VERSION-linux-x64.rpm
heap utilization
jstat -gc ${PID}
stack trace
Error output in logfile.
multicast test
host1: java MulticastReceiver
Starting multicast receiver in group 224.1.0.1 on port 14454
hello how are you
On host2:
host2: java MulticastSender hello how are you
Garbage Collection
PSYoungGen refers to the garbage collector in use for the minor collection. PS stands for Parallel Scavenge. The name indicates the generation and collector in question. The first set of numbers are the before/after sizes of the young generation and the second set are for the entire heap. ("Diagnosing a Garbage Collection problem" details the format.)
An example of an associated full GC also shows the collectors used for the old and permanent generations:
3.757: [Full GC [PSYoungGen: 2672K->0K(35584K)] [ParOldGen: 3225K->5735K(43712K)] 5898K->5735K(79296K) [PSPermGen: 13533K->13516K(27584K)], 0.0860402 secs]
Finally, breaking down one line of example log output:
8109.128: [GC [PSYoungGen: 109884K->14201K(139904K)] 691015K->595332K(1119040K), 0.0454530 secs]
107Mb used before GC, 14Mb used after GC, max young generation size 137Mb
675Mb heap used before GC, 581Mb heap used after GC, 1Gb max heap size
minor GC occurred 8109.128 seconds since the start of the JVM and took 0.04 seconds
look at memory usage
jmap -heap 7312
heap dump
You need to wait for the heap dump to complete. Depending on the size of the heap, it may take a few seconds to several minutes. At least once, it took 20 minutes for me (the size of the dump was around 10G if I remember correctly). You may try the "-dump:live" option, which dumps only the live objects and no garbage. Add -F only when the process does not respond; the live suboption is not supported in that mode.
jmap -dump:live,format=b,file=<file_name.hprof> <rdu_process_id>
disable ipv6
Add this startup option.
-Djava.net.preferIPv4Stack=true
url exception allow
~/.java/deployment/security/exception.sites
allow old encryption
grep '###' /usr/java/jdk1.8.0_202-amd64/jre/lib/security/java.security
### jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
### RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
### jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
### jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
### EC keySize < 224, 3DES_EDE_CBC, anon, NULL
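Added example, not part of the original notes: lines prefixed with ### are comments, so those restrictions are switched off. This check reports which of the three properties are still in effect in a java.security file and which TLS entries from the list above are missing. The function names and the sample file are constructed, and it assumes key=value lines without spaces around "=".

```shell
#!/bin/bash
# Added example: audit a java.security file for disabledAlgorithms properties
# that are no longer in effect.

# Effective value of property $2 in file $1: comment lines are ignored,
# "\" continuations are joined, and the last definition wins.
effective_value() {
    awk -v key="$2" '
        buf == "" && /^[ \t]*[#!]/ { next }
        { line = buf $0; buf = "" }
        line ~ /\\$/ { sub(/\\$/, "", line); buf = line; next }
        index(line, key "=") == 1 { v = substr(line, length(key) + 2) }
        END { gsub(/[ \t]*,[ \t]*/, ", ", v); print v }
    ' "$1"
}

# Protocol and cipher entries from the jdk1.8.0_202 TLS list shown on this page.
TLS_EXPECTED="SSLv3 RC4 DES MD5withRSA 3DES_EDE_CBC anon NULL"

# Print one line per property and per missing TLS entry; return 1 on findings.
audit_java_security() {
    local file="$1" prop value tok rc=0
    for prop in jdk.certpath.disabledAlgorithms jdk.jar.disabledAlgorithms \
                jdk.tls.disabledAlgorithms; do
        value=$(effective_value "$file" "$prop")
        if [ -z "$value" ]; then echo "INACTIVE $prop"; rc=1; continue; fi
        echo "ACTIVE   $prop"
        [ "$prop" = jdk.tls.disabledAlgorithms ] || continue
        for tok in $TLS_EXPECTED; do
            case ", $value," in
                *", $tok,"*) ;;
                *) echo "MISSING  $tok in $prop"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample: certpath and jar lists commented out with ### as above,
# TLS list active but with RC4 and 3DES_EDE_CBC taken out.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
### jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
###     RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
### jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, anon, NULL
EOF
audit_java_security "$sample" || echo "restrictions weakened in $sample"
```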
logfile analyze
Put each timestamped log entry on one line, then search the entries for a string.
cat /catalina.out | tr -d '\n' | sed 's/\(\[[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\},[0-9]\{3\}\]\)/\n\1/g' | grep OutOfMemoryError
enable jmx monitoring
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8099 -Dcom.sun.management.jmxremote.rmi.port=8099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=127.0.0.1
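Added example, not part of the original notes: the flags above switch off both authentication and TLS on the JMX port. This check reads a JVM argument string and reports the two settings, applying the JVM defaults (both true) when a flag is absent. The function names, the hardened argument string and its password file path are constructed.

```shell
#!/bin/bash
# Added example: flag JVM argument strings that expose remote JMX without
# authentication or TLS.

# Value of -D<name>=<value> in the argument string $1, or $3 when not set.
jvm_prop() {
    local args="$1" name="$2" value="$3" word
    for word in $args; do
        case $word in
            "-D$name="*) value=${word#"-D$name="} ;;   # last occurrence wins
        esac
    done
    printf '%s\n' "$value"
}

# Print one line per weak setting; return 1 if any were found.
jmx_findings() {
    local args="$1" port rc=0
    port=$(jvm_prop "$args" com.sun.management.jmxremote.port "")
    [ -n "$port" ] || { echo "OK remote JMX not enabled"; return 0; }
    # Both settings default to true once a remote port is configured.
    if [ "$(jvm_prop "$args" com.sun.management.jmxremote.authenticate true)" = false ]; then
        echo "FINDING port $port: authentication disabled"; rc=1
    fi
    if [ "$(jvm_prop "$args" com.sun.management.jmxremote.ssl true)" = false ]; then
        echo "FINDING port $port: TLS disabled"; rc=1
    fi
    [ $rc -eq 1 ] || echo "OK port $port: authentication and TLS in effect"
    return $rc
}

# The flags from this page, then a constructed variant that keeps the defaults
# and names a password file (placeholder path).
page_flags='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8099 -Dcom.sun.management.jmxremote.rmi.port=8099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=127.0.0.1'
hardened='-Dcom.sun.management.jmxremote.port=8099 -Dcom.sun.management.jmxremote.rmi.port=8099 -Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password'
jmx_findings "$page_flags" || true
jmx_findings "$hardened"
```

To check running JVMs, feed the function one line at a time from `ps -eo args`.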
troubleshoot ssl ciphers compatibility
list supported ciphers on source.
$ nmap --script ssl-enum-ciphers -p 443 www.example.com
Starting Nmap 5.51 ( http://nmap.org ) at 2019-05-11 06:20 GMT
Nmap scan report for api-paas.ipcenter.com (208.82.199.71)
Host is up (0.00032s latency).
rDNS record for 208.82.199.71: paas.ipcenter.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (2)
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|     Compressors (1)
|_      uncompressed
Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds
[2019-05-11 06:20:12 root@produtil01.paas.ny1.ipcenter.com:/tmp/nmap]
List ciphers provided via java.
/usr/java/jdk1.8.0_121/jre/bin/java -Dcom.sun.net.ssl.enableECC=false -Djavax.net.debug=ssl -classpath /home/abjorklund/bin -Djavax.net.ssl.trustStore=/usr/java/jdk1.8.0_121/jre/lib/security/cacerts SSLPoke www.example.com 443
jtrack
capture thread dumps
dump when out of memory
-XX:+HeapDumpOnOutOfMemoryError
send diagnostic command requests to the JVM
List available diagnostic commands.
jcmd $pid help
List threads
jcmd $pid Thread.print
Enable memory queries
-XX:NativeMemoryTracking=summary
Query with:
jcmd $pid VM.native_memory summary