Java: Difference between revisions

From Halfface

Latest revision as of 08:15, 23 September 2022

Java information

To list keys in java keystore.

/usr/java/jre1.6.0_03/bin/keytool --list --keystore /usr/java/jre1.6.0_03/lib/security/cacerts

look deeper at certificates

/usr/java/latest/jre/bin/keytool -list -keystore /usr/java/jdk1.6.0_45/jre/lib/security/cacerts -storepass changeit -v --alias my_nice_certificate

Import key in java keystore.

openssl x509 -outform der -in certificate.pem -out certificate.der
keytool -import -alias your-alias -keystore cacerts -file certificate.der

Copy certificate to file

keytool -export -alias special_private_key -file special_private_key.crt -keystore cacerts

Import keys from one javastore to another

/usr/java/jdk1.6.0_45/bin/keytool -importkeystore -srckeystore /tmp/cacerts -destkeystore /usr/java/jdk1.6.0_45/jre/lib/security/cacerts -srcstorepass changeit -deststorepass changeit -srcalias special_private_key

remove key from keystore

keytool -delete -keystore myfile.jks -alias 'alias_from_keytool_-list'

change password of keystore

/usr/java/jdk1.8.0_111/bin/keytool -importkeystore -srckeystore java-keystore.jks -destkeystore java-keystore.jks.password.change -srcstoretype jks -deststoretype jks -srcstorepass changeit -deststorepass s3cur3 -srcalias keystore -destalias keystore -srckeypass changeit -destkeypass s3cur3

test keystore

/apps/java/latest/bin/java -classpath /home/abjorklund/ -Djavax.net.ssl.trustStore=/usr/java/jdk1.6.0_45/jre/lib/security/cacerts SSLPoke www.halfface.se 443

Change password on alias abcd

keytool -keypasswd -alias abcd -keystore keystore.jks -storepass blablabla

List content of der.

openssl x509 -in BPClass3RootCA.cer -inform der -noout -text

show jar file signing

jarsigner -verify -verbose -certs file.jar

modify settings

jcontrol

connect via jmx

jconsole

connect to jvm

jvisualvm

java options

Sets the initial memory size

-Xms256m / -ms256m

Specifies the maximum memory size

-Xmx2048m / -mx2048m

Max memory usage

Max memory = [-Xmx] + [-XX:MaxPermSize] + number_of_threads * [-Xss]

install java

#!/bin/bash
JDK_VERSION=8u71
JDK_BUILD_VERSION=b15
cd /tmp
curl -LO "http://download.oracle.com/otn-pub/java/jdk/$JDK_VERSION-$JDK_BUILD_VERSION/jdk-$JDK_VERSION-linux-x64.rpm" -H 'Cookie: oraclelicense=accept-securebackup-cookie'
rpm -i jdk-$JDK_VERSION-linux-x64.rpm
rm -f jdk-$JDK_VERSION-linux-x64.rpm

heap utilization

jstat -gc ${PID}

stack trace

Error output in logfile.

multicast test

host1: java MulticastReceiver
Starting multicast receiver in group 224.1.0.1 on port 14454
hello
how are you
 
On host2:

host2: java MulticastSender
hello
how are you

Garbage Collection

PSYoungGen refers to the garbage collector in use for the minor collection; PS stands for Parallel Scavenge. The name indicates the generation and collector in question. The first set of numbers is the before/after size of the young generation and the second set is for the entire heap. ("Diagnosing a Garbage Collection problem" details the format.)

An example of an associated full GC also shows the collectors used for the old and permanent generations:

3.757: [Full GC [PSYoungGen: 2672K->0K(35584K)] 
           [ParOldGen: 3225K->5735K(43712K)] 5898K->5735K(79296K) 
           [PSPermGen: 13533K->13516K(27584K)], 0.0860402 secs]

Finally, breaking down one line of your example log output:

8109.128: [GC [PSYoungGen: 109884K->14201K(139904K)] 691015K->595332K(1119040K), 0.0454530 secs]

107Mb used before GC, 14Mb used after GC, max young generation size 137Mb
675Mb heap used before GC, 581Mb heap used after GC, 1Gb max heap size
minor GC occurred 8109.128 seconds since the start of the JVM and took 0.04 seconds
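
The same breakdown can be scripted. This is an added example, not part of the original page: it parses minor-collection lines in the format shown above and derives how much was promoted to the old generation and how full the heap is afterwards. The function names and the second sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: parse minor-collection lines in the ParallelGC log format shown above.

# Print the eight numeric fields of one "[GC [PSYoungGen: ...]" line, or nothing
# if the line is not a minor collection (Full GC lines have a different layout).
# Fields (sizes in K): uptime_s young_before young_after young_cap
#                      heap_before heap_after heap_cap pause_s
parse_gc_line() {
    printf '%s\n' "$1" | sed -n -E \
        's/^([0-9.]+): \[GC \[PSYoungGen: ([0-9]+)K->([0-9]+)K\(([0-9]+)K\)\] ([0-9]+)K->([0-9]+)K\(([0-9]+)K\), ([0-9.]+) secs\].*$/\1 \2 \3 \4 \5 \6 \7 \8/p'
}

# Derive what the raw numbers imply: memory freed in the young generation,
# memory freed in the whole heap, the difference (data promoted to the old
# generation), and heap occupancy after the collection as a percentage.
gc_summary() {
    parse_gc_line "$1" | awk '{
        young_freed = $2 - $3; heap_freed = $5 - $6
        printf "young_freed_K=%d heap_freed_K=%d promoted_K=%d heap_after_pct=%d\n",
            young_freed, heap_freed, young_freed - heap_freed, int($6 * 100 / $7)
    }'
}

# Read a GC log on stdin and print the uptime of every minor collection that
# leaves the heap at or above the occupancy percentage given as $1.
gc_pressure() {
    while IFS= read -r line; do
        parse_gc_line "$line"
    done | awk -v limit="$1" '$6 * 100 / $7 >= limit { print $1 }'
}

# Constructed sample: the line from the text plus one invented later collection.
SAMPLE_LOG='8109.128: [GC [PSYoungGen: 109884K->14201K(139904K)] 691015K->595332K(1119040K), 0.0454530 secs]
8200.500: [GC [PSYoungGen: 120000K->15000K(139904K)] 1100000K->1000000K(1119040K), 0.0600000 secs]'

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do gc_summary "$l"; done
printf '%s\n' "$SAMPLE_LOG" | gc_pressure 85
```

For the line from the text, the young generation and the whole heap shrink by the same amount, so nothing was promoted; a heap that stays near capacity after repeated minor collections is the pattern that precedes an OutOfMemoryError.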

look at memory usage

jmap -heap 7312

heap dump

You need to wait for the heap dump to complete. Based on the size of the heap it may take a few seconds to several minutes. At least once, it took 20 minutes for me (size of the dump was around 10G if I remember correctly). You may try the "-dump:live" option, which will dump only the live objects and no garbage.

jmap -F -dump:live,format=b,file=<file_name.hprof> <rdu_process_id>

disable ipv6

Add this startup option.

-Djava.net.preferIPv4Stack=true

url exception allow

~/.java/deployment/security/exception.sites

allow old encryption

grep '###' /usr/java/jdk1.8.0_202-amd64/jre/lib/security/java.security
### jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
###     RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
### jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
### jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
###    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
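
With those lines commented out, the properties are no longer set and the JVM applies none of the listed restrictions. The following added example (not part of the original page) reports which entries of the default `jdk.tls.disabledAlgorithms` list quoted above a given java.security file no longer disables; the function names and the two sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which TLS entries a java.security file no longer disables.

# Print the effective value of property $2 in file $1: comment lines are
# skipped, backslash continuations are joined, the last definition wins.
security_prop() {
    sed -e '/^[[:space:]]*#/d' "$1" | awk -v key="$2" '
    {
        line = $0
        while (line ~ /\\$/ && (getline nxt) > 0) {
            sub(/\\$/, "", line); sub(/^[ \t]+/, "", nxt); line = line nxt
        }
        if (index(line, key "=") == 1) val = substr(line, length(key) + 2)
    }
    END { print val }'
}

# Print every entry of the default list quoted above (key-size rules left out)
# that is missing from the effective jdk.tls.disabledAlgorithms value.
tls_reenabled() {
    current=$(security_prop "$1" jdk.tls.disabledAlgorithms)
    for want in SSLv3 RC4 DES MD5withRSA 3DES_EDE_CBC anon NULL; do
        printf '%s\n' "$current" | tr ',' '\n' |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
            grep -qxF "$want" || echo "$want"
    done
}

# Constructed samples: the commented-out state shown by the grep above, and a
# file that keeps only part of the list.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/commented.security" <<'EOF'
### jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
###    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
cat > "$demo_dir/partial.security" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 1024, \
    EC keySize < 224, anon, NULL
EOF

tls_reenabled "$demo_dir/commented.security"
```

Run it against each JVM's own java.security file after an upgrade or a troubleshooting session to confirm that only the entries a legacy peer actually needs were re-enabled.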

logfile analyze

Look in between dates for a string.

cat /catalina.out | tr -d '\n' | sed 's/\(\[[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\},[0-9]\{3\}\]\)/\n\1/g' | grep OutOfMemoryError

enable jmx monitoring

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=8099
-Dcom.sun.management.jmxremote.rmi.port=8099
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.rmi.server.hostname=127.0.0.1
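
The flags above open a JMX port with both authentication and TLS switched off. The following added example (not part of the original page) audits a JVM command line for exactly those two settings and shows a hardened flag set beside the one above; the function names are assumptions and the password and access file paths are placeholders.

```shell
#!/bin/sh
# Added example: audit a JVM command line for the remote JMX settings shown above.

# Print the value of -D<prop>=<value> from a command-line string ($1); $2 is the
# property name as a regular expression. The last occurrence wins, empty if absent.
jvm_prop() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$2=//p" | tail -n 1
}

# Print one finding per line; no output means nothing was flagged.
audit_jmx() {
    port=$(jvm_prop "$1" 'com\.sun\.management\.jmxremote\.port')
    [ -n "$port" ] || return 0      # no remote JMX listener configured
    # Both settings default to true once a port is set, so only an explicit
    # "false" turns them off.
    if [ "$(jvm_prop "$1" 'com\.sun\.management\.jmxremote\.authenticate')" = false ]; then
        echo "port $port: authentication disabled"
    fi
    if [ "$(jvm_prop "$1" 'com\.sun\.management\.jmxremote\.ssl')" = false ]; then
        echo "port $port: TLS disabled"
    fi
}

# Apply the audit to every running process whose command line mentions java.
audit_running_jvms() {
    ps -eo pid=,args= | grep '[j]ava' | while read -r pid args; do
        audit_jmx "$args" | sed "s/^/pid $pid: /"
    done
}

# The flag set from the section above.
WEAK='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=8099 -Dcom.sun.management.jmxremote.rmi.port=8099 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false -Djava.rmi.server.hostname=127.0.0.1'

# Hardened counterpart; the two file paths are placeholders.
HARDENED='-Dcom.sun.management.jmxremote.port=8099 -Dcom.sun.management.jmxremote.rmi.port=8099 -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access'

audit_jmx "$WEAK"
```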

troubleshoot ssl ciphers compatibility

List supported ciphers on source.

$ nmap --script ssl-enum-ciphers -p 443 www.example.com
Starting Nmap 5.51 ( http://nmap.org ) at 2019-05-11 06:20 GMT
Nmap scan report for api-paas.ipcenter.com (208.82.199.71)
Host is up (0.00032s latency).
rDNS record for 208.82.199.71: paas.ipcenter.com
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (2)
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds
[2019-05-11 06:20:12 root@produtil01.paas.ny1.ipcenter.com:/tmp/nmap]

List ciphers provided via java.

/usr/java/jdk1.8.0_121/jre/bin/java -Dcom.sun.net.ssl.enableECC=false -Djavax.net.debug=ssl -classpath /home/abjorklund/bin -Djavax.net.ssl.trustStore=/usr/java/jdk1.8.0_121/jre/lib/security/cacerts SSLPoke www.example.com 443

jtrack

capture thread dumps

dump when out of memory

-XX:+HeapDumpOnOutOfMemoryError

send diagnostic command requests to the JVM

List available commands.

jcmd $pid help

List threads

jcmd $pid Thread.print

Enable memory queries

-XX:NativeMemoryTracking=summary

Query with:

jcmd $pid VM.native_memory summary