Monitoring Java Application Security with JDK Tools and JFR Events
2. Hello! I am Ana
Ana-Maria Mihalceanu
Java Champion Alumni
Senior Developer Advocate at Oracle
Twitter: @ammbra1508
Mastodon: @ammbra1508.mastodon.social
2 Java Day Copyright © 2024, Oracle and/or its affiliates
3. Agenda
• JFR Security Events Overview
• Observing JDK Security Properties
• Monitoring TLS Protocol
• Analysing X.509 certificates
• Continuous Monitoring in the Cloud
4. Goal
Learn how JDK Flight Recorder, JDK Mission
Control and JFR Security Events can help
monitoring security of your Java application so
that you can detect potential safety risks.
6. JDK Flight Recorder (JFR) Events
• When running a Java application, JFR can collect events that occur in the JVM.
• JFR Events express the state of the application and underlying JVM.
• For profiling, store event data in a .jfr file.
JFR Event Components: Event ID, Timestamp, Duration, Thread ID, Stack Trace ID, Event Specific Payload
7. JDK Flight Recorder (JFR) Security Events
NAME | GOAL | BACKPORTED TO | ENABLED BY DEFAULT*
jdk.InitialSecurityProperty | For insights on initial JDK security properties. | Oracle JDK 17.0.7 and 11.0.20 | Yes
jdk.SecurityPropertyModification | Records Security.setProperty(String key, String value) calls. | Oracle JDK 11.0.5 and 8u231 | No
jdk.SecurityProviderService | Records service provider method invocations. | JDK 17.0.8, 11.0.22 and 8u391 | No
jdk.TLSHandshake | Keeps track of TLS handshake activity. | Oracle JDK 11.0.5 and 8u231 | No
jdk.X509Certificate | Records details of X.509 Certificates. | Oracle JDK 11.0.5 and 8u231 | No
jdk.X509Validation | Records details of X.509 certificates negotiated in successful X.509 validation. | Oracle JDK 11.0.5 and 8u231 | No
* In default.jfc and profile.jfc shipped within a JDK
9. Ways to observe initial security properties
• Initial security properties are set statically in the $JAVA_HOME/conf/security/java.security file.
• Security properties can also be set dynamically via java.security.Security methods.
• Print the initial security properties:
java -Djava.security.debug=properties
• Record the jdk.InitialSecurityProperty JFR event:
• Enable a JFR recording at launch: java -XX:StartFlightRecording:settings=default,duration=60s
• Or start a flight recording by connecting to the running application from JDK Mission Control
10. How to trace security property changes?
11. Have jdk.SecurityPropertyModification enabled in the JFR configuration:
$JAVA_HOME/bin/jfr configure jdk.SecurityPropertyModification#enabled=true
Start a JFR recording when launching the application:
java -XX:StartFlightRecording:settings=default,duration=60s
Inspect the recording with jcmd or JDK Mission Control.
Complete view of changes over JDK security properties
12. Extra tips to observe security properties
• Configure more JFR events by adding a space between each setting:
$JAVA_HOME/bin/jfr configure event1#enabled=true event2#enabled=false
• Set up jdk.SecurityPropertyModification when launching the JVM:
java -XX:StartFlightRecording:settings=default,duration=60s,+jdk.SecurityPropertyModification#enabled=true
• Set more JFR events when launching the JVM, separated by commas:
java -XX:StartFlightRecording:settings=default,duration=60s,+event1#enabled=true,+event2#enabled=false
• Configure each JFR event from JDK Mission Control (JMC):
  • Create a connection to a running JVM (-XX:StartFlightRecording is not mandatory in this scenario)
  • In the JMC menu, select File > Connection... > [Select one running JVM] > Start Flight Recording
  • Configure each JDK Security event
• Inspect the evolution of captured events in JMC:
  • Event Browser > Java Development Kit > Security
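As an added example (not code from this deck or from the TicTacToe demo project), the same jdk.SecurityPropertyModification event can be consumed in-process with jdk.jfr.consumer.RecordingStream, so a runtime change to a policy-bearing security property is surfaced as soon as JFR flushes it instead of after a recording is dumped and printed. The SENSITIVE watch list and the Security.setProperty call that triggers the event are constructed for the demo and are assumptions; the event field names key and value are those of the JDK event.

```java
import java.security.Security;
import java.util.Set;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordedFrame;
import jdk.jfr.consumer.RecordingStream;

public class SecurityPropertyWatch {

    // Constructed watch list for this example: properties whose change at runtime
    // alters the crypto policy of the whole JVM (not an exhaustive list).
    static final Set<String> SENSITIVE = Set.of(
            "jdk.tls.disabledAlgorithms",
            "jdk.certpath.disabledAlgorithms",
            "jdk.jar.disabledAlgorithms",
            "crypto.policy");

    public static void main(String[] args) throws InterruptedException {
        try (RecordingStream rs = new RecordingStream()) {
            // Same event the deck enables via jfr configure, here enabled programmatically,
            // with stack traces so the alert shows who changed the property.
            rs.enable("jdk.SecurityPropertyModification").withStackTrace();
            rs.onEvent("jdk.SecurityPropertyModification", SecurityPropertyWatch::onModification);
            rs.startAsync();

            // Constructed trigger: a runtime change that the stream should surface.
            String current = Security.getProperty("jdk.tls.disabledAlgorithms");
            Security.setProperty("jdk.tls.disabledAlgorithms", current + ", SSLv3");

            // JFR flushes Java events to an in-process stream about once per second.
            Thread.sleep(3_000);
        }
    }

    static void onModification(RecordedEvent event) {
        String key = event.getString("key");
        String value = event.getString("value");
        boolean sensitive = SENSITIVE.contains(key);
        String thread = event.getThread() == null ? "?" : event.getThread().getJavaName();
        System.out.printf("%s %s %s=%s (thread %s)%n",
                event.getStartTime(), sensitive ? "ALERT" : "info", key, value, thread);
        // Print the top of the call stack only for watched properties; the frames tell
        // whether the change came from application code or from a library.
        if (sensitive && event.getStackTrace() != null) {
            var frames = event.getStackTrace().getFrames();
            for (RecordedFrame frame : frames.subList(0, Math.min(5, frames.size()))) {
                System.out.println("    at " + frame.getMethod().getType().getName()
                        + "." + frame.getMethod().getName());
            }
        }
    }
}
```

The event itself carries only key and value, so the watch list is what turns a change into an alert, and the recorded stack trace identifies the caller. jdk.InitialSecurityProperty, by contrast, is a periodic event rather than one tied to a method call, so the baseline of initial properties is better read from a dumped recording with jfr print than expected as an immediate callback.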
15. Why is SSL/TLS important?
Confidentiality: protect sensitive data/information from unauthorized users (encryption/decryption).
Authenticity: ability to identify a user/system before communicating information (certificate authorities/digital certificates).
Message integrity: identify the unauthorized modification of data during transit (message digests/signing).
16. Capture TLS protocol information
• Use a network protocol analyzer tool.
• Attach the tool to the network interface where the JVM communicates.
• Look for the "Server Hello" record to determine the TLS version used on a particular socket.
• A Java developer friendly way: inspect the debug logs.
java -Djavax.net.debug=ssl:handshake
• Get more filtered logging via:
java -Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
• Configure the jdk.TLSHandshake JFR event to get the essential TLS information.
17. "ServerHello": {
"server version" : "TLSv1.2",
"random" : "8B9226A071E9418850BE24838F42FDAF7422A07FDE62CB7D510FBF59E8E88F78",
"session id" : "CF0AB2C10ED94F56C8FA0214E7BD2C378352E66D29543B321AB7878A72304E47",
"cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
},
"key_share (51)": {
"server_share": {
"named group": x25519
"key_exchange": {
0000: 60 36 B3 39 35 71 9F F0 16 93 1E 96 87 FB 65 6E `6.95q........en
0010: 44 1B C6 D8 9B 67 83 52 85 D9 C0 00 FC D6 1D 24 D....g.R.......$
}
},
}
]
}
An example of a ServerHello record captured in logs
18. Start a recording while jdk.TLSHandshake is enabled as well:
java -XX:StartFlightRecording:settings=default,duration=60s,+jdk.TLSHandshake#enabled=true,+jdk.TLSHandshake#stackTrace=true
Or switch the jdk.TLSHandshake options to true in the JFR configuration file by running the jfr configure command in a terminal window:
jfr configure jdk.TLSHandshake#enabled=true jdk.TLSHandshake#stackTrace=true
Capture protocol details by enabling jdk.TLSHandshake
19. Local demo setup overview
Running TicTacToe locally: a Spring Boot application with JDK 22, using a keystore, a truststore and a client certificate; monitored with JDK tools.
#local.ext file
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = springboot
IP.1 = 127.0.0.1
20. # start a recording
jcmd <lvmid> JFR.start duration=60s filename=/tmp/TLS.jfr
# use the jfr print command
$JAVA_HOME/bin/jfr print --events "TLS*" /tmp/TLS.jfr
jdk.TLSHandshake {
startTime = 12:55:27.396 (2024-03-03)
peerHost = "google.com"
peerPort = 443
protocolVersion = "TLSv1.3"
cipherSuite = "TLS_AES_128_GCM_SHA256"
certificateId = 587815551
eventThread = "tomcat-handler-15" (javaThreadId = 93, virtual)
stackTrace = [
sun.security.ssl.Finished.recordEvent(SSLSessionImpl) line: 1165
sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(ServerHandshakeContext, ByteBuffer) line: 1138
...
]
}
Inspect TLS handshakes with jcmd and JFR
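The jfr print output above is meant for reading by eye; as an added example (not code from this deck or the demo project), the same jdk.TLSHandshake events can be read programmatically from the dumped file with jdk.jfr.consumer.RecordingFile and checked against a protocol policy. The policy (anything below TLS 1.2, CBC suites, and TLS 1.2 suites without an ephemeral key exchange) is an assumption constructed for the example; the field names peerHost, peerPort, protocolVersion and cipherSuite are those shown in the recording.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

public class TlsHandshakeAudit {

    // Constructed policy for this example: protocols below TLS 1.2 are findings, and so
    // are TLS 1.2 suites with CBC or without an (EC)DHE key exchange (no forward secrecy).
    static final Set<String> LEGACY_PROTOCOLS = Set.of("SSLv3", "TLSv1", "TLSv1.1");

    record Finding(String peer, String protocol, String cipherSuite, String reason) {}

    // Returns the policy violation for one handshake, or null when it is acceptable.
    static String check(String protocol, String cipherSuite) {
        if (LEGACY_PROTOCOLS.contains(protocol)) {
            return "legacy protocol";
        }
        if (cipherSuite.contains("_CBC_")) {
            return "CBC cipher suite";
        }
        if ("TLSv1.2".equals(protocol)
                && !cipherSuite.contains("_ECDHE_") && !cipherSuite.contains("_DHE_")) {
            return "no forward secrecy";
        }
        return null; // TLS 1.3 suites are AEAD-only and always use an ephemeral key share
    }

    // Reads every jdk.TLSHandshake event from a dumped recording, counts handshakes per
    // peer and collects the ones that violate the policy above.
    static List<Finding> audit(Path recording) throws IOException {
        List<Finding> findings = new ArrayList<>();
        Map<String, Integer> handshakesPerPeer = new TreeMap<>();
        for (RecordedEvent e : RecordingFile.readAllEvents(recording)) {
            if (!"jdk.TLSHandshake".equals(e.getEventType().getName())) {
                continue;
            }
            String peer = e.getString("peerHost") + ":" + e.getInt("peerPort");
            String protocol = String.valueOf(e.getString("protocolVersion"));
            String cipherSuite = String.valueOf(e.getString("cipherSuite"));
            handshakesPerPeer.merge(peer, 1, Integer::sum);
            String reason = check(protocol, cipherSuite);
            if (reason != null) {
                findings.add(new Finding(peer, protocol, cipherSuite, reason));
            }
        }
        handshakesPerPeer.forEach((peer, n) -> System.out.printf("%-40s %d handshake(s)%n", peer, n));
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // /tmp/TLS.jfr is the file name used with jcmd JFR.start above
        Path recording = Path.of(args.length > 0 ? args[0] : "/tmp/TLS.jfr");
        for (Finding f : audit(recording)) {
            System.out.println("FINDING " + f);
        }
    }
}
```

The handshake shown in the deck (TLSv1.3 with TLS_AES_128_GCM_SHA256 to google.com:443) passes this policy; a TLSv1.2 handshake negotiating an RSA key exchange or a CBC suite would be listed as a finding together with the peer, which is usually enough to locate the client or server configuration that allowed it.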
22. Importance of X.509 certificates
• Bind an identity to a public key using a digital signature.
• Enable secure communication and transactions between two parties.
• Establish trust based on a series of fields:
  • version
  • serial number
  • signature (algorithm ID and parameters)
  • issuer name
  • validity period
  • subject name
  • subject public key (and associated algorithm ID)
23. # use keytool to query certificates in the JDK truststore
$JAVA_HOME/bin/keytool -cacerts -list -v
# use keytool to query certificates in a keystore
keytool -v -list -keystore /path/to/keystore
# configure the debug system properties to print verbose X.509 certificate information
java -Djava.security.debug=certpath -Djavax.net.debug=all
View certificate details
24. # switch the jdk.X509Certificate and jdk.X509Validation options to true in your JFR configuration file
<event name="jdk.X509Certificate">
<setting name="enabled">true</setting>
<setting name="stackTrace">true</setting>
</event>
<event name="jdk.X509Validation">
<setting name="enabled">true</setting>
<setting name="stackTrace">true</setting>
</event>
# or run jfr configure command in a terminal window
$JAVA_HOME/bin/jfr configure jdk.X509Certificate#enabled=true jdk.X509Validation#enabled=true
# or enable the options on application launch
java -XX:StartFlightRecording:settings=default,+jdk.X509Certificate#enabled=true,+jdk.X509Validation#enabled=true
Enable relevant details about X.509 certificates in JFR
25. Run your application with the -XX:StartFlightRecording flag and have the jdk.X509Certificate and jdk.X509Validation options enabled.
Execute a diagnostic command via jcmd:
jcmd <lvmid> JFR.start duration=60s filename=/tmp/cert.jfr
Show the recorded details about X.509 certificates:
$JAVA_HOME/bin/jfr print --events jdk.X509Certificate /tmp/cert.jfr
Capture details on X.509 certificates with jcmd and JFR
26. $JAVA_HOME/bin/jfr print --events "jdk.X509Certificate" /tmp/cert.jfr
jdk.X509Certificate {
startTime = 09:59:25.672 (2022-11-10)
algorithm = "SHA1withRSA"
serialNumber = "18dad19e267de8bb4a2158cdcc6b3b4a"
subject = "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For
authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US"
issuer = "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For
authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US"
keyType = "RSA"
keyLength = 2048
certificateId = 303010488
validFrom = 00:00:00.000 (2006-11-08)
validUntil = 23:59:59.000 (2036-07-16)
eventThread = "main" (javaThreadId = 1)
stackTrace = [
sun.security.jca.JCAUtil.tryCommitCertEvent(Certificate) line: 126
java.security.cert.CertificateFactory.generateCertificate(InputStream) line: 356
...
]
}
Example output of recorded details
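The certificateId in the output above is the join key between jdk.X509Certificate (details of a parsed certificate) and jdk.X509Validation (which certificate sat at which position of a successfully validated chain). As an added example (not code from this deck or the demo project), the program below reads both event types from the dumped recording, rebuilds each validated chain ordered by certificatePosition, and flags certificates with a weak signature algorithm, a short RSA key, or a validity period that does not cover the current time. The set of flagged algorithms and the 2048-bit threshold are assumptions constructed for the example; the field names are those of the JDK events.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

public class CertChainReport {

    // Constructed policy for this example: signature algorithms and key sizes to flag.
    static final Set<String> WEAK_SIGNATURES =
            Set.of("MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA", "SHA1withECDSA");

    record Cert(long id, String subject, String algorithm, String keyType, int keyLength,
                Instant validFrom, Instant validUntil) {
        // Returns a description of the first weakness found, or null.
        String weakness(Instant now) {
            if (WEAK_SIGNATURES.contains(algorithm)) return "weak signature " + algorithm;
            if ("RSA".equals(keyType) && keyLength < 2048) return "RSA key of " + keyLength + " bits";
            if (now.isBefore(validFrom) || now.isAfter(validUntil)) return "outside validity period";
            return null;
        }
    }

    // One slot of a validated chain; cert is null when the certificate was parsed
    // (and its jdk.X509Certificate event emitted) before the recording started.
    record Slot(long certificateId, Cert cert) {}

    static Cert toCert(RecordedEvent e) {
        return new Cert(e.getLong("certificateId"), e.getString("subject"), e.getString("algorithm"),
                e.getString("keyType"), e.getInt("keyLength"),
                e.getInstant("validFrom"), e.getInstant("validUntil"));
    }

    // Joins jdk.X509Validation to jdk.X509Certificate on certificateId and groups the
    // result by validationCounter, ordered by certificatePosition within each chain.
    static Map<Long, Map<Integer, Slot>> chains(Path recording) throws IOException {
        Map<Long, Cert> certsById = new HashMap<>();
        List<RecordedEvent> validations = new ArrayList<>();
        for (RecordedEvent e : RecordingFile.readAllEvents(recording)) {
            switch (e.getEventType().getName()) {
                case "jdk.X509Certificate" -> certsById.put(e.getLong("certificateId"), toCert(e));
                case "jdk.X509Validation" -> validations.add(e);
                default -> { }
            }
        }
        Map<Long, Map<Integer, Slot>> chains = new TreeMap<>();
        for (RecordedEvent v : validations) {
            long id = v.getLong("certificateId");
            chains.computeIfAbsent(v.getLong("validationCounter"), k -> new TreeMap<>())
                  .put(v.getInt("certificatePosition"), new Slot(id, certsById.get(id)));
        }
        return chains;
    }

    public static void main(String[] args) throws IOException {
        // /tmp/cert.jfr is the file name used with jcmd JFR.start in the deck
        Path recording = Path.of(args.length > 0 ? args[0] : "/tmp/cert.jfr");
        Instant now = Instant.now();
        chains(recording).forEach((counter, chain) -> {
            System.out.println("validation #" + counter);
            chain.forEach((position, slot) -> {
                if (slot.cert() == null) {
                    System.out.printf("  [%d] certificateId=%d (no certificate event in this recording)%n",
                            position, slot.certificateId());
                    return;
                }
                Cert c = slot.cert();
                String weakness = c.weakness(now);
                System.out.printf("  [%d] %s  %s/%d  %s%n", position, c.subject(), c.keyType(),
                        c.keyLength(), weakness == null ? "ok" : "WARN " + weakness);
            });
        });
    }
}
```

Run against the recording from the deck, the VeriSign G5 root shown above would be reported with "weak signature SHA1withRSA". For a trust anchor that is a low-severity finding, because the anchor's own signature is never verified during path validation; the same algorithm on an intermediate or leaf certificate is what needs attention. Certificates that were parsed before the recording started (for example truststore entries loaded at JVM startup) appear only by certificateId, which is why a recording started with -XX:StartFlightRecording at launch gives a more complete picture than one started later with jcmd.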
28. JDK Flight Recorder provides rich, structured data and API support for event streams.
Until JDK 16, developers could monitor a Java process on a remote host and control
what is recorded via JDK Mission Control.
Since JDK 16, you can transfer recorded events programmatically, as they occur, over
the network using javax.management.MBeanServerConnection.
Streaming JFR events
29.
import java.io.IOException;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import jdk.management.jfr.RemoteRecordingStream;

String host = "com.example";
int port = 7091;
String url = "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi";
JMXServiceURL u = new JMXServiceURL(url);
JMXConnector c = JMXConnectorFactory.connect(u);
MBeanServerConnection connection = c.getMBeanServerConnection();
// Stream events from the remote JVM over JMX; enable the X.509 event with stack traces
try (RemoteRecordingStream stream = new RemoteRecordingStream(connection)) {
    stream.enable("jdk.X509Certificate").withStackTrace();
    stream.onEvent("jdk.X509Certificate", System.out::println);
    stream.start(); // blocks the current thread until the stream is closed
}
Monitor a remote host using a MBeanServerConnection
30.
import java.io.IOException;
import java.util.concurrent.atomic.AtomicLong;
import io.micrometer.core.instrument.CompositeMeterRegistry;
import io.micrometer.core.instrument.Gauge;
import io.micrometer.core.instrument.Metrics;
import jdk.jfr.consumer.EventStream;

CompositeMeterRegistry metricsRegistry = Metrics.globalRegistry;
// Register the gauge once, backed by a strongly held counter that every event updates;
// registering a new gauge per event would only return the first one and let its
// weakly referenced event be garbage collected.
AtomicLong validationCounter = new AtomicLong();
Gauge.builder("jdk.X509Validation", validationCounter, AtomicLong::doubleValue)
        .description("X509 Certificate Validation Counter").register(metricsRegistry);
try (var es = EventStream.openRepository()) {
    es.onEvent("jdk.X509Validation", recordedEvent ->
            validationCounter.set(recordedEvent.getLong("validationCounter")));
    es.start(); // blocks the current thread; use startAsync() to stream in the background
} catch (IOException e) {
    throw new RuntimeException("Couldn't process event", e);
}
Stream JFR events actively and within process
31. Evolving the demo setup
Run podman compose with TicTacToe on an Oracle Cloud instance. Components: the Spring Boot application with JDK 22 and its keystore, a configuration volume, a monitoring tool (Prometheus) with its own volume, and a player connecting to the game; monitored with JDK tools and Java Management Service.
32. Java Management Service (JMS)
Oracle Cloud service that helps manage and reduce the total cost of ownership of Java deployments running on-premise (desktop, laptop, server) or in the cloud (OCI and non-OCI clouds).
Visibility: discover, manage and patch your Java deployments across the enterprise.
Insight: telemetry data from the JVM to analyze configuration, security, performance, compliance, and efficiency.
Automation: security analysis, migration analysis, optimizing JVM tuning.
33. Let’s play and observe!
34. Stay tuned for more!
Inside.java
Dev.java youtube.com/java
35. Useful links
• Monitoring Java Application Security with JDK tools and JFR Events: https://dev.java/learn/security/monitor/
• Stack Walker ep 2 on JFR https://inside.java/2023/05/14/stackwalker-02/
• Continuous monitoring with JDK Flight Recorder: https://www.infoq.com/presentations/monitoring-jdk-jfr/
• Code used during demo: https://github.com/ammbra/tictactoe
• OCI Instance installation: https://www.anamihalceanu.com/post/building-a-cloud-compute-instance-with-java-concepts
• Compose files in OCI: https://docs.oracle.com/en/learn/podman-compose/index.html#confirm-podman-compose-is-working
• More articles on Java Management Service: https://inside.java/tag/cloud
• Gunnar Morling's article on custom JFR events: https://www.morling.dev/blog/rest-api-monitoring-with-custom-jdk-flight-recorder-events/