Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
Senior Developer Advocate at Oracle, Java Champion Alumni
Twitter: @ammbra1508
Mastodon: @ammbra1508.mastondon.social
Hello! I am Ana
Java Day, Copyright © 2024, Oracle and/or its affiliates
Agenda
• JFR Security Events Overview
• Observing JDK Security Properties
• Monitoring TLS Protocol
• Analysing X.509 certificates
• Continuous Monitoring in the Cloud
Goal
Learn how JDK Flight Recorder, JDK Mission Control and the JFR Security Events can help you monitor the security of your Java application so that you can detect potential security risks.
JFR Security Events Overview
JDK Flight Recorder (JFR) Events
• When running a Java application, JFR can collect events that occur in the JVM.
• JFR Events express the state of the application and underlying JVM.
• For profiling, store event data in a .jfr file.
JFR Event Components (diagram): Event ID, Timestamp, Duration, Thread ID, Stack Trace ID, Event Specific Payload
JDK Flight Recorder (JFR) Security Events

| NAME | GOAL | BACKPORTED TO | ENABLED BY DEFAULT* |
|---|---|---|---|
| jdk.InitialSecurityProperty | For insights on initial JDK security properties. | Oracle JDK 17.0.7 and 11.0.20 | Yes |
| jdk.SecurityPropertyModification | Records Security.setProperty(String key, String value) calls. | Oracle JDK 11.0.5 and 8u231 | No |
| jdk.SecurityProviderService | Records service provider method invocations. | JDK 17.0.8, 11.0.22 and 8u391 | No |
| jdk.TLSHandshake | Keeps track of TLS handshake activity. | Oracle JDK 11.0.5 and 8u231 | No |
| jdk.X509Certificate | Records details of X.509 certificates. | Oracle JDK 11.0.5 and 8u231 | No |
| jdk.X509Validation | Records details of X.509 certificates negotiated in successful X.509 validation. | Oracle JDK 11.0.5 and 8u231 | No |

* In default.jfc and profile.jfc shipped within a JDK
Observing JDK Security Properties
Ways to observe initial security properties
• Initial security properties are set statically in the $JAVA_HOME/conf/security/java.security file.
• Security properties can also be set dynamically via the java.security.Security methods.
• Print the initial security properties:
java -Djava.security.debug=properties
• Record the jdk.InitialSecurityProperty JFR event:
• Enable a JFR recording at launch: java -XX:StartFlightRecording:settings=default,duration=60s
• Or start a flight recording by connecting to the running application from JDK Mission Control
How to trace security property changes?
Complete view of changes over JDK security properties
Have jdk.SecurityPropertyModification enabled in the JFR configuration.
$JAVA_HOME/bin/jfr configure jdk.SecurityPropertyModification#enabled=true
Start a JFR recording when launching the application.
java -XX:StartFlightRecording:settings=default,duration=60s
Inspect the recording with jcmd or JDK Mission Control.
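As an added example (not code from the slides or the demo project), the following class watches the same two events from inside the JVM: jdk.InitialSecurityProperty supplies the baseline and jdk.SecurityPropertyModification reports each Security.setProperty call, with the calling frame taken from the event's stack trace. It assumes both events carry key and value fields, and the list of sensitive keys is this example's own policy, not a JDK default.

```java
import java.security.Security;
import java.time.Duration;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordedFrame;
import jdk.jfr.consumer.RecordedStackTrace;
import jdk.jfr.consumer.RecordingStream;

/**
 * Watches JDK security properties from inside the JVM: jdk.InitialSecurityProperty
 * supplies the baseline loaded from java.security, jdk.SecurityPropertyModification
 * reports each Security.setProperty call. Both events carry "key" and "value".
 */
public final class SecurityPropertyWatch {

    // Assumed watch list for this example: keys whose change relaxes TLS, certificate
    // path, JAR signing or crypto policy. Extend it to match your own baseline.
    private static final Set<String> SENSITIVE_KEYS = Set.of(
            "jdk.tls.disabledAlgorithms",
            "jdk.certpath.disabledAlgorithms",
            "jdk.jar.disabledAlgorithms",
            "crypto.policy");

    private final Map<String, String> current = new ConcurrentHashMap<>();

    /** Returns a finding for a property change, or null for baseline entries and no-op rewrites. */
    String onEvent(RecordedEvent e) {
        String type = e.getEventType().getName();
        String key = e.getString("key");
        String value = e.getString("value");
        if ("jdk.InitialSecurityProperty".equals(type)) {
            current.put(key, value);        // baseline, emitted when the recording starts
            return null;
        }
        if (!"jdk.SecurityPropertyModification".equals(type)) {
            return null;
        }
        String previous = current.put(key, value);   // null when the key had no baseline entry
        boolean sensitive = SENSITIVE_KEYS.contains(key) || key.startsWith("security.provider.");
        if (!sensitive && value.equals(previous)) {
            return null;                    // same value written again, nothing changed
        }
        return (sensitive ? "SENSITIVE " : "") + key + ": \"" + previous + "\" -> \"" + value
                + "\" set by " + caller(e.getStackTrace());
    }

    /** First frame outside java.security.Security, i.e. the code that changed the property. */
    private static String caller(RecordedStackTrace trace) {
        if (trace == null) {
            return "unknown (stackTrace not enabled)";
        }
        for (RecordedFrame frame : trace.getFrames()) {
            String cls = frame.getMethod().getType().getName();
            if (!cls.equals("java.security.Security")) {
                return cls + "." + frame.getMethod().getName();
            }
        }
        return "unknown";
    }

    public static void main(String[] args) throws InterruptedException {
        SecurityPropertyWatch watch = new SecurityPropertyWatch();
        try (RecordingStream rs = new RecordingStream()) {
            rs.enable("jdk.InitialSecurityProperty");
            rs.enable("jdk.SecurityPropertyModification").withStackTrace();
            rs.onEvent(e -> {
                String finding = watch.onEvent(e);
                if (finding != null) {
                    System.out.println("[security-property] " + finding);
                }
            });
            rs.startAsync();
            // Constructed trigger for the demo: tightening the TLS policy is itself a
            // modification and is reported by the stream with this method as the caller.
            Security.setProperty("jdk.tls.disabledAlgorithms",
                    Security.getProperty("jdk.tls.disabledAlgorithms") + ", TLSv1.1");
            rs.awaitTermination(Duration.ofSeconds(5));
        }
    }
}
```

Run it with a JDK that ships jdk.InitialSecurityProperty (JDK 20, or the backports in the table above); on older JDKs the baseline map stays empty and every modification is reported with a null previous value.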
Extra tips to observe security properties
• Configure more JFR events by adding a space between each setting
$JAVA_HOME/bin/jfr configure event1#enabled=true event2#enabled=false
• Setup jdk.SecurityPropertyModification when launching the JVM
java -XX:StartFlightRecording:settings=default,duration=60s,+jdk.SecurityPropertyModification#enabled=true
• Set more JFR events when launching the JVM, separated by comma
java -XX:StartFlightRecording:settings=default,duration=60s,+event1#enabled=true,+event2#enabled=false
• Configure each JFR event from JDK Mission Control (JMC)
• Create a connection to a running JVM (-XX:StartFlightRecording is not mandatory in this scenario)
• In JMC menu, select File > Connection... > [Select one running JVM] > Start Flight Recording
• Configure each JDK Security event
• Inspect the evolution of captured events in JMC
• Event Browser > Java Development Kit > Security
Monitoring TLS Protocol
Why is SSL/TLS important?
• Confidentiality: protect sensitive data/information from unauthorized users (encryption/decryption).
• Authenticity: ability to identify a user/system before communicating information (certificate authorities/digital certificates).
• Message integrity: identify the unauthorized modification of data during transit (message digests/signing).
Capture TLS protocol information
• Use a network protocol analyzer tool.
• Attach the tool to the network interface where the JVM communicates.
• Look for "Server Hello" record to determine TLS version used on a particular socket.
• A Java developer friendly way: inspect debug logs.
java -Djavax.net.debug=ssl:handshake
• Get more filtered logging via:
java -Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
• Configure jdk.TLSHandshake JFR event to get essential TLS information.
"ServerHello": {
"server version" : "TLSv1.2",
"random" : "8B9226A071E9418850BE24838F42FDAF7422A07FDE62CB7D510FBF59E8E88F78",
"session id" : "CF0AB2C10ED94F56C8FA0214E7BD2C378352E66D29543B321AB7878A72304E47",
"cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
},
"key_share (51)": {
"server_share": {
"named group": x25519
"key_exchange": {
0000: 60 36 B3 39 35 71 9F F0 16 93 1E 96 87 FB 65 6E `6.95q........en
0010: 44 1B C6 D8 9B 67 83 52 85 D9 C0 00 FC D6 1D 24 D....g.R.......$
}
},
}
]
}
An example of a ServerHello record captured in the logs
Capture protocol details by enabling jdk.TLSHandshake
Start a recording while jdk.TLSHandshake is enabled as well.
java -XX:StartFlightRecording:settings=default,duration=60s,+jdk.TLSHandshake#enabled=true,+jdk.TLSHandshake#stackTrace=true
Or switch the jdk.TLSHandshake options to true in the JFR configuration file by running the jfr configure command in a terminal window.
jfr configure jdk.TLSHandshake#enabled=true jdk.TLSHandshake#stackTrace=true
Local demo setup overview (diagram): the TicTacToe Spring Boot application runs locally on JDK 22 with a keystore, a truststore and a client certificate, and is monitored with JDK tools.
#local.ext file
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = springboot
IP.1 = 127.0.0.1
# start a recording on the running JVM (<lvmid> is the local VM id shown by jcmd or jps)
jcmd <lvmid> JFR.start duration=60s filename=/tmp/TLS.jfr
# use the jfr print command to show the TLS events from the recording
$JAVA_HOME/bin/jfr print --events "TLS*" /tmp/TLS.jfr
jdk.TLSHandshake {
startTime = 12:55:27.396 (2024-03-03)
peerHost = "google.com"
peerPort = 443
protocolVersion = "TLSv1.3"
cipherSuite = "TLS_AES_128_GCM_SHA256"
certificateId = 587815551
eventThread = "tomcat-handler-15" (javaThreadId = 93, virtual)
stackTrace = [
sun.security.ssl.Finished.recordEvent(SSLSessionImpl) line: 1165
sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(ServerHandshakeContext, ByteBuffer) line: 1138
...
]
}
Inspect TLS handshakes with jcmd and JFR
Analysing X.509 Certificates
Importance of X.509 certificates
• Bind an identity to a public key using a digital signature.
• Enable secure communication and transaction between two parties.
• Establish trust based on a series of fields:
• version
• serial number
• signature (algorithm ID and parameters)
• issuer name
• validity period
• subject name
• subject public key (and associated algorithm ID)
# use keytool to query the certificates in the JDK truststore
$JAVA_HOME/bin/keytool -cacerts -list -v
# use keytool to query the certificates in a keystore
keytool -v -list -keystore /path/to/keystore
# configure the debug system properties to print verbose X.509 certificate information
java -Djava.security.debug=certpath -Djavax.net.debug=all
View certificate details
# switch the jdk.X509Certificate and jdk.X509Validation options to true in your JFR configuration file
<event name="jdk.X509Certificate">
<setting name="enabled">true</setting>
<setting name="stackTrace">true</setting>
</event>
<event name="jdk.X509Validation">
<setting name="enabled">true</setting>
<setting name="stackTrace">true</setting>
</event>
# or run the jfr configure command in a terminal window
$JAVA_HOME/bin/jfr configure jdk.X509Certificate#enabled=true jdk.X509Validation#enabled=true
# or enable the options on application launch (each event setting is prefixed with +)
java -XX:StartFlightRecording:settings=default,+jdk.X509Certificate#enabled=true,+jdk.X509Validation#enabled=true
Enable relevant details about X.509 certificates in JFR
Capture details on X.509 certificates with jcmd and JFR
Run your application with the -XX:StartFlightRecording flag and have the jdk.X509Certificate and jdk.X509Validation options enabled.
Execute a diagnostic command via jcmd (<lvmid> is the local VM id shown by jcmd or jps).
jcmd <lvmid> JFR.start duration=60s filename=/tmp/cert.jfr
Show the recorded details about X.509 certificates.
$JAVA_HOME/bin/jfr print --events jdk.X509Certificate /tmp/cert.jfr
$JAVA_HOME/bin/jfr print --events "jdk.X509Certificate" /tmp/cert.jfr
jdk.X509Certificate {
startTime = 09:59:25.672 (2022-11-10)
algorithm = "SHA1withRSA"
serialNumber = "18dad19e267de8bb4a2158cdcc6b3b4a"
subject = "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For
authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US"
issuer = "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For
authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US"
keyType = "RSA"
keyLength = 2048
certificateId = 303010488
validFrom = 00:00:00.000 (2006-11-08)
validUntil = 23:59:59.000 (2036-07-16)
eventThread = "main" (javaThreadId = 1)
stackTrace = [
sun.security.jca.JCAUtil.tryCommitCertEvent(Certificate) line: 126
java.security.cert.CertificateFactory.generateCertificate(InputStream) line: 356
...
]
}
Example output of the recorded details
Continuous Monitoring in the Cloud
Streaming JFR events
JDK Flight Recorder provides rich, structured data and an API for consuming event streams.
Until JDK 16, developers could monitor a Java process on a remote host and control what is recorded via JDK Mission Control.
Since JDK 16, you can transfer recorded events programmatically, as they occur, over the network using javax.management.MBeanServerConnection.
import java.io.IOException;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import jdk.management.jfr.RemoteRecordingStream;

// Connect over JMX to the remote JVM, which must expose a JMX remote port (here 7091);
// this snippet runs inside a method declared to throw IOException
String host = "com.example";
int port = 7091;
String url = "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi";
JMXServiceURL u = new JMXServiceURL(url);
JMXConnector c = JMXConnectorFactory.connect(u);
MBeanServerConnection connection = c.getMBeanServerConnection();
// Stream jdk.X509Certificate events (with stack traces) from the remote JVM as they are recorded
try (RemoteRecordingStream stream = new RemoteRecordingStream(connection)) {
    stream.enable("jdk.X509Certificate").withStackTrace();
    stream.onEvent("jdk.X509Certificate", System.out::println);
    stream.start(); // blocks until the stream is closed
}
Monitor a remote host using an MBeanServerConnection
import java.io.IOException;
import io.micrometer.core.instrument.Gauge;
import io.micrometer.core.instrument.Metrics;
import io.micrometer.core.instrument.composite.CompositeMeterRegistry;
import jdk.jfr.consumer.EventStream;

CompositeMeterRegistry metricsRegistry = Metrics.globalRegistry;
// Open the disk repository of this JVM's own recording (in-process, no JMX needed);
// a recording must already be running, e.g. via -XX:StartFlightRecording
try (var es = EventStream.openRepository()) {
    es.onEvent("jdk.X509Validation", recordedEvent -> {
        // Expose the event's validationCounter field as a Micrometer gauge
        Gauge.builder("jdk.X509Validation", recordedEvent, e -> e.getLong("validationCounter"))
                .description("X509 Certificate Validation Counter").register(metricsRegistry);
    });
    es.start(); // blocks; use startAsync() to keep the calling thread free
} catch (IOException e) {
    throw new RuntimeException("Couldn't process event", e);
}
Stream JFR events actively and within the process
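As an added example (not code from the slides or the tictactoe demo project), this class applies defender-side policy checks to the jdk.TLSHandshake and jdk.X509Certificate events whose fields appear in the jfr print output above, either offline on a recording file written by jcmd JFR.start or live from an in-process RecordingStream. The accepted protocol list, the weak-signature list and the key-size thresholds are assumed policy values, not JDK defaults, and the self-signed SHA1withRSA root from the example output is handled as the edge case it is.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;
import jdk.jfr.consumer.RecordingStream;

/**
 * Policy checks over jdk.TLSHandshake and jdk.X509Certificate events, run either
 * offline on a .jfr file or live inside the JVM. The thresholds below are assumed
 * policy values for this example, not JDK defaults.
 */
public final class SecurityEventReview {

    private static final Set<String> ACCEPTED_PROTOCOLS = Set.of("TLSv1.3", "TLSv1.2");
    private static final Set<String> WEAK_SIGNATURE_ALGORITHMS =
            Set.of("MD2withRSA", "MD5withRSA", "SHA1withRSA", "SHA1withDSA", "SHA1withECDSA");
    private static final int MIN_RSA_BITS = 2048;
    private static final int MIN_EC_BITS = 256;

    /** Returns a finding for one event, or null when it passes every check. */
    static String review(RecordedEvent event) {
        return switch (event.getEventType().getName()) {
            case "jdk.TLSHandshake" -> reviewHandshake(event);
            case "jdk.X509Certificate" -> reviewCertificate(event);
            default -> null;
        };
    }

    private static String reviewHandshake(RecordedEvent e) {
        // Field names are those shown by "jfr print --events TLS*" on the slides
        String protocol = e.getString("protocolVersion");
        String suite = e.getString("cipherSuite");
        String peer = e.getString("peerHost") + ":" + e.getInt("peerPort");
        if (!ACCEPTED_PROTOCOLS.contains(protocol)) {
            return "legacy protocol " + protocol + " negotiated with " + peer;
        }
        // CBC suites are not AEAD; TLS_RSA_* key exchange gives no forward secrecy
        if (suite.contains("_CBC_") || suite.startsWith("TLS_RSA_")) {
            return "weak cipher suite " + suite + " negotiated with " + peer;
        }
        return null;
    }

    private static String reviewCertificate(RecordedEvent e) {
        // Field names are those shown by "jfr print --events jdk.X509Certificate"
        String algorithm = e.getString("algorithm");
        String subject = e.getString("subject");
        String issuer = e.getString("issuer");
        String keyType = e.getString("keyType");
        int keyLength = e.getInt("keyLength");
        // A trust anchor's self-signature is not verified during path validation, so the
        // self-signed SHA1withRSA VeriSign root from the slides is deliberately not reported
        if (!subject.equals(issuer) && WEAK_SIGNATURE_ALGORITHMS.contains(algorithm)) {
            return "certificate signed with " + algorithm + ": " + subject;
        }
        int minBits = "EC".equals(keyType) ? MIN_EC_BITS : MIN_RSA_BITS;
        if (keyLength < minBits) {
            return "short " + keyType + " key of " + keyLength + " bits: " + subject;
        }
        return null;
    }

    /** Offline: review a recording written by jcmd JFR.start or -XX:StartFlightRecording. */
    static List<String> reviewRecording(Path jfrFile) throws IOException {
        List<String> findings = new ArrayList<>();
        try (RecordingFile file = new RecordingFile(jfrFile)) {
            while (file.hasMoreEvents()) {
                String finding = review(file.readEvent());
                if (finding != null) findings.add(finding);
            }
        }
        return findings;
    }

    /** Live, in-process: the same checks applied as the JVM records the events. */
    static void reviewLive(Duration runFor) throws InterruptedException {
        try (RecordingStream rs = new RecordingStream()) {
            rs.enable("jdk.TLSHandshake").withStackTrace();
            rs.enable("jdk.X509Certificate");
            rs.onEvent(e -> {
                String finding = review(e);
                if (finding != null) System.out.println("[security] " + finding);
            });
            rs.startAsync();
            rs.awaitTermination(runFor);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) reviewRecording(Path.of(args[0])).forEach(System.out::println);
        else reviewLive(Duration.ofSeconds(60));
    }
}
```

Pass the path of /tmp/TLS.jfr or /tmp/cert.jfr from the earlier slides to review a finished recording; without an argument it watches the current JVM for sixty seconds.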
Evolving the demo setup (diagram): the TicTacToe Spring Boot application with JDK 22 runs via podman compose in an Oracle Cloud instance, with a keystore and a configuration volume; the player connects to it, a monitoring tool (Prometheus) reads its own configuration volume, and the JVM is monitored with JDK tools and Java Management Service.
Java Management Service (JMS)
Oracle Cloud service that helps manage and reduce the total cost of ownership of Java deployments running on-premise (desktop, laptop, server) or in the cloud (OCI and non-OCI clouds).
• Visibility: discover, manage and patch your Java deployments across the enterprise
• Insight: telemetry data from the JVM to analyze configuration, security, performance, compliance, and efficiency
• Automation: security analysis, migration analysis, optimizing JVM tuning
Let's play and observe!
Stay tuned for more!
Useful links
Inside.java | Dev.java | youtube.com/java
• Monitoring Java Application Security with JDK tools and JFR Events: https://dev.java/learn/security/monitor/
• Stack Walker ep 2 on JFR: https://inside.java/2023/05/14/stackwalker-02/
• Continuous monitoring with JDK Flight Recorder: https://www.infoq.com/presentations/monitoring-jdk-jfr/
• Code used during the demo: https://github.com/ammbra/tictactoe
• OCI Instance installation: https://www.anamihalceanu.com/post/building-a-cloud-compute-instance-with-java-concepts
• Compose files in OCI: https://docs.oracle.com/en/learn/podman-compose/index.html#confirm-podman-compose-is-working
• More articles on Java Management Service: https://inside.java/tag/cloud
• Gunnar Morling's article on custom JFR events: https://www.morling.dev/blog/rest-api-monitoring-with-custom-jdk-flight-recorder-events/

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Último (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Monitoring Java Application Security with JDK Tools and JFR Events.pdf

  • 1. Ana-Maria Mihalceanu Senior Developer Advocate Monitoring Java Application Security with JDK Tools and JFR Events
  • 2. Java Champion Alumni Senior Developer Advocate at Oracle Twitter: @ammbra1508 Mastodon: @ammbra1508.mastondon.social Ana-Maria Mihalceanu Hello! I am Ana 2 Java Day Copyright © 2024, Oracle and/or its affiliates
  • 3. Agenda
    • JFR Security Events Overview
    • Observing JDK Security Properties
    • Monitoring TLS Protocol
    • Analysing X.509 certificates
    • Continuous Monitoring in the Cloud
  • 4. Goal
    Learn how JDK Flight Recorder, JDK Mission Control and JFR Security Events can help you monitor the security of your Java application so that you can detect potential security risks.
  • 5. JFR Security Events Overview
  • 6. JDK Flight Recorder (JFR) Events
    • When running a Java application, JFR can collect events that occur in the JVM.
    • JFR Events express the state of the application and underlying JVM.
    • For profiling, store event data in a .jfr file.
    JFR Event Components: Event ID | Timestamp | Duration | Thread ID | Stack Trace ID | Event Specific Payload
  • 7. JDK Flight Recorder (JFR) Security Events
    NAME                              GOAL                                                                     BACKPORTED TO                   ENABLED BY DEFAULT*
    jdk.InitialSecurityProperty       For insights on initial JDK security properties.                         Oracle JDK 17.0.7 and 11.0.20   Yes
    jdk.SecurityPropertyModification  Records Security.setProperty(String key, String value) calls.            Oracle JDK 11.0.5 and 8u231     No
    jdk.SecurityProviderService       Records service provider method invocations.                             JDK 17.0.8, 11.0.22 and 8u391   No
    jdk.TLSHandshake                  Keeps track of TLS handshake activity.                                   Oracle JDK 11.0.5 and 8u231     No
    jdk.X509Certificate               Records details of X.509 Certificates.                                   Oracle JDK 11.0.5 and 8u231     No
    jdk.X509Validation                Records details of X.509 certificates negotiated in successful X.509 validation.  Oracle JDK 11.0.5 and 8u231  No
    * In default.jfc and profile.jfc shipped within a JDK
  • 8. Observing JDK Security Properties
  • 9. Ways to observe initial security properties
    • Initial security properties are set statically in the $JAVA_HOME/conf/security file.
    • Security properties can be set dynamically via java.security.Security methods.
    • Print the initial security properties:
        java -Djava.security.debug=properties
    • Record the jdk.InitialSecurityProperty JFR event:
      • Enable a JFR recording:
          java -XX:StartFlightRecording:settings=default,duration=60s
      • Or start a flight recording by connecting to the running application from JDK Mission Control.
  • 10. How to trace security property changes?
  • 11. Complete view of changes over JDK security properties
    Have jdk.SecurityPropertyModification enabled in the JFR configuration:
        $JAVA_HOME/bin/jfr configure jdk.SecurityPropertyModification#enabled=true
    Start a JFR recording when launching the application:
        java -XX:StartFlightRecording:settings=default,duration=60s
    Inspect the recording with jcmd or JDK Mission Control.
  • 12. Extra tips to observe security properties
    • Configure more JFR events by adding a space between each setting:
        $JAVA_HOME/bin/jfr configure event1#enabled=true event2#enabled=false
    • Set up jdk.SecurityPropertyModification when launching the JVM:
        java -XX:StartFlightRecording:settings=default,duration=60s,+jdk.SecurityPropertyModification#enabled=true
    • Set more JFR events when launching the JVM, separated by commas:
        java -XX:StartFlightRecording:settings=default,duration=60s,+event1#enabled=true,+event2#enabled=false
    • Configure each JFR event from JDK Mission Control (JMC):
      • Create a connection to a running JVM (-XX:StartFlightRecording is not mandatory in this scenario).
      • In the JMC menu, select File > Connection... > [Select one running JVM] > Start Flight Recording.
      • Configure each JDK Security event.
    • Inspect the evolution of captured events in JMC:
      • Event Browser > Java Development Kit > Security
  • 13.
  • 14. Monitoring TLS Protocol
  • 15. Why is SSL/TLS important?
    • Confidentiality: protect sensitive data/information from unauthorized users (encryption/decryption).
    • Authenticity: ability to identify a user/system before communicating information (certificate authorities/digital certificates).
    • Message integrity: identify the unauthorized modification of data during transit (message digests/signing).
  • 16. Capture TLS protocol information
    • Use a network protocol analyzer tool.
      • Attach the tool to the network interface where the JVM communicates.
      • Look for the "Server Hello" record to determine the TLS version used on a particular socket.
    • A Java developer friendly way: inspect debug logs.
        java -Djavax.net.debug=ssl:handshake
      • Get more filtered logging via:
        java -Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
    • Configure the jdk.TLSHandshake JFR event to get essential TLS information.
  • 17. An example of a ServerHello record captured in logs
        "ServerHello": {
          "server version"      : "TLSv1.2",
          "random"              : "8B9226A071E9418850BE24838F42FDAF7422A07FDE62CB7D510FBF59E8E88F78",
          "session id"          : "CF0AB2C10ED94F56C8FA0214E7BD2C378352E66D29543B321AB7878A72304E47",
          "cipher suite"        : "TLS_AES_128_GCM_SHA256(0x1301)",
          "compression methods" : "00",
          "extensions"          : [
            "supported_versions (43)": {
              "selected version": [TLSv1.3]
            },
            "key_share (51)": {
              "server_share": {
                "named group": x25519
                "key_exchange": {
                  0000: 60 36 B3 39 35 71 9F F0 16 93 1E 96 87 FB 65 6E  `6.95q........en
                  0010: 44 1B C6 D8 9B 67 83 52 85 D9 C0 00 FC D6 1D 24  D....g.R.......$
                }
              },
            }
          ]
        }
  • 18. Capture protocol details by enabling jdk.TLSHandshake
    Start a recording while jdk.TLSHandshake is enabled as well:
        java -XX:StartFlightRecording:settings=default,duration=60s,+jdk.TLSHandshake#enabled=true,+jdk.TLSHandshake#stackTrace=true
    Or switch the jdk.TLSHandshake options to true in the JFR configuration file by running the jfr configure command in a terminal window:
        jfr configure jdk.TLSHandshake#enabled=true jdk.TLSHandshake#stackTrace=true
  • 19. Local demo setup overview
    Running TicTacToe locally (Spring Boot application with JDK 22, Keystore, Truststore, Client Certificate); monitor with JDK tools.
    # local.ext file
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = localhost
    DNS.2 = springboot
    IP.1 = 127.0.0.1
  • 20. Inspect TLS handshakes with jcmd and JFR
        # start a recording (<lvmid> is the local JVM id shown by jcmd or jps)
        jcmd <lvmid> JFR.start duration=60s filename=/tmp/TLS.jfr
        # use the jfr print command
        $JAVA_HOME/bin/jfr print --events "TLS*" /tmp/TLS.jfr
        jdk.TLSHandshake {
          startTime = 12:55:27.396 (2024-03-03)
          peerHost = "google.com"
          peerPort = 443
          protocolVersion = "TLSv1.3"
          cipherSuite = "TLS_AES_128_GCM_SHA256"
          certificateId = 587815551
          eventThread = "tomcat-handler-15" (javaThreadId = 93, virtual)
          stackTrace = [
            sun.security.ssl.Finished.recordEvent(SSLSessionImpl) line: 1165
            sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(ServerHandshakeContext, ByteBuffer) line: 1138
            ...
          ]
        }
  • 21. Analysing X.509 Certificates
  • 22. Importance of X.509 certificates
    • Bind an identity to a public key using a digital signature.
    • Enable secure communication and transactions between two parties.
    • Establish trust based on a series of fields:
      • version
      • serial number
      • signature (algorithm ID and parameters)
      • issuer name
      • validity period
      • subject name
      • subject public key (and associated algorithm ID)
  • 23. View certificate details
        # use keytool to query certificates in the JDK truststore
        $JAVA_HOME/bin/keytool -cacerts -list -v
        # use keytool to query certificates in a keystore
        keytool -v -list -keystore /path/to/keystore
        # configure the debug system properties to print verbose X.509 certificate information
        java -Djava.security.debug=certpath -Djavax.net.debug=all
  • 24. Enable relevant details about X.509 certificates in JFR
        # switch the jdk.X509Certificate and jdk.X509Validation options to true in your JFR configuration file
        <event name="jdk.X509Certificate">
          <setting name="enabled">true</setting>
          <setting name="stackTrace">true</setting>
        </event>
        <event name="jdk.X509Validation">
          <setting name="enabled">true</setting>
          <setting name="stackTrace">true</setting>
        </event>
        # or run the jfr configure command in a terminal window
        $JAVA_HOME/bin/jfr configure jdk.X509Certificate#enabled=true jdk.X509Validation#enabled=true
        # or enable the options on application launch (each event setting is prefixed with +)
        java -XX:StartFlightRecording:settings=default,+jdk.X509Certificate#enabled=true,+jdk.X509Validation#enabled=true
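The deck keeps returning to the same precondition: the security event has to be enabled in the .jfc settings file before any recording will contain it, and slide 7 notes that the shipped default.jfc only enables jdk.InitialSecurityProperty. The POSIX shell script below is an added example (not part of the deck or the tictactoe demo project) that reads a .jfc in the XML layout of slide 24 and reports, for each of the six events from slide 7, whether it is enabled, disabled or absent; it then builds the space-separated jfr configure argument list from slide 12 for the ones that are not enabled. The .jfc fragment embedded here is constructed for the example; point the function at $JAVA_HOME/lib/jfr/default.jfc or your own settings file to check a real configuration.

```shell
#!/bin/sh
# Added example (not from the deck): report which JDK security events a .jfc
# configuration enables, and build the `jfr configure` arguments for the rest.

# The six JFR security events listed on slide 7.
SECURITY_EVENTS="jdk.InitialSecurityProperty jdk.SecurityPropertyModification jdk.SecurityProviderService jdk.TLSHandshake jdk.X509Certificate jdk.X509Validation"

# Constructed .jfc fragment in the format shown on slide 24 (not a real default.jfc).
SAMPLE_JFC='<?xml version="1.0" encoding="UTF-8"?>
<configuration version="2.0" label="Constructed sample">
  <event name="jdk.InitialSecurityProperty">
    <setting name="enabled">true</setting>
    <setting name="period">beginChunk</setting>
  </event>
  <event name="jdk.SecurityPropertyModification">
    <setting name="enabled">false</setting>
    <setting name="stackTrace">true</setting>
  </event>
  <event name="jdk.TLSHandshake">
    <setting name="enabled">true</setting>
    <setting name="stackTrace">true</setting>
  </event>
  <event name="jdk.X509Certificate">
    <setting name="enabled">false</setting>
  </event>
  <event name="jdk.X509Validation">
    <setting name="enabled">false</setting>
  </event>
  <event name="jdk.GarbageCollection">
    <setting name="enabled">true</setting>
  </event>
</configuration>'

# Reads a .jfc on stdin; prints "<event>=true|false|absent" for each security event.
jfc_security_status() {
  awk -v want="$SECURITY_EVENTS" '
    BEGIN { n = split(want, names, " "); for (i = 1; i <= n; i++) status[names[i]] = "absent" }
    /<event name="/ {
      # extract the value of the name attribute
      match($0, /name="[^"]*"/)
      ev = substr($0, RSTART + 6, RLENGTH - 7)
    }
    ev != "" && /<setting name="enabled">/ {
      v = $0
      sub(/.*<setting name="enabled">/, "", v)
      sub(/<\/setting>.*/, "", v)
      if (ev in status) status[ev] = v
    }
    /<\/event>/ { ev = "" }
    END { for (i = 1; i <= n; i++) print names[i] "=" status[names[i]] }
  '
}

# Turns the status report into the argument list for `jfr configure`
# (slide 12: one setting per argument, space separated) for every event not enabled.
jfc_fixup_args() {
  awk -F= '$2 != "true" { printf "%s%s#enabled=true", sep, $1; sep = " " } END { print "" }'
}

jfc_sample_status() { printf '%s\n' "$SAMPLE_JFC" | jfc_security_status; }
jfc_sample_fixups() { jfc_sample_status | jfc_fixup_args; }

# Example run over the constructed fragment:
#   jfc_security_status < "$JAVA_HOME/lib/jfr/default.jfc"   would do the same for a real file
jfc_sample_status
jfc_sample_fixups
```

The fixup line can be pasted straight after `$JAVA_HOME/bin/jfr configure`; jfr writes the result to a new settings file that you then pass via `settings=` on the launch flag.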
  • 25. Capture details on X.509 certificates with jcmd and JFR
    Run your application with the -XX:StartFlightRecording flag and have the jdk.X509Certificate and jdk.X509Validation options enabled.
    Execute a diagnostic command via jcmd (<lvmid> is the local JVM id shown by jcmd or jps):
        jcmd <lvmid> JFR.start duration=60s filename=/tmp/cert.jfr
    Show recorded details about X.509 Certificates:
        $JAVA_HOME/bin/jfr print --events jdk.X509Certificate /tmp/cert.jfr
  • 26. Example output of recorded details
        $JAVA_HOME/bin/jfr print --events "jdk.X509Certificate" /tmp/cert.jfr
        jdk.X509Certificate {
          startTime = 09:59:25.672 (2022-11-10)
          algorithm = "SHA1withRSA"
          serialNumber = "18dad19e267de8bb4a2158cdcc6b3b4a"
          subject = "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US"
          issuer = "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US"
          keyType = "RSA"
          keyLength = 2048
          certificateId = 303010488
          validFrom = 00:00:00.000 (2006-11-08)
          validUntil = 23:59:59.000 (2036-07-16)
          eventThread = "main" (javaThreadId = 1)
          stackTrace = [
            sun.security.jca.JCAUtil.tryCommitCertEvent(Certificate) line: 126
            java.security.cert.CertificateFactory.generateCertificate(InputStream) line: 356
            ...
          ]
        }
  • 27. Continuous Monitoring in the Cloud
  • 28. Streaming JFR events
    JDK Flight Recorder provides rich, structured data and API support for event streams.
    Until JDK 16, developers could monitor a Java process on a remote host and control what is recorded via JDK Mission Control.
    Since JDK 16, you can transfer recorded events programmatically, as they occur, over the network using javax.management.MBeanServerConnection.
  • 29. Monitor a remote host using an MBeanServerConnection
        import javax.management.MBeanServerConnection;
        import javax.management.remote.JMXConnector;
        import javax.management.remote.JMXConnectorFactory;
        import javax.management.remote.JMXServiceURL;
        import jdk.management.jfr.RemoteRecordingStream;

        String host = "com.example";
        int port = 7091;
        String url = "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi";
        JMXServiceURL u = new JMXServiceURL(url);
        JMXConnector c = JMXConnectorFactory.connect(u);
        MBeanServerConnection connection = c.getMBeanServerConnection();
        try (RemoteRecordingStream stream = new RemoteRecordingStream(connection)) {
            // enable the event on the remote JVM and ask for stack traces
            stream.enable("jdk.X509Certificate").withStackTrace();
            // print every recorded certificate event as it arrives
            stream.onEvent("jdk.X509Certificate", System.out::println);
            stream.start();
        }
  • 30. Stream JFR events actively and within process
        import java.io.IOException;
        import io.micrometer.core.instrument.Gauge;
        import io.micrometer.core.instrument.Metrics;
        import io.micrometer.core.instrument.composite.CompositeMeterRegistry;
        import jdk.jfr.consumer.EventStream;

        CompositeMeterRegistry metricsRegistry = Metrics.globalRegistry;
        // open a stream on this JVM's own disk repository
        try (var es = EventStream.openRepository()) {
            es.onEvent("jdk.X509Validation", recordedEvent -> {
                Gauge.builder("jdk.X509Validation", recordedEvent, e -> e.getLong("validationCounter"))
                     .description("X509 Certificate Validation Counter")
                     .register(metricsRegistry);
            });
            es.start();
        } catch (IOException e) {
            throw new RuntimeException("Couldn't process event", e);
        }
  • 31. Evolving the demo setup
    Run podman compose with TicTacToe in an Oracle Cloud Instance; monitor with JDK tools.
    Components: Spring Boot application with JDK 22, Keystore, Player, Monitoring tool (Prometheus), Configuration, Volumes, Java Management Service.
  • 32. Java Management Service (JMS)
    Oracle Cloud service that helps manage and reduce the total cost of ownership of Java deployments running on-premise (desktop, laptop, server) or in the cloud (OCI and non-OCI clouds).
    • Visibility: discover, manage and patch your Java deployments across the enterprise.
    • Insight: telemetry data from the JVM to analyze configuration, security, performance, compliance, and efficiency.
    • Automation: Security Analysis, Migration Analysis, Optimizing JVM tuning.
  • 33. Let's play and observe!
  • 34. Stay tuned for more! Inside.java, Dev.java, youtube.com/java
  • 35. Useful links
    • Monitoring Java Application Security with JDK tools and JFR Events: https://dev.java/learn/security/monitor/
    • Stack Walker ep 2 on JFR: https://inside.java/2023/05/14/stackwalker-02/
    • Continuous monitoring with JDK Flight Recorder: https://www.infoq.com/presentations/monitoring-jdk-jfr/
    • Code used during demo: https://github.com/ammbra/tictactoe
    • OCI Instance installation: https://www.anamihalceanu.com/post/building-a-cloud-compute-instance-with-java-concepts
    • Compose files in OCI: https://docs.oracle.com/en/learn/podman-compose/index.html#confirm-podman-compose-is-working
    • More articles on Java Management Service: https://inside.java/tag/cloud
    • Gunnar Morling's article on custom JFR events: https://www.morling.dev/blog/rest-api-monitoring-with-custom-jdk-flight-recorder-events/