Monitoring Java Application Security with JDK Tools and JFR Events.pdf

Ana-Maria Mihalceanu
Senior Developer Advocate
Monitoring Java Application Security
with JDK Tools and JFR Events

Java Champion Alumni
Senior Developer Advocate at Oracle
Twitter: @ammbra1508
Mastodon: @ammbra1508.mastondon.social
Ana-Maria Mihalceanu
Hello! I am Ana
2 Java Day Copyright © 2024, Oracle and/or its affiliates

Agenda
• JFR Security Events Overview
• Observing JDK Security Properties
• Monitoring TLS Protocol
• Analysing X.509 certificates
• Continuous Monitoring in the Cloud
Java Day Copyright © 2024, Oracle and/or its affiliates
3

Goal
Learn how JDK Flight Recorder, JDK Mission
Control and JFR Security Events can help
monitoring security of your Java application so
that you can detect potential safety risks.
4

JFR Security Events Overview
5

JDK Flight Recorder(JFR) Events
• When running a Java application, JFR can collect events that occur in the JVM.
• JFR Events express the state of the application and underlying JVM.
• For profiling, store event data in a .jfr file.
6
Event
ID
Timestamp Duration
Thread
ID
Stack
Trace ID
Event Specific Payload
JFR Event Components

JDK Flight Recorder(JFR) Security Events
NAME GOAL BACKPORTED
TO
ENABLED BY
DEFAULT*
jdk.InitialSecurityProperty For insights on initial JDK security
properties.
Oracle JDK 17.0.7
and 11.0.20
Yes
jdk.SecurityPropertyModification Records Security.setProperty(Strin
g key, String value) calls.
Oracle JDK 11.0.5
and 8u231
No
jdk.SecurityProviderService Records service provider method
invocations.
JDK 17.0.8, 11.0.22
and 8u391
No
jdk.TLSHandshake Keeps track of TLS handshake activity. Oracle JDK 11.0.5
and 8u231
No
jdk.X509Certificate Records details of X.509 Certificates. Oracle JDK 11.0.5
and 8u231
No
jdk.X509Validation Records details of X.509 certificates
negotiated in successful X.509 validation.
Oracle JDK 11.0.5
and 8u231
No
* In default.jfc and profile.jfc shipped within a JDK

Observing JDK Security Properties
8

Ways to observe initial security properties
• Initial security properties set statically in the $JAVA_HOME/conf/security file.
• Dynamically set security properties via java.security.Security methods.
• Print the initial security properties
java -Djava.security.debug=properties
• Record jdk.InitialSecurityProperty JFR event
• Enable JFR recording java -XX:StartFlightRecording:settings=default,duration=60s
• Or start a flight recording by connecting to the running application from JDK Mission Control
9

How to trace security properties
changes?
10

Have jdk.SecurityPropertyModification enabled in JFR configuration.
$JAVA_HOME/bin/jfr configure jdk.SecurityPropertyModification#enabled=true
Start a JFR recording when launching the application.
java -XX:StartFlightRecording:settings=default,duration=60s
Inspect the recording with jcmd or JDK Mission Control.
Complete view of changes over JDK security properties

Extra tips to observe security properties
• Configure more JFR events by adding a space between each setting
$JAVA_HOME/bin/jfr configure event1#enabled=true event2#enabled=false
• Setup jdk.SecurityPropertyModification when launching the JVM
java -XX:StartFlightRecording:settings=default,duration=60s,+jdk.SecurityPropertyModification#enabled=true
• Set more JFR events when launching the JVM, separated by comma
java -XX:StartFlightRecording:settings=default,duration=60s,+event1#enabled=true,+event2#enabled=false
• Configure each JFR event from JDK Mission Control (JMC)
• Create a connection to a running JVM (-XX:StartFlightRecording is not mandatory in this scenario)
• In JMC menu, select File > Connection... > [Select one running JVM] > Start Flight Recording
• Configure each JDK Security event
• Inspect the evolution of captured events in JMC
• Event Browser > Java Development Kit > Security
12

13

Monitoring TLS Protocol
14

Confidentiality: protect sensitive data/information from unauthorized users.
encryption/decryption
Authenticity: ability to identify a user/system before communicating information.
certificate authorities/digital certificates
Message integrity: identify the unauthorized modification of data during transit.
message digests/signing
Why is SSL/TLS important?

Capture TLS protocol information
• Use a network protocol analyzer tool.
• Attach the tool to the network interface where the JVM communicates.
• Look for "Server Hello" record to determine TLS version used on a particular socket.
• A Java developer friendly way: inspect debug logs.
java -Djavax.net.debug=ssl:handshake
• Get more filtered logging via:
java -Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
• Configure jdk.TLSHandshake JFR event to get essential TLS information.
16

"ServerHello": {
"server version" : "TLSv1.2",
"random" : "8B9226A071E9418850BE24838F42FDAF7422A07FDE62CB7D510FBF59E8E88F78",
"session id" : "CF0AB2C10ED94F56C8FA0214E7BD2C378352E66D29543B321AB7878A72304E47",
"cipher suite" : "TLS_AES_128_GCM_SHA256(0x1301)",
"compression methods" : "00",
"extensions" : [
"supported_versions (43)": {
"selected version": [TLSv1.3]
},
"key_share (51)": {
"server_share": {
"named group": x25519
"key_exchange": {
0000: 60 36 B3 39 35 71 9F F0 16 93 1E 96 87 FB 65 6E `6.95q........en
0010: 44 1B C6 D8 9B 67 83 52 85 D9 C0 00 FC D6 1D 24 D....g.R.......$
}
},
}
]
}
An example of a ServerHello record captured in logs

Start a recording while jdk.TLSHandshake is enabled as well.
java -XX:StartFlightRecording:settings=default,duration=60s,
+jdk.TLSHandshake#enabled=true,+jdk.TLSHandshake#stackTrace=true
Switch jdk.TLSHandshake options to true in JFR configuration file.
Run jfr configure command in a terminal window.
jfr configure jdk.TLSHandshake#enabled=true jdk.TLSHandshake#stackTrace=true
Capture protocol details by enabling jdk.TLSHandshake

Local demo setup overview
Running TicTacToe locally
Monitor with JDK tools
Spring Boot application
with JDK 22
Keystore
Truststore
Client Certificate
#local.ext file
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = springboot
IP.1 = 127.0.0.1

# start a recording
jcmd llvmid JFR.start duration=60s filename=/tmp/TLS.jfr
# use jfr print command
$JAVA_HOME/bin/jfr print --events "TLS*" /tmp/TLS.jfr
jdk.TLSHandshake {
startTime = 12:55:27.396 (2024-03-03)
peerHost = "google.com"
peerPort = 443
protocolVersion = "TLSv1.3"
cipherSuite = "TLS_AES_128_GCM_SHA256"
certificateId = 587815551
eventThread = "tomcat-handler-15" (javaThreadId = 93, virtual)
stackTrace = [
sun.security.ssl.Finished.recordEvent(SSLSessionImpl) line: 1165
sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(ServerHandshakeContext, ByteBuffer) line: 1138
...
]
}
Inspect TLS handshakes with jcmd and JFR

Analysing X.509 Certificates
21

Importance of X.509 certificates
• Bind an identity to a public key using a digital signature.
• Enable secure communication and transaction between two parties.
• Establish trust based on a series of fields:
• version
• serial number
• signature (algorithm ID and parameters)
• issuer name
• validity period
• subject name
• subject public key (and associated algorithm ID)
22

# use keytool to query certificates in JDK truststore
$JAVA_HOME/bin/keytool -cacerts -list –v
# use keytool to query certificates in a keystore
keytool -v -list -keystore /path/to/keystore
# configure the debug system properties to print verbose X.509 certificate information
java -Djava.security.debug=certpath -Djavax.net.debug=all
View certificate details

# switch the jdk.X509Certificate and jdk.X509Validation options to true in your JFR configuration file
<event name="jdk.X509Certificate">
<setting name="enabled">true</setting>
<setting name="stackTrace">true</setting>
</event>
<event name="jdk.X509Validation">
<setting name="enabled">true</setting>
<setting name="stackTrace">true</setting>
</event>
# or run jfr configure command in a terminal window
$JAVA_HOME/bin/jfr configure jdk.X509Certificate#enabled=true jdk.X509Validation#enabled=true
# or enable the options on application launch
java -XX:StartFlightRecording:settings=default,jdk.X509Certificate#enabled=true,+jdk.X509Validation#enabled=true
Enable relevant details about X.509 certificates in JFR

Show recorded details about X.509 Certificates.
$JAVA_HOME/bin/jfr print --events jdk.X509Certificate /tmp/cert.jfr
Run your application with -XX:StartFlightRecording flag and have
jdk.X509Certificate and jdk.X509Validation options enabled.
Execute a diagnostic command via jcmd.
jcmd llvmid JFR.start duration=60s filename=/tmp/cert.jfr
Capture details on X.509 certificates with jcmd and JFR

$JAVA_HOME/bin/jfr print --events “jdk.X509Certificate” /tmp/cert.jfr
jdk.X509Certificate {
startTime = 09:59:25.672 (2022-11-10)
algorithm = "SHA1withRSA"
serialNumber = "18dad19e267de8bb4a2158cdcc6b3b4a"
subject = "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For
authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US"
issuer = "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For
authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US"
keyType = "RSA"
keyLength = 2048
certificateId = 303010488
validFrom = 00:00:00.000 (2006-11-08)
validUntil = 23:59:59.000 (2036-07-16)
eventThread = "main" (javaThreadId = 1)
stackTrace = [
sun.security.jca.JCAUtil.tryCommitCertEvent(Certificate) line: 126
java.security.cert.CertificateFactory.generateCertificate(InputStream) line: 356
...
]
}
Example output of recorded details

Continuous Monitoring in the Cloud
27

JDK Flight Recorder provides rich, structured data, and API support to event streams.
Until JDK 16, developers could monitor a Java process on a remote host and control
what is recorded via JDK Mission Control.
Since JDK 16, you can transfer recorded events programmatically, as they occur, over
the network using javax.management.MBeanServerConnection.
Streaming JFR events

String host = "com.example";
int port = 7091;
String url = "service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi";
JMXServiceURL u = new JMXServiceURL(url);
JMXConnector c = JMXConnectorFactory.connect(u);
MBeanServerConnection connection = c.getMBeanServerConnection();
try (RemoteRecordingStream stream = new RemoteRecordingStream(connection)) {
stream.enabled("jdk.X509Certificate").withStackTrace();
stream.onEvent("jdk.X509Certificate", System.out::println),
stream.start();
}
Monitor a remote host using a MBeanServerConnection

CompositeMeterRegistry metricsRegistry = Metrics.globalRegistry;
try (var es = EventStream.openRepository()) {
es.onEvent("jdk.X509Validation", recordedEvent -> {
Gauge.builder("jdk.X509Validation", recordedEvent, e -> e.getLong("validationCounter"))
.description("X509 Certificate Validation Counter").register(metricsRegistry);
});
es.start();
} catch (IOException e) {
throw new RuntimeException("Couldn't process event", e);
}
Stream JFR events actively and within process

Evolving the demo setup
Oracle Cloud
Run podman compose with TicTacToe in Oracle Cloud Instance
Monitor with JDK tools
Spring Boot application
with JDK 22 Keystore
Player
Monitoring tool
(Prometheus) Configuration
Volume
Volume
Java Management Service

Oracle Cloud service that helps manage and reduce total cost of ownership of Java deployments
running on-premise (desktop, laptop, server) or in the cloud (OCI and non-OCI clouds).
Visibility
Discover, manage and patch
your Java deployments
across the enterprise
Insight
Telemetry data from the
JVM to analyze
configuration, security,
performance, compliance,
and efficiency
Automation
Security Analysis
Migration Analysis
Optimizing JVM tuning
Java Management Service (JMS)

Let’s play and observe!
33

Stay tuned for more!
34
Inside.java
Dev.java youtube.com/java

Useful links
• Monitoring Java Application Security with JDK tools and JFR Events: https://dev.java/learn/security/monitor/
• Stack Walker ep 2 on JFR https://inside.java/2023/05/14/stackwalker-02/
• Continuous monitoring with JDK Flight Recorder: https://www.infoq.com/presentations/monitoring-jdk-jfr/
• Code used during demo: https://github.com/ammbra/tictactoe
• OCI Instance installation: https://www.anamihalceanu.com/post/building-a-cloud-compute-instance-with-java-concepts
• Compose files in OCI: https://docs.oracle.com/en/learn/podman-compose/index.html#confirm-podman-compose-is-working
• More articles on Java Management Service: https://inside.java/tag/cloud
• Gunnar Morling’s article on custom JFR events: https://www.morling.dev/blog/rest-api-monitoring-with-custom-jdk-flight-
recorder-events/
35

Monitoring Java Application Security with JDK Tools and JFR Events.pdf

More Related Content

Similar to Monitoring Java Application Security with JDK Tools and JFR Events.pdf (20)

More from Ana-Maria Mihalceanu (20)

Recently uploaded (20)

Monitoring Java Application Security with JDK Tools and JFR Events.pdf