Friday, July 29, 2016

How to view your JVM default settings


cat Test.java 

public class Test {
   public static void main(String[] args) {
        for (;;) {
        }

   } 

}


javac Test.java
java -XX:+PrintCommandLineFlags Test
you should get something like this:
-XX:InitialHeapSize=67108864 -XX:MaxHeapSize=1073741824 -XX:+PrintCommandLineFlags -XX:+UseParallelGC

Monday, July 25, 2016

TLS v1.2 support in Java 6

According to Oracle Doc:
JDK 6 release supports TLS v1. See:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
JDK 6 supports TLS 1.1 as well since JDK 6u111.
http://www.oracle.com/technetwork/java/javase/overview-156328.html#R160_111
JDK 7 release supports TLS v1, TLS v1.1 and TLS v1.2. See:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

In fact, TLS 1.2 is available in Java 6: "TLS v1.2 is now a TLS protocol option with the release of JDK 6u121" or maybe even in 6u115 b32 (copy and paste issue?)
http://www.oracle.com/technetwork/java/javase/overview-156328.html
enabled with -Djdk.tls.client.protocols="TLSv1.2"

To test if you have TLSv1.2 support:
import javax.net.ssl.SSLContext;

public class TLSTest  {
        public static void main(String[] args) throws Exception {
                System.out.println("before TLSv1.1");
                // getInstance throws NoSuchAlgorithmException if the protocol is not available
                SSLContext ctx = SSLContext.getInstance("TLSv1.1");
                System.out.println("before TLSv1.2");
                ctx = SSLContext.getInstance("TLSv1.2");
                System.out.println("after");
        }

}

and run with
java -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" TLSTest

if you get "Exception in thread "main" java.security.NoSuchAlgorithmException: TLSv1.2 SSLContext not available" then you are screwed.


Which Cipher Suites your JVM supports

"SunJSSE supports a large number of ciphersuites" http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
1) WLS 11g (WLS 10.3.6) uses JSSE and runs on Java SE 6
2) JSSE java 6  http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
3) WLS 10.3.6 ciphers: http://docs.oracle.com/cd/E28280_01/web.1111/e13707/ssl.htm#BABBDACC

The classification of the different bits (TLS_DHE_RSA_WITH_AES_128_CBC_SHA) is as follows:
TLS vs SSL
RSA vs ECDH vs ECDHE vs DHE vs KRB5
ECDSA vs RSA
RC4 vs 3DES vs DES vs AES
EDE vs CBC
SHA vs MD5

Set "-Dssl.debug=true -Djavax.net.debug=ssl -Dweblogic.log.StdoutSeverity=Debug" then search for the statement
SSLEngine.setEnabledCipherSuites
to see which Ciphers are actually ENABLED (not only supported).
See also http://stackoverflow.com/questions/10487962/java-cipher-suites
There is a property https.cipherSuites , and a SSLSocket.setEnabledCipherSuites()/SSLEngine.setEnabledCipherSuites() method.
See also MOS document "How to Verify the Sun JSSE Cipher Suites Available to WebLogic Server (11g/12c) (Doc ID 2052237.1)"
suggesting to enable these flags
 -Dweblogic.debug.DebugSecuritySSL=true
 -Djavax.net.SSL=true
 -Djava.debug=SSL
 -Djavax.net.debug=all
 -Dssl.debug=true
 -Dweblogic.StdoutDebugEnabled=true
 -Dweblogic.log.LogSeverity=Debug
 -Dweblogic.log.LoggerSeverity=Debug
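
The two checks above (which protocol versions the JVM offers, and which cipher suites are enabled rather than only supported) can also be read directly from the JSSE API without debug logging. The following is an added example, not code from the original post or from Oracle; the class name CipherSuiteReport and the describe helper are made up for illustration, and it reports the JVM's default SSLContext, not any WebLogic-specific SSL configuration.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name); uses Java 6 compatible syntax.
public class CipherSuiteReport {

    // Splits e.g. TLS_DHE_RSA_WITH_AES_128_CBC_SHA into its parts.
    static String describe(String suite) {
        int first = suite.indexOf('_');
        int with = suite.indexOf("_WITH_");
        if (with <= first) {
            // No key-exchange part, e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
            // the RFC 5746 signalling value, which is not a real cipher suite.
            return "(no _WITH_ part)";
        }
        String rest = suite.substring(with + "_WITH_".length());
        int last = rest.lastIndexOf('_');
        if (last < 0) {
            return "(unrecognised layout)";
        }
        return "prefix=" + suite.substring(0, first)
            + " kx/auth=" + suite.substring(first + 1, with)
            + " cipher=" + rest.substring(0, last)
            + " hash=" + rest.substring(last + 1);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        Set<String> on = new LinkedHashSet<String>(Arrays.asList(enabled.getCipherSuites()));

        System.out.println("Supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled protocols:   " + Arrays.toString(enabled.getProtocols()));
        for (String suite : supported.getCipherSuites()) {
            String state = on.contains(suite) ? "ENABLED  " : "supported";
            System.out.println(state + " " + suite + " " + describe(suite));
        }
    }
}
```

A suite listed only as supported can still be negotiated if the application calls setEnabledCipherSuites() with it, so compare this output with the server's own SSL configuration.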


Sunday, July 24, 2016

SSL TLS renegotiation, RFC 5746

Generalities:
https://devcentral.f5.com/articles/ssl-profiles-part-6-ssl-renegotiation

Oracle technical details on the famous RFC 5746; here is the mythical JSSE Ref Guide (something every human should read):
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#tlsRenegotiation

More explanations
http://security.stackexchange.com/a/24569/118343



Other tags: no_renegotiation handshake_failure

Saturday, July 23, 2016

EJB Timer stops working in WLS 12.1.3 after an exception occurs

On Version: WebLogic Server 12.1.3.0.0, Java 1.7.0_51

package com.pierre.timertest;

import javax.ejb.Schedule;
import javax.ejb.Stateless;
import javax.ejb.Timer;

@Stateless
public class TimerTestEJB {
    public static int count = 0;

    /**
     * Default constructor.
     */
    public TimerTestEJB() {
        // TODO Auto-generated constructor stub
    }

    @SuppressWarnings("unused")
    @Schedule(second="*/10", minute="*", hour="*", dayOfWeek="*",
        dayOfMonth="*", month="*", year="*", info="MyTimer")
    private void scheduledTimeout(final Timer t) {
        count++;
        System.out.println("@Schedule called at: " + new java.util.Date() + " count=" + count);
        if (count == 5) {
            System.out.println("@Schedule count = 5, throwing Exception");
            throw new Error("@Schedule count = 5");
        }
    }
}



This funnily will still work for count=6, then stop.

Luckily the bug has been fixed (god bless oracle engineers), see

Oracle WebLogic Server Patch Set Update 12.1.3.0.160719 Fixed Bugs List (Doc ID 2162294.1)

19689036 12.1.3.0.160719 Timer EJB will stop when timer expiration is success and previous timer expiration is failed.

Patch 19689036: NON-PERSISTENT CALENDAR-BASED TIMER IS CANCELED IF CALLBACK METHOD THROWS SYSTEM

In reality even PERSISTENT timers fail...in fact by default @Schedule creates a persistent timer, and also adding persistent=true doesn't fix the issue.
I downloaded p19689036_121300_Generic.zip, extracted the weblogic\ejb\container\timer\TimerImpl.class, put it in a JAR that I prepended to the WLS classpath, and now the timer keeps working even after the Error occurs.... awesome! (PS: I am too lazy to properly apply the patch with opatch...)


Here http://docs.oracle.com/cd/E14571_01/web.1111/e13719/implementing.htm#EJBPG213 they mention: weblogic.ejb.WLTimerInfo (there is a maxRetryAttempts) and "Configuring Automatic Retry of Container-Managed Transactions" ... this could keep you going even without applying the patch...



Sunday, July 17, 2016

JVM Parameters made easy

I have been dreaming for many years of setting up such a tool:
http://jvmmemory.com/
to provide a guided wizard to configure all aspects of JVM.... good to see that it's already there! Great job!


Saturday, July 16, 2016

Learning Java Security and JCA

Excellent working examples here http://www.java2s.com/Code/Java/Security/CatalogSecurity.htm

JCA Tutorial http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html



Debugging http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

Read the content of the D:\Program Files\Java\jdk1.8.0_31\jre\lib\security\java.security file, it's very educational.
important properties:
-Djava.security.properties=


Read more:
https://en.wikipedia.org/wiki/X.509
https://en.wikipedia.org/wiki/Certification_path_validation_algorithm
https://en.wikipedia.org/wiki/Root_certificate
https://en.wikipedia.org/wiki/Public_key_certificate
https://en.wikipedia.org/wiki/Certificate_authority



How to educate yourself to be a Java Performance Engineer

Here are some articles that I found interesting and relevant:

https://en.wikipedia.org/wiki/Software_performance_testing
https://en.wikipedia.org/wiki/Stress_testing_(software)
https://en.wikipedia.org/wiki/Software_testing
 
http://www.slideshare.net/guru__123/loadrunner-presentation-5204243

http://www.correlsense.com/java-bytecode-instrumentation-an-introduction/
https://docs.oracle.com/javase/7/docs/api/java/lang/instrument/Instrumentation.html
https://docs.oracle.com/javase/7/docs/api/java/lang/instrument/package-summary.html

https://docs.oracle.com/javase/specs/jvms/se7/html/index.html
http://www.artima.com/insidejvm/ed2/jvm2.html
http://blog.jamesdbloom.com/JVMInternals.html

https://en.wikipedia.org/wiki/Java_class_file

https://docs.oracle.com/javase/8/docs/technotes/guides/vm/gctuning/

http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/gc01/index.html