Advanced Features

Advanced features help you to gain additional insights into Java workloads in the enterprise.

JMS administrators can now:

On desktops, servers, or cloud deployments covered by an Oracle Java SE subscription, Java SE Desktop subscription, or when running on an Oracle Cloud Infrastructure service that permits access to the underlying operating system.

Note

  • Use the following Java releases to execute Advanced features other than Java Runtime Lifecycle Management on Java workloads:

    • Oracle Java 8 releases; version 1.8.0_361 or later
    • All Oracle and OpenJDK releases of Java 11 and later versions
  • On Windows managed instances, Advanced Features other than Lifecycle Management will only work on Java applications, application servers, and other programs that are being run with administrator privileges.
  • To use Advanced Features, you must have the following agent versions installed on your hosts:
    • On premises: Management agent 221111.1439 or later, which is running on Java 1.8.0_361 or later
    • OCI: Oracle Cloud Agent 1.30.0 or later
  • To run crypto analysis or JDK Flight Recorder on an application that's running Oracle JDK 8, use the parameter -XX:+UnlockCommercialFeatures when you invoke the application.

Enabling Advanced Features

You can enable the advanced features while:
  1. Create Fleet

    In the Advanced features section, you can either choose all options by using the Select all advanced features checkbox or select individual options.

  2. Fleet Tabs
    • Click the Edit properties tab.
    • In the Advanced features section, you can either select all options by using the Select all advanced features checkbox or select individual options.
  3. Click Agree in the Acknowledgment dialog.
  4. JMS creates:
    In the root compartment:
    • Dynamic groups:
      • JMS_Advanced_Features_INSTANCE_PRINCIPALS_GROUP

        With Rule 1:

        ANY {instance.compartment.id='<fleet_compartment_ocid>'}
      • JMS_Advanced_Features_MACS_GROUP

        With Rule 1:

        ALL { resource.type='managementagent', resource.compartment.id='<fleet_compartment_ocid>' }
    In the compartment that contains the fleet:
    • Object storage bucket jms_<fleet_OCID>
    • Policies
      ALLOW dynamic-group JMS_Advanced_Features_INSTANCE_PRINCIPALS_GROUP to MANAGE object-family in compartment Fleet_Compartment
      ALLOW dynamic-group JMS_Advanced_Features_MACS_GROUP to MANAGE objects in compartment Fleet_Compartment
      ALLOW service javamanagementservice to MANAGE object-family in compartment Fleet_Compartment
    • Crypto log object <fleet_name>_Crypto_log
    Note

    The crypto log object is created only when you enable the Crypto Event Analysis.
  5. Click Save changes.
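To review what the generated policies grant, the statements listed in step 4 can be parsed and checked for a where condition. This is an added example, not code from JMS or Oracle; the parser covers only the statement shape shown on this page, and the SCOPED statement with its bucket name jms_example is constructed for comparison.

```python
import re

# Statements copied from this page; Fleet_Compartment is the page's placeholder name.
JMS_POLICIES = [
    "ALLOW dynamic-group JMS_Advanced_Features_INSTANCE_PRINCIPALS_GROUP to MANAGE object-family in compartment Fleet_Compartment",
    "ALLOW dynamic-group JMS_Advanced_Features_MACS_GROUP to MANAGE objects in compartment Fleet_Compartment",
    "ALLOW service javamanagementservice to MANAGE object-family in compartment Fleet_Compartment",
]

# Constructed comparison statement (not created by JMS): same grant with a bucket condition.
SCOPED = ("ALLOW dynamic-group JMS_Advanced_Features_MACS_GROUP to MANAGE objects "
          "in compartment Fleet_Compartment where target.bucket.name='jms_example'")

STATEMENT = re.compile(
    r"^allow\s+(?P<subject_type>dynamic-group|group|service)\s+(?P<subject>\S+)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+"
    r"in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)


def parse(statement):
    """Split one policy statement into subject, verb, resource, scope and condition."""
    match = STATEMENT.match(statement.strip())
    if match is None:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    fields = match.groupdict()
    fields["verb"] = fields["verb"].lower()
    return fields


def review(statements):
    """Parse each statement and mark 'manage' grants that carry no where condition."""
    rows = []
    for statement in statements:
        fields = parse(statement)
        fields["unconditioned_manage"] = (
            fields["verb"] == "manage" and fields["condition"] is None
        )
        rows.append(fields)
    return rows


if __name__ == "__main__":
    for row in review(JMS_POLICIES + [SCOPED]):
        print(row["subject"], row["verb"], row["resource"], row["scope"],
              "| no condition" if row["unconditioned_manage"] else "| " + str(row["condition"]))
```

All three generated statements are reported as manage with no condition, so they apply to every bucket in the fleet compartment rather than only jms_<fleet_OCID>.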

Java Runtime Lifecycle Management

To enable Java Runtime Lifecycle Management operations in your fleet, see Enabling Advanced Features. As part of Lifecycle Management, you can install and delete Java runtimes. In addition, you can configure post Java installation actions.

Lifecycle management operations aren't available for OpenJDK runtimes.

Note

You must have the management agent software version 221111.1439 or later installed on your hosts in order to use this feature.

The Lifecycle Management operations Install a Java Runtime and Remove a Java Runtime are available to you from the Java Runtimes table, and from your managed instance table.

Install a Java Runtime

You can install a Java runtime on your fleet as part of fleet maintenance.
Note

The minimum free space requirement for the installation folder is 500MB. The space is needed to support the uncompressed Java download files, including the installer file. The agent will perform the free space check before carrying out the installation and will fail the operation if there isn't enough space in the managed instance. It takes approximately 30 minutes for the new Java Runtime to be available, even though the message indicates that it's available.

Installing a Java runtime comprises:

Select Java Runtime

Select the required Java version and install.

  1. To install a new Java runtime:
    1. In the fleet details page, click Install Java runtime. This will install Java runtimes in all managed instances of the fleet.
    2. From the managed instances table, select one or more managed instances and click Install Java runtime. This will install Java runtimes in the selected managed instances.
      Note

      If you haven't enabled JMS advanced features in your fleet, then enable the advanced features to complete the operation. To enable advanced features in your fleet, select Edit properties from the fleet details page, and select Enable advance features.
  2. View the Java runtime window, which has two sections, Current releases and Archive releases. The Archive releases section shows the non-current versions of JRE and JDK to help you debug issues in older systems. Non-current versions aren’t updated with the latest security patches, and you shouldn't use them in production. Both sections provide the following information:
    • Release version
    • Security state
    • Release date
    • End of service life
    • Release notes
  3. From the Current releases or Archive sections, select a version to install.
    Note

    The Oracle Java runtimes downloaded for you by the JMS advanced features are downloaded under your Java SE subscription terms when running on systems covered by an Oracle Java SE Subscription or Java SE Desktop Subscription. When running on an Oracle Cloud Infrastructure service that permits access to the underlying operating system, the Oracle Java runtimes are downloaded under the terms of your Oracle Cloud Infrastructure Cloud Service agreement.
  4. Click Next.

The Select post-installation actions panel is enabled.

Select Java Post Installation Actions

Select the post installation actions and modify, if required. The post Java installation actions get executed ONLY when the Java installation is successful.

Note

Post installation actions are executed as a separate command after a successful Java installation. Hence, there will be a delay in applying post installation actions to the Java installation. This delay depends on the Agent polling interval in Management Agent Settings.

To execute Java post installation actions:

  1. You can review the Action(s) that you had configured in Post Installation Actions.
  2. Click Install Java runtime. A Work Request is created for JMS by this operation. The progress or status of this operation can be viewed from the Work Request module.

After successful installation, you can view your new Java installation from the Java runtime table.

Remove a Java Runtime

You can delete Java runtimes from a fleet as part of your fleet maintenance.

Note

JMS removes the entire JDK or JRE folder when you delete a Java runtime. Back up any files that you need to keep before you start the delete process.

JMS displays applications that were launched during the time-frame selected. There could be running applications still using the runtime at the time of initiating a delete operation.

Follow either of the following steps to delete a Java runtime:
  1. Select one or more Java runtimes from the Java runtimes panel.

    The Delete button is enabled only if one or more eligible runtimes are selected. Checkboxes aren't enabled for OpenJDK runtimes.

    1. Click Delete and the Delete Java runtimes summary window opens. You'll see a message with an archives link to the Oracle Java Runtime Download. You'll also see a Summary table that lists the affected resources, including:
      • Applications: By default, it's sorted by applications, so that the runtimes are presented in the order of least invoked to most invoked in the timeframe selected.
      • Runtime version: Click to open the Details page in a new window.
      • Managed Instances
      • Installations
    2. If you don't want to proceed with the delete operation, click the Cancel button.
    3. Click Delete to proceed with the deletion of the selected runtimes. A work request will be created by JMS for this operation. The progress or status of the operation can be viewed from the Work Request module.
  2. Click the Managed instances panel.
    1. Select the required managed instance.
    2. In the Java runtimes installations table, select the Java runtime paths and click Delete.
    3. In the Delete Java runtime installations panel, review the Summary and click Delete.

Advanced Usage Tracking

To enable Advanced Usage Tracking operations in your fleet, see Enabling Advanced Features. Advanced usage tracking allows you to monitor the usage of Java servers, OpenJDK, and Java libraries in a fleet.

Advanced usage tracking enables you to:

  • View details about the Java servers associated with a fleet. This includes the applications deployed on the Java server, and the managed server and managed instances on which the Java server is deployed.
  • Detect libraries and their associated Common Vulnerability Scoring System (CVSS) scores as reported by the National Vulnerability Database.

Enabling Advanced usage tracking will activate:

When you initiate the scans, the agent will find the Java servers and Java libraries in the fleet respectively. JMS will report the servers and libraries used by managed instances when their respective management agents receive the scan request.

Scan for Java Servers

Advanced usage tracking detects WebLogic, JBoss, and Tomcat Java servers in the fleet. JMS can detect the following versions of Java servers:
  • WebLogic versions 14.1.1.0.0, 12.2.1.4.0
  • JBoss versions 7.0 to 7.4
  • Tomcat versions 8.5 to 10

To optimize resources, the agent performs the scan only when initiated. The agents detect the Java servers and their versions in each managed instance at the time they receive this request, and report them to JMS.

You can initiate the scan from either:

  • Fleet details page: In the Fleet details panel, click More actions and then Scan for Java servers. Click Scan in the Scan for Java servers dialog. JMS will initiate the scan for Java servers in all managed instances that are part of that fleet.

    OR

  • Managed instances table: In the Resources section in the Fleet details page, click Managed instances. Select the managed instances for which you need the Java server usage information. Click Actions and then Scan for Java servers. Click Scan in the Scan for Java servers dialog. JMS will initiate the scan for Java servers in the selected managed instances.

You can view the progress or status of the operation from the Work request module.

See Java Servers panel and Java Server Details to review the results of the Scan for Java servers.

Scan for Java Libraries

Advanced usage tracking detects libraries associated with both Application and Deployed Application in the fleet, and provides security vulnerability information, if any. It can detect usage associated with both Oracle JDK and OpenJDK distributions.

The Java libraries are scanned using static analysis, which does not identify dynamically loaded libraries. The static scan:

  1. Gets all the jars from the class path (obtained from system properties). The class path scanning depends on the include and exclude path that is configured in agent settings.
  2. Reads the manifests of all jars in the class path to load all possible dependencies
  3. Reads the pom file to get the first level dependencies
  4. Scans all dependencies within a war or ear package in case of application server deployments
Note

For shaded jars, only the pom file, if any, is scanned. Because details about the dependent jar files are not available, JMS does not provide details of the JAR manifest.

A library scan can also provide details of all applications associated with each library, along with vulnerability information. The vulnerability information and the Common Vulnerability Scoring System (CVSS) scores are provided by the National Vulnerability Database. CVSS 2.0 base score is displayed for the detected Common Vulnerabilities and Exposures (CVEs). The information and the scores are identified by matching the names of the library.
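The static scan steps above, sketched as an added example that is not JMS agent code: it reads the manifest Class-Path, an embedded pom, and jars nested in a war. The archive contents and library names are constructed, and the META-INF/maven location of the pom is an assumption about where the file is found.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample data: library names and versions are made up for illustration.
MANIFEST = ("Manifest-Version: 1.0\r\n"
            "Class-Path: lib/commons-example-1.2.jar lib/json-exa\r\n"
            " mple-2.0.jar\r\n\r\n")
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId>
      <artifactId>commons-example</artifactId><version>1.2</version></dependency>
  </dependencies>
</project>"""


def make_zip(entries):
    """Build an in-memory archive from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def manifest_attributes(text):
    """Parse the main manifest section; a leading space continues the previous line."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            attrs[key] = value.lstrip(" ")
    return attrs


def scan_archive(data, label):
    """Static scan of one archive: manifest Class-Path, embedded pom, nested jars."""
    found = {label: {"class_path": [], "pom": []}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == "META-INF/MANIFEST.MF":
                attrs = manifest_attributes(zf.read(name).decode("utf-8"))
                found[label]["class_path"] = attrs.get("Class-Path", "").split()
            elif name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                # Constructed input; use a hardened XML parser for untrusted jars.
                root = ET.fromstring(zf.read(name))
                for dep in root.findall("m:dependencies/m:dependency", POM_NS):
                    found[label]["pom"].append(":".join(
                        dep.findtext(f"m:{tag}", "", POM_NS)
                        for tag in ("groupId", "artifactId", "version")))
            elif name.endswith(".jar"):  # jars packaged inside a war or ear
                found.update(scan_archive(zf.read(name), f"{label}!/{name}"))
    return found


def demo():
    """Scan a constructed war that carries one library jar under WEB-INF/lib."""
    inner = make_zip({"META-INF/MANIFEST.MF": MANIFEST,
                      "META-INF/maven/org.example/demo-lib/pom.xml": POM})
    return scan_archive(make_zip({"WEB-INF/lib/demo-lib.jar": inner}), "demo.war")
```

A library loaded at run time through a custom class loader appears in neither list, which is the limitation the page describes for dynamically loaded libraries.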

Caution:

  • JMS might not have identified all library dependencies of the application.
  • Analysis might not have identified all vulnerabilities.
  • There might be new vulnerabilities affecting your application since JMS refreshes data from the National Vulnerability Database on a weekly basis. To detect new vulnerabilities, we recommend that you perform the scan for Java libraries frequently.

The results of the analysis aren't to be treated as absolute. You might need to perform additional analysis or investigation.

You can initiate the scan from either:

  • Fleet details page: In the Fleet details panel, click Scan for Java libraries. Click Scan in the Scan for Java libraries dialog. The agent will scan for Java libraries that are part of that fleet.

    OR

  • Managed instances table: In the Resources section in the fleet details page, click Managed instances. Select the managed instances for which you need the Java library information. Click Actions and then Scan for Java libraries. Click Scan in the Scan for Java libraries dialog. The agent will scan for Java libraries in the selected managed instances.
Note

The scan may cause high CPU and memory utilization in managed instances.

You can view the progress or status of the operation from the Work request module.

See Java Libraries panel and Java Library Details to review the results of the scan for Java libraries.

Crypto Event Analysis

Oracle's plans for changes to the security algorithms and associated policies/settings in the Oracle Java Runtime Environment (JRE) and Java SE Development Kit (JDK) are published on the Oracle JRE and JDK Cryptographic Roadmap.

To enable Crypto event analysis operations in your fleet, see Enabling Advanced Features. Using Crypto Event Analysis, administrators will get detailed information on what cryptographic algorithms from the Java Security Libraries are being used. JMS will compare the algorithms being used with the planned changes, and highlight applications that might be impacted by future changes or by certificates that are about to expire. The analysis will detect if any of the Java applications in a managed instance are using the algorithms, key lengths, or default values that will be changed and provide recommendations to avoid disruptions.

Note

  • JMS might not have identified all crypto event analysis of the application.
  • Analysis might not have identified all crypto events in JMS.
  • There might be new crypto events since JMS analyzed your apps.

The results of the analysis aren't to be treated as absolute. You might need to perform additional analysis or investigation.

Note

To run crypto analysis on an application that's running Oracle JDK 8, use the parameter -XX:+UnlockCommercialFeatures when you invoke the application.

Running Crypto Event Analysis

Crypto event analysis is available from the managed instances table in the Fleet details page.

To run a crypto event analysis:
  1. Managed instances table: In the Resources section of the Fleet details page, click Managed instances. Select the managed instances for which you need to perform the Crypto event analysis. Click Actions and then Crypto event analysis. The Crypto event analysis screen opens.
  2. Review the Object storage bucket name and Crypto log object.
  3. Specify the duration for the recording. Default recording duration - 1 hour, Minimum - 5 minutes, Maximum - 24 hours.

    The console shows the time until which JMS will monitor the managed instance(s) for application invocations. This time period is computed based on the recording duration specified in Step 3 and the polling interval specified in the agent settings. The duration is calculated as the set recording duration times two plus the polling interval. The start time of monitoring depends on the polling interval of the management agent in the managed instance(s). For each application invocation detected, JMS will attempt to capture recordings of duration up to the recording duration specified by you. When the recording reaches the end time, the agent stops initiating new recordings. However, any ongoing recording will continue until it reaches the specified duration, or the JVM exits.

    When the agent receives the work request, it immediately starts attaching to the currently running apps and watches for a new JVM to start. It attaches to them until the end time is reached.
    Note

    If the agent is down for a while, there's a chance that the end time has already passed by the time the agent receives the work request.
  4. Click Start to run the analysis. If the analysis is successful, you'll see a confirmation message. A Work Request is created for this operation. The progress or status of this operation can be viewed from the Work request module.

See Analysis Reports Details to review the results of the crypto event analysis.

Run JDK Flight Recorder

JDK Flight Recorder collects diagnostic and profiling data from running Java applications. JMS will initiate the recording and upload the resulting JFR file to the customer’s tenancy, enabling you to do your own analysis of the recordings.

To enable Run JDK Flight Recorder operations in your fleet, see Enabling Advanced Features. The Run JDK Flight Recorder operation is available for the applications running in a managed instance. Learn more about JDK Flight Recorder.

To run JDK Flight Recorder:

  1. From your fleet, select a managed instance to view.
  2. Select Applications from the Resources section.
  3. Select one or more applications from the Applications table of your managed instance and select Run JDK Flight Recorder from the Actions menu. The configuration window opens. You can review the applications involved in this operation and view the object storage bucket to which the recordings will be uploaded after the operation.
  4. For recording options, you can either:
    • Select from default profiles: choose a predefined option from the drop-down menu

      OR

    • Provide Custom flight recorder configuration: the flight recorder configuration has a different format for Java releases prior to JDK 9. Choosing this option enables you to provide flight recorder configuration for releases prior to and after JDK 9.
  5. Provide maximum recording duration of the JFR. The default recording duration is 15 minutes. The minimum value is 1 minute while the maximum is 24 hours.
  6. Click Start. A Work Request is created for this operation. The progress or status of this operation can be viewed from the Work request module.
Note

  • If the application isn't running during this operation, you'll see a message No events to capture or No reports are available. You'll get a recording only if the application is already running or started during the JFR recording period.
  • JFR generates a recording for the events captured while the application was running.
  • The JFR files are uploaded to the Object storage bucket.
  • To run JDK Flight Recorder on an application that's running Oracle JDK 8, use the parameter -XX:+UnlockCommercialFeatures when you invoke the application.