Java Tracer reference↑
Configuration↑
You can configure the Java Tracer with JVM properties using the -D
parameter in the command line.
For instance, to specify the directory for trace writing, use the cryptosense.agent.out
parameter as follows:
java \
-Dcryptosense.agent.out=/path/to/trace-directory \
-javaagent:/path/to/cs-java-tracer.jar \
-jar /path/to/application.jar
With Java 9 and later, you can also pass these properties via the JDK_JAVA_OPTIONS
environment variable. For example:
This is more flexible as it allows you to set the properties without modifying your application startup script. However, it is not supported by all JREs.
If you’re not using the java
command to launch your application directly, you can usually set those properties where you added the javaagent:/path/to/cs-java-tracer.jar
parameter. Refer to the examples below.
Parameters↑
The supported properties are:
cryptosense.agent.out
: path to the directory where traces are written. (default iscs-tracer
). Make sure the application under test has write permissions in this directory.cryptosense.agent.compress
: on-the-fly gzip-compression of outputted JSON files (default istrue
). Note that you can upload either compressed or uncompressed traces to the analyzer.cryptosense.agent.unlimitedTraceSize
: Deprecated. Usecryptosense.agent.maxTraceSize
.cryptosense.agent.maxTraceSize
: set a maximum uncompressed trace size in MB. The default is 4096, i.e. 4GB. Setting a value of 0 means there’s no limit.cryptosense.agent.prefix
: optional custom file name prefix for traces (default iscs-trace
). The file name will consist of this prefix followed by an underscore and timestamp, and have a.cst
or.cst.gz
extension, depending on the compression. For example, if the prefix istestprefix
, the file name would betestprefix_2018-12-13-08-42-33-428_11435.cst
(depending on the trace time).cryptosense.agent.trace
: determines whether to include stack traces for each call in the report (default istrue
). Setting this tofalse
significantly reduces the trace file size, but the report will lack important information.cryptosense.agent.ignoreUpdate
: determines whether to discard the calls to variousupdate()
functions (such asMessageDigest.update
). The default isfalse
. Setting this totrue
significantly reduces the trace file size, but the report will lack important information.cryptosense.agent.excludeBuiltins
: determines whether to include the calls to certain internal crypto functions in the JRE in the trace (default isfalse
). The excluded calls consist of hash function calls to verify JAR files upon startup, and internal hash calls for certain internal PBKDFs with extensive iterations that might quickly fill up a trace. Note that this doesn’t affect the results since the calls are accounted for by the Analyzer.cryptosense.agent.tags
: comma-separated tags to include in the trace header. To include a space in the tag, uses single quotes likecryptosense.agent.tags='spaced tag 1','spaced tag 2'
. The tags are written in the trace header as a list of strings (default is an empty list).
Here are some examples with different parameters:
Limiting the trace size:↑
java \
-Dcryptosense.agent.out=/path/to/trace-directory \
-Dcryptosense.agent.maxTraceSize=200 \
-javaagent:/path/to/cs-java-tracer.jar \
-jar /path/to/application.jar
Adding a prefix to the trace name:↑
java \
-Dcryptosense.agent.out=/path/to/trace-directory \
-Dcryptosense.agent.prefix=prefix \
-javaagent:/path/to/cs-java-tracer.jar \
-jar /path/to/application.jar
Excluding stack traces from calls:↑
java \
-Dcryptosense.agent.out=/path/to/trace-directory \
-Dcryptosense.agent.trace=false \
-javaagent:/path/to/cs-java-tracer.jar \
-jar /path/to/application.jar
Trace streaming↑
By default, the Java Tracer saves a trace file to be uploaded to AQtive Guard for analysis. Alternatively, the tracer can stream the trace directly to AWS S3 while running.
Caution
Java Tracer streaming is designed for specific deployment pipelines. Before implementing trace streaming, discuss your configuration with your AQtive Guard contact. Visit our support portal if you have questions or need help.
Important
Java Tracer streaming requires AQtive Guard server version 24.09.1 or above. For version 24.09.1 you will need to enable it by setting ENABLE_STREAM_UPLOAD='true'
in your configuration file. In later versions, streaming is enabled by default.
Use↑
Refer to these steps and the following example to implement Java Tracer streaming.
- Make your AQtive Guard API key available to the JVM in the
AQG_API_KEY
environment variable. Refer to Retrieve the API key. - Make sure that the AQtive Guard server is configured to enable streaming.
- Put the tracer in streaming mode using
-Dcryptosense.agent.logger=streaming
. - Add the required and desired optional trace streaming configuration parameters.
- Run the application with the tracer attached as usual.
Example↑
The following example will run an application with the streaming tracer attached and stream the trace to the Sandbox SaaS instance in project 17 with slot name “foo.”
AQG_API_KEY=your-api-key \
java \
-Dcryptosense.agent.logger=streaming \
-Dcryptosense.agent.streamingApiBaseUrl=https://aqtiveguard.sandboxaq.com \
-Dcryptosense.agent.streamingCaFile=/path/to/cacert.pem \
-Dcryptosense.agent.streamingProjectId=17 \
-Dcryptosense.agent.streamingSlotName=foo \
-javaagent:/path/to/cs-java-tracer.jar \
-jar /path/to/application.jar
Trace streaming parameters↑
cryptosense.agent.logger
: Determines whether to save the trace to a file or stream it directly to an AQtive Guard instance. Allowed values arefile
orstreaming
. Default isfile
. Iffile
is selected (either explicitly or by default), then the remaining parameters withstreaming
in their names will be ignored.cryptosense.agent.streamingApiBaseUrl
: URL for the server (e.g.https://aqtiveguard.internal:8443
). For SaaS, usehttps://aqtiveguard.sandboxaq.com
. If this parameter is provided, the other required streaming parameters must also be provided.cryptosense.agent.streamingCaFile
(optional): Path to a CA certificate bundle (concatenated PEM elements) to validate the server certificate(s). This includes the object storage service, if it is validated by a different CA.cryptosense.agent.streamingProjectId
: Numeric ID of the project to use for looking up and creating slots. (Note: This is the project number from the Web UI, not the Base64 GraphQL opaque ID.)cryptosense.agent.streamingSlotName
: Name of the slot where the trace will be created. If a slot with the given name doesn’t exist, it will be created.cryptosense.agent.streamingCallMode
(optional): Determines how the application handles full streaming buffers. The acceptable values are:blocking
(default): When buffers are full, the application blocks execution until space is available. The application exits if the buffers can’t be emptied (e.g., due to server unavailability).nonblocking
: Calls are dropped when buffers are full. Streaming will stop if the buffers can’t be emptied (e.g., due to server unavailability).
cryptosense.agent.streamingBufferSize
(optional): Advanced. Size of buffers in the internal pool in MB. The default is5
, i.e. 5MB. Allowed values are5
to2047
.cryptosense.agent.streamingMaxBufferCount
(optional): Advanced. Maximum number of buffers in the internal pool. The default value is8
and the minimum is2
.
Proxy usage↑
To use a proxy for trace streaming, add the following JVM properties:
https.proxyHost
: The proxy server’s hostname.https.proxyPort
: The proxy server’s port number. The default port is80
.
Example↑
AQG_API_KEY=your-api-key \
java \
-Dhttps.proxyHost=proxy.example.com \
-Dhttps.proxyPort=8080 \
-Dcryptosense.agent.logger=streaming \
-Dcryptosense.agent.streamingApiBaseUrl=https://aqtiveguard.sandboxaq.com \
-Dcryptosense.agent.streamingProjectId=17 \
-Dcryptosense.agent.streamingSlotName=foo \
-javaagent:/path/to/cs-java-tracer.jar \
-jar /path/to/application.jar
Using the Tracer with Build Systems↑
Gradle↑
Gradle 5.6.3 or higher is required.
Gradle can pass arguments to the JVM that runs the test suite. To trace your tests, add the following to your build.gradle
file:
if (project.hasProperty('with-cryptosense')) {
test.jvmArgs = ['-javaagent:/path/to/cs-java-tracer.jar']
}
If you use subprojects, you’ll need to apply this configuration to each one that you want to get traces for.
To configure this for all subprojects, enclose the previous snippet in a subprojects { ... }
block. You can find more details about the test task in the Gradle documentation.
You can then get a trace by running the following command:
You can also use our Gradle plugin.
Maven↑
Maven 3.3.9 or higher is required.
Maven integration is provided by our Maven plugin.
Using the Tracer in Application Frameworks↑
Java applications are often launched from within application servers. In this case, you’ll need to add the necessary parameters to a config file:
Tomcat↑
The bin/setenv.sh
file should be created or edited to contain:
CATALINA_OPTS="$CATALINA_OPTS -javaagent:/path/to/cs-java-tracer.jar -Dcryptosense.agent.<PARAM>=<VALUE>"
JBoss↑
For JBoss, you need to whitelist the cryptosense package in standalone.conf
:
You can then add:
WebLogic↑
Before calling Java, edit the startWebLogic.sh
file to include:
export JAVA_OPTIONS="$JAVA_OPTIONS -javaagent:/path/to/cs-java-tracer.jar -Dcryptosense.agent.<PARAM>=<VALUE>"
Other frameworks↑
Our Java Tracer works with several other frameworks, including WebSphere and Firefly. Visit our support portal if you have questions or need help.
Renaming the tracer JAR file↑
Renaming the JAR file is not recommended because the boot class path in the JAR manifest must match the file name exactly.
If you do rename the JAR file, you need to modify the manifest accordingly. Otherwise, you’ll encounter java.lang.NoClassDefFoundError
during runtime. While your application may not crash, the tracer won’t function correctly.
To rename the JAR file to new-name.jar
, extract the META-INF/MANIFEST.MF
file from the JAR, and edit it by changing the boot class path line to:
Then, update the JAR file and replace the old META-INF/MANIFEST.MF
file with the modified version.
Supported operations↑
The Java Tracer covers methods from the following classes for any cryptographic providers conforming to the Java Cryptography Architecture (JCA), for example, Bouncy Castle Java, conscrypt and other provider implementations. This coverage is at the JCA/JCE level, but there are some algorithm implementation specific parameters, from for example Bouncy Castle, that we also capture.
java.security.KeyPairGenerator
java.security.KeyStore
java.security.MessageDigest
java.security.Signature
javax.crypto.Cipher
javax.crypto.KeyAgreement
javax.crypto.KeyGenerator
javax.crypto.Mac
javax.crypto.SecretKeyFactory
From the Java Generic Security Services (Java GSS-API) we cover the following class:
javax.net.ssl.SSLServerSocket
The Java Tracer also covers methods from the following classes from vendor-specific APIs: