jstatd - JVM Remote Monitoring (jstat daemon)

This article covers the jstatd command-line tool, which is one of the Java commands that come with the JDK package. It is the continuation of the previous article.

Like the other Java commands, jstatd follows the standard command format (at the command prompt):
jstatd [option]

jstatd is an RMI server application that monitors the creation and termination of instrumented JVMs and provides an interface that allows remote monitoring tools to attach to JVMs running on the local host. That is why the jstatd server needs an RMI registry on the local host. If none is found, jstatd creates one inside the jstatd application, bound to the port given by -p or to the default registry port.

jstatd options:
-nr : Does not create an internal RMI registry within the jstatd process when an existing RMI registry is not found.
-p [port] : RMI registry port. If no registry is found there and -nr is not specified, one is created on this port.
-n [rmiName] : Name of the remote RMI object that is bound in the RMI registry (default is JStatRemoteHost). If multiple jstatd servers are started on a host, this option makes the RMI object name of each server unique (the unique server name must then be included in the monitoring client's hostid and vmid strings).
-J[option] : Pass option to the java launcher

Notes:
-The jstatd server and the monitored JVMs should run with the same user credentials (for access permissions, better to use root).
-The jstatd server does not provide any authentication of remote clients, so local security policies should be considered before starting jstatd.
-The jstatd server installs an instance of RMISecurityPolicy, which requires a security policy file written in the default policy implementation's Policy File Syntax (I will explain the Java default security policy in a separate post). To run the server with a policy file:
jstatd -J-Djava.security.policy=[file location]
-We can use a custom policy file for stronger security.
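
A check for the file passed with -J-Djava.security.policy, added here as an example and not taken from the original article or from the JDK: it flags grant blocks that give java.security.AllPermission to all code instead of limiting it to one codebase. Both policy files are constructed samples, the tools.jar codebase is an assumption for a JDK layout that has lib/tools.jar, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample 1: grants every permission to all code in the jstatd JVM.
write_weak_policy() {
    cat > "$1" <<'EOF'
grant {
    permission java.security.AllPermission;
};
EOF
}

# Constructed sample 2: the same permission, limited to the JDK tools.jar
# (assumed path; adjust it to the JDK layout in use).
write_scoped_policy() {
    cat > "$1" <<'EOF'
grant codebase "file:${java.home}/../lib/tools.jar" {
    permission java.security.AllPermission;
};
EOF
}

# audit_jstatd_policy FILE
# Prints one line for each grant block that gives AllPermission without a
# codebase, signedBy or principal restriction and returns 1 if any exist.
# Only // line comments are skipped; /* */ comments are not handled.
audit_jstatd_policy() {
    awk '
        /^[ \t]*\/\// { next }                     # skip // comment lines
        { low = tolower($0) }
        low ~ /^[ \t]*grant([^a-z]|$)/ {
            in_grant = 1; in_header = 1; scoped = 0; start = NR
        }
        in_header {
            if (low ~ /codebase|signedby|principal/) scoped = 1
            line = $0; gsub(/[$][{][^}]*[}]/, "", line)  # drop ${property} refs
            if (line ~ /[{]/) in_header = 0            # header ends at the brace
        }
        in_grant && !in_header && !scoped && /java[.]security[.]AllPermission/ {
            printf "line %d: AllPermission granted to all code\n", start
            bad = 1
        }
        /[}][ \t]*;/ { in_grant = 0 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Typical use before starting the server with the command shown above:
#   audit_jstatd_policy jstatd.policy && jstatd -J-Djava.security.policy=jstatd.policy
```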


Thanks...:)

jps - JVM Process Status Tool

This article covers the jps command-line tool, which is one of the Java commands that come with the JDK package. It is the continuation of the previous article.

Like the other Java commands, jps follows the standard command format (at the command prompt):
jps [options] [hostid]

Here, hostid is the identifier of the host for which the process report is generated.
jps lists the instrumented JVMs and reports the information it is permitted to see.
-If no hostid is given, it looks for JVMs on the local host.
-If started with a hostid, it looks for JVMs on the specified host (using the given protocol and port). A jstatd process is assumed to be running on the target host. (I will make a separate post for jstatd.)

jps reports the local VM identifier (lvmid; typically, but not always, the system's process identifier). With no options, jps lists each Java application's lvmid followed by the short form of the application's class name or JAR file name. When the JVM was started by a custom launcher, jps shows the string Unknown for the class name or JAR file name and for the arguments to the main method. What the jps command can report may be limited by permissions.

jps options :
-q : Shows only the list of local VM identifiers (suppresses the class name, JAR file name and main method arguments).
-m : Output the Main Method arguments
-l : Shows full package name for main class or full path of JAR file.
-v : Shows arguments passed to the JVM.
-V : Shows arguments passed to the JVM through the flags file (.hotspotrc or by the -XX:Flags=[filename]).
-J[option] : Pass option to the java launcher.

Note:
-The hostid has the same form as the VMI (shown below under the jstat tool):
[protocol:][[//]hostname][:port][/servername]
-jps provides output in the following format:
lvmid [ [ classname | JARfilename | "Unknown"] [ arg* ] [ jvmarg* ] ]


Thanks..:)

keytool - Managing Key and Certificate in Java

This article covers the keytool command-line tool, which is one of the Java commands that come with the JDK package. It is the continuation of the previous article.

Like the other Java commands, keytool follows the standard command format (at the command prompt):
keytool [commands]

keytool is a key and certificate management utility that manages a keystore of cryptographic keys, X.509 certificate chains and trusted certificates. Users can use their public/private key pairs and the associated certificates for authentication, data integrity or digital signatures. It also allows users to cache the public keys of their communication peers (in the form of certificates). It stores the keys and certificates in a keystore.
Notes:
-A certificate is a digitally signed statement from one entity saying that the public key (together with some other information) of another entity has a particular value. I will explain this in detail in a separate post.
-All commands and options start with a minus (-) sign.
-Options for each command should be provided in order.
-Rules for braces {}:
1. Braces around an option mean that a default value is used if the option is not specified.
2. Braces are also used around -v, -rfc and -J.
-Brackets [] around an option mean that the user is prompted for the value if it is not specified.
-Items written in italics with an option are "must be supplied" items.
-Option values that contain a blank must be quoted.

Common Options : 
-v : Signifies "verbose" mode
-J[option] : The option string is passed through directly to the Java interpreter.
-storetype [storetype] : Specifies the type of keystore to be instantiated.
-keystore [keystore] : The keystore location (if the file does not exist, a new file is created).
Note: The -keystore option is passed to the KeyStore.load method. If NONE is specified as the URL, then a null stream is passed to the KeyStore.load method. NONE should be specified if the KeyStore is not file-based.
-storepass [storepass] : The password that protects the integrity of the keystore (minimum 6 characters). By default, if it is not provided, the user is prompted for it with a warning.
-providerName [provider_name] : Used to identify a cryptographic service provider's name when listed in the security properties file.
-providerClass [provider_class_name] : Used to specify the name of cryptographic service provider's master class file when the service provider is not listed in the security properties file.
-providerArg [provider_arg] : Used in conjunction with -providerClass to set  a string input argument for the constructor of provider_class_name(optional)
-protected [true/false]. True = Password must be given via a protected authentication path (such as a dedicated PIN reader)

Commands :

1. To create /add Data/import into Keystore

-genkeypair {-alias myAlias} {-keyalg myKeyalg} {-keysize myKeysize} {-sigalg mySigalg} [-dname myDname] [-keypass myPass] {-validity valDays} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}
-Generates a key pair (a combination of a public key and a private key).
-Wraps the public key into an X.509 v3 self-signed certificate, which is stored as a single-element certificate chain.
-alias identifies the new keystore entry that contains this certificate chain and the private key.
-keyalg specifies the algorithm used to generate the key pair.
-keysize specifies the size of each key.
-sigalg specifies the algorithm used to sign the self-signed certificate (this algorithm must be compatible with the algorithm selected by keyalg).
-dname specifies the X.500 Distinguished Name associated with alias. It is used as the issuer and subject fields in the self-signed certificate. As it is in brackets, the user is prompted for input when no distinguished name is given.
-keypass defines the password used to protect the private key. As it is in brackets, the user is prompted for it when no password is given.
-validity defines the certificate validity period in days.
-genkey and -genkeypair are the same.

-genseckey {-alias myAlias} {-keyalg myKeyalg} {-keysize myKeysize} [-keypass myPass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}
-Generates a secret key and stores it in a new KeyStore.SecretKeyEntry identified by alias.

-importcert {-alias myAlias} {-file cert_file} [-keypass myPass] {-noprompt} {-trustcacerts} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}
-Reads the certificate/certificate chain (PKCS#7 formatted reply) from cert_file, and stores it in the keystore entry identified by alias.
-The value of the -alias option determines which type of import is performed.
keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7 formatted certificate chains consisting of certificates of that type. Certificates are imported for two reasons:
-To add it to the list of trusted certificates
-To import a certificate reply received from a CA as the result of submitting a Certificate Signing Request to that CA.
-If the myAlias does not point to a key entry, then keytool assumes you are adding a trusted certificate entry. In this case, the myAlias should not exist in the keystore. If the myAlias exists, then keytool outputs an error, since there is already a trusted certificate for that alias, and does not import the certificate.
-If the myAlias points to a key entry, keytool assumes you are importing a certificate reply.

How does import work for a new trusted certificate?
Before adding the certificate to the keystore, keytool tries to verify it by attempting to construct a chain of trust from that certificate to a self-signed certificate (belonging to a root CA), using trusted certificates that are already available in the keystore. If the -trustcacerts option is specified, the certificates in a file named "cacerts" are also considered for the chain of trust. If keytool fails to establish a trust path from the certificate to be imported up to a self-signed certificate (from the keystore or the "cacerts" file), the certificate information is printed and the user is prompted to verify it. With the -noprompt option there is no interaction with the user.
 
How does import work for a certificate reply?
When a certificate reply is imported, it is validated using trusted certificates from the keystore (if the -trustcacerts option is specified, validation also uses the "cacerts" keystore file).
The methods used to determine whether the certificate reply is trusted:
-If the reply is a single X.509 certificate, keytool attempts to establish a trust chain, starting at the certificate reply and ending at a self-signed certificate (belonging to a root CA). The certificate reply and the hierarchy of certificates used to authenticate the certificate reply form the new certificate chain of alias. If no trust chain can be established, the certificate reply is not imported, and keytool does not print the certificate but prompts the user to verify.
-If the reply is a PKCS#7 formatted certificate chain, it is first ordered (user certificate first, self-signed root CA certificate last) before keytool attempts to match the root CA certificate provided in the reply with any of the trusted certificates in the keystore or (if the -trustcacerts option was specified) the "cacerts" keystore file. If no match is found, the root CA certificate information is printed and the user is prompted to verify it. With the -noprompt option there is no interaction with the user.
-If the public key in the certificate reply matches the user's public key already stored under alias, the old certificate chain is replaced with the new certificate chain in the reply. This needs the valid private key password (keypass); if no password is given and it is different from the keystore password, the user is prompted for it.
-importcert and -import are the same.
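
The check that keytool asks the user to make before trusting a new certificate can be done in a script, after which -noprompt no longer skips anything. The following is an added example, not code from the original article: it uses only keytool commands and options described on this page, the function names are hypothetical, and the keystore names, the alias and the password changeit are constructed throwaway values.

```shell
#!/bin/sh
# cert_sha256 FILE
# Prints the SHA-256 fingerprint that "keytool -printcert" reports for FILE
# (upper-case hex pairs separated by colons), or nothing if none is printed.
cert_sha256() {
    keytool -printcert -file "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' |
        head -n 1 | tr -d '[:space:]'
}

# import_pinned CERT_FILE EXPECTED_SHA256 ALIAS TRUSTSTORE STOREPASS
# Adds CERT_FILE as a trusted certificate entry only when its fingerprint
# equals the value that was obtained out of band. Nothing is imported on a
# mismatch, so -noprompt cannot let an unverified certificate in.
import_pinned() {
    actual=$(cert_sha256 "$1")
    if [ -z "$actual" ] || [ "$actual" != "$2" ]; then
        echo "refusing to import $1: fingerprint is '$actual'" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias "$3" -file "$1" \
        -keystore "$4" -storepass "$5" >/dev/null 2>&1
}

# has_entry ALIAS KEYSTORE STOREPASS: succeeds if the alias exists.
has_entry() {
    keytool -list -alias "$1" -keystore "$2" -storepass "$3" >/dev/null 2>&1
}

# make_sample_cert DIR
# Constructed test data: a throwaway self-signed certificate, generated with
# -genkeypair and written to DIR/server.pem with -exportcert -rfc.
make_sample_cert() {
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
        -dname "CN=server.example, O=Example" -validity 30 \
        -keystore "$1/server.jks" -storepass changeit -keypass changeit \
        >/dev/null 2>&1 || return 1
    keytool -exportcert -rfc -alias server -file "$1/server.pem" \
        -keystore "$1/server.jks" -storepass changeit >/dev/null 2>&1
}
```

The expected fingerprint has to come from a channel other than the certificate file itself. In real use, leave out -storepass so that keytool prompts for the password instead of taking it from the command line.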

-importkeystore -srckeystore srckeystore -destkeystore destkeystore {-srcstoretype srcstoretype} {-deststoretype deststoretype} [-srcstorepass srcstorepass] [-deststorepass deststorepass] {-srcprotected} {-destprotected} {-srcalias srcalias {-destalias destalias} [-srckeypass srckeypass] [-destkeypass destkeypass] } {-noprompt} {-srcProviderName src_provider_name} {-destProviderName dest_provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}

Imports a single entry or all entries from a source keystore to a destination keystore.
-With srcalias, the single entry identified by that alias is imported to the destination keystore.
-If no destalias is given, the srcalias is used as the destination alias.
-If the source entry is protected by a password, srckeypass is used to recover the entry.
-If srckeypass is not provided, keytool attempts to use srcstorepass to recover the entry.
-If srcstorepass is not provided or is wrong, the user is prompted for the password.
-destkeypass protects the destination entry.
-If destkeypass is not provided, the destination entry is protected with the source entry password (srcstorepass).
-If no srcalias is given, all entries in the source keystore are imported into the destination keystore.
-If the source entry is protected by a password, srcstorepass is used to recover the entry.
-If srcstorepass is not provided or is wrong, the user is prompted for a password.
-If a source keystore entry type is not supported, or an error occurs while storing an entry into the destination keystore, the user is prompted to skip the entry or quit.
-If the destination alias already exists in the destination keystore, the user is prompted either to overwrite the entry or to create a new entry under a different alias name.
-If -noprompt is provided, the user is not prompted and existing entries with the destination alias name are overwritten by the new ones.

2. To Export Data :

-certreq {-alias alias} {-sigalg sigalg} {-file certreq_file} [-keypass keypass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}
-Generates a Certificate Signing Request (CSR) in the PKCS#10 format, to be sent to a certificate authority (CA). The private key and the X.500 Distinguished Name associated with alias are used to create the PKCS#10 certificate request.
-To access the private key, the correct password must be provided (if it is needed but not provided, the user is prompted for it).
-sigalg specifies the algorithm used to sign the CSR.
-The CSR is stored in the file certreq_file.
-If no file is given, the CSR is output to stdout.
-Use -importcert to import the response from the CA.

-exportcert {-alias alias} {-file cert_file} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-rfc} {-v} {-protected} {-J[option]}
-Reads (from the keystore) the certificate associated with alias and stores it in cert_file.
-If no file is given, the certificate is output to stdout.
-If the -rfc option is specified, the certificate is output in the printable encoding defined by the Internet RFC 1421 standard (not in the default binary format).
-If alias refers to a trusted certificate, that certificate is output.
-If not, alias refers to a key entry with an associated certificate chain, and the first certificate in the chain is returned. This certificate authenticates the public key of the entity addressed by alias.
-export and -exportcert are the same.
 
3. To Show Data :
 
-list {-alias alias} {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v | -rfc} {-protected} {-J[option]}
-Prints the contents of the keystore entry identified by alias to stdout.
-If no alias is given, the contents of the entire keystore are printed.
-By default this command prints the MD5 fingerprint of a certificate.
-If the -v option is specified, the certificate is printed in human-readable format with more information (owner, issuer, serial number, and any extensions).
-If the -rfc option is specified, certificate contents are printed with Internet RFC 1421 standard encoding.

-printcert {-file cert_file} {-v} {-J[option]}
-Reads the certificate from cert_file, and prints its contents in a human-readable format.
-If no file is given, the certificate is read from stdin.

4. To Manage(Save/Edit/Delete) Keystore :

-storepasswd [-new new_storepass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-J[option]}
-Changes the password of the keystore contents.

-keypasswd {-alias alias} [-keypass old_keypass] [-new new_keypass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-J[option]}
-Changes the password under which the private/secret key identified by alias is protected, from old_keypass to new_keypass.
-If -keypass is not provided or is incorrect (different from the keystore password), the user is prompted for it.
-If the -new is not provided, user is prompted for it.

-delete [-alias alias] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}
-Deletes the entry from the keystore (defined by alias).
-The user is prompted if no alias is provided.

-changealias {-alias alias} [-destalias destalias] [-keypass keypass] {-storetype storetype} {-keystore keystore} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-J[option]}
-Moves an existing keystore entry from the specified alias to a new alias, destalias.
-If no destination alias is provided, the command prompts for one.
-If the original entry has an entry password, it should be supplied with -keypass.
-If no key password is given, the storepass (if given) is tried first, and if that fails the user is prompted for a password.

Sorry, it's a very long post because of the different commands. I will provide a separate post very soon to clarify what a certificate is and what a keystore is.

 Thanks...:)

jstat - Tool for JVM Statistics Monitoring

This article covers the jstat command-line tool, which is one of the Java commands that come with the JDK package. It is the continuation of the previous article.

Like the other Java commands, jstat follows the standard command format (at the command prompt):
jstat [ generalOption | outputOptions vmid [interval[s|ms] [count]] ]

Here,
generalOption : Options common to all commands, defined below.
outputOptions : Output-specific options consisting of a single stateOption and any of -t/-h/-J.
vmid : Virtual machine identifier, a string indicating the target JVM. It is explained below.
interval[s|ms] : Sampling interval in seconds (s) or milliseconds (ms). jstat produces its output at each interval.
count : Number of samples to display.

jstat shows performance statistics for an instrumented HotSpot JVM. jstat uses an identifier to select the JVM.

jstat Options : 
General Options :
-help : Shows help message. (same as other commands)
-version : Shows version information.(same as other commands)
-options : Shows list of statistics options

Output Options : Determine the content and the format of jstat's output. They have two parts, a stateOption and any of -t/-h/-J.
-Output is formatted as a table (columns are separated by spaces).

-t n : Shows a time stamp (in seconds) as the first column.
-h n : Sets the frequency of displaying the header.
-J[option] : Passes a java option to the java application launcher.

-stateOption : Defines the statistics that jstat displays. It has the following options:
class : Statistics on the class loader. The columns are
Loaded : Number of classes loaded.
Bytes : Number of Kbytes loaded.
Unloaded : Number of classes unloaded.
Bytes : Number of Kbytes unloaded.
Time : Time spent for class load and unload operations.

compiler : Statistics of the HotSpot Just-in-Time compiler. Columns details are

Compiled : Number of compilation tasks.
Failed : Number of compilation tasks that failed.
Invalid : Number of compilation tasks that were invalidated.
Time : Time spent on compilation.
FailedType : Compile type of the last failed compilation.
FailedMethod : Class name and method of the last failed compilation.

gc : Statistics of the garbage-collected (GC) heap. Columns details are
S0C : Current survivor space 0 capacity (KB).
S1C : Current survivor space 1 capacity (KB).
S0U : Survivor space 0 utilization (KB).
S1U : Survivor space 1 utilization (KB).
EC : Current eden space capacity (KB).
EU : Eden space utilization (KB).
OC : Current old space capacity (KB).
OU : Old space utilization (KB).
PC : Current permanent space capacity (KB).
PU : Permanent space utilization (KB).
YGC : Number of young generation GC Events.
YGCT : Young generation GC Time.
FGC : Number of full GC events.
FGCT : Full garbage collection time.
GCT : Total garbage collection time.

gccapacity : Statistics of generations and their corresponding spaces.Columns details are
NGCMN : Min New generation capacity (KB).
NGCMX : Max New generation capacity (KB).
NGC : Current new generation capacity (KB).
S0C : Current survivor space 0 capacity (KB).
S1C : Current survivor space 1 capacity (KB).
EC :  Current eden space capacity (KB).
OGCMN : Minimum old generation capacity (KB).
OGCMX : Maximum old generation capacity (KB).
OGC : Current old generation capacity (KB).
OC : Current old space capacity (KB).
PGCMN : Minimum permanent generation capacity (KB).
PGCMX : Maximum Permanent generation capacity (KB).
PGC : Current Permanent generation capacity (KB).
PC : Current Permanent space capacity (KB).
YGC : Number of Young generation GC Events.
FGC : Number of Full GC Events.

gccause : Summary of garbage collection statistics (same as -gcutil, but including the last and current GC events). Additional columns other than those of gcutil are
LGCC : Cause of last Garbage Collection.
GCC : Cause of current Garbage Collection.

gcnew : Statistics of the behavior of the new generation (in memory heap). Columns details are
S0C : Current survivor space 0 capacity (KB).
S1C : Current survivor space 1 capacity (KB).
S0U : Survivor space 0 utilization (KB).
S1U : Survivor space 1 utilization (KB).
TT : Tenuring threshold.
MTT : Maximum tenuring threshold.
DSS : Desired survivor size (KB).
EC : Current eden space capacity (KB).
EU : Eden space utilization (KB).
YGC : Number of young generation GC events.
YGCT : Young generation garbage collection time.

gcnewcapacity : Statistics of the sizes of the new generations and its corresponding spaces. Columns details are
NGCMN : Minimum New Generation Capacity (KB).
NGCMX : Maximum New Generation Capacity (KB).
NGC : Current New Generation Capacity (KB).
S0CMX : Maximum survivor space 0 capacity (KB).
S0C : Current survivor space 0 capacity (KB).
S1CMX : Maximum survivor space 1 capacity (KB).
S1C : Current survivor space 1 capacity (KB).
ECMX : Maximum eden space capacity (KB).
EC : Current eden space capacity (KB).
YGC : Number of young generation GC events.
FGC : Number of Full GC Events.

gcold : Statistics of the behavior of the old and permanent generations(in memory heap). Columns details are
PC : Current permanent space capacity (KB).
PU : Permanent space utilization (KB).
OC : Current old space capacity (KB).
OU : Old space utilization (KB).
YGC : Number of young generation GC events.
FGC : Number of full GC events.
FGCT : Full garbage collection time.
GCT : Total garbage collection time.

gcoldcapacity : Statistics of the sizes of the old generation. Columns details are
OGCMN : Minimum Old generation capacity (KB).
OGCMX : Maximum Old generation capacity (KB).
OGC : Current old generation capacity (KB).
OC : Current old space capacity (KB).
YGC : Number of young generation GC events.
FGC : Number of full GC events.
FGCT : Full garbage collection time.
GCT : Total garbage collection time.

gcpermcapacity : Statistics of the sizes of the Permanent Generation. Columns details are
PGCMN : Minimum permanent generation capacity (KB).
PGCMX : Maximum permanent generation capacity (KB).
PGC : Current permanent generation capacity (KB).
PC : Current permanent space capacity (KB).
YGC : Number of young generation GC events.
FGC : Number of full GC events.
FGCT : Full garbage collection time.
GCT : Total garbage collection time.

gcutil : Summary of garbage collection(GC) statistics. Columns details are
S0 : Survivor space 0 utilization as a percentage of the space's current capacity.
S1 : Survivor space 1 utilization as a percentage of the space's current capacity.
E : Eden space utilization as a percentage of the space's current capacity.
O : Old space utilization as a percentage of the space's current capacity.
P : Permanent space utilization as a percentage of the space's current capacity.
YGC : Number of young generation GC events.
YGCT : Young generation garbage collection time.
FGC : Number of full GC events.
FGCT : Full garbage collection time.
GCT : Total garbage collection time.

printcompilation : HotSpot compilation method statistics. Columns details are
Compiled : Number of compiled tasks .
Size : Number of bytes of bytecode for the method.
Type : Compilation type.
Method : Class name and method name identifying the compiled method.

Now for the VMI, the virtual machine identifier, vmid for short. It is a simple way to specify a VM. The syntax of a vmid string is
[protocol:][//]lvmid[@hostname][:port][/servername]
protocol : Communication protocol.
lvmid : The local virtual machine identifier for the target JVM (similar to an operating system PID).
hostname : A hostname or IP address.
port : The default port for communicating with the remote server. For the default rmi protocol, the port indicates the port number of the rmiregistry on the remote host.
servername : Its meaning depends on the implementation. For example:
For the optimized local protocol, this field is ignored.
For the rmi protocol, it represents the name of the RMI remote object on the remote host.
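
A parser for the vmid syntax above (the jps hostid has the same form without the leading lvmid@), added here as an example and not part of the original article. It shows which jstatd endpoint a given vmid makes a tool contact, which helps when reviewing monitoring scripts. The function names and sample host names are hypothetical, and the default port 1099 is the standard RMI registry port, which the article mentions without giving the number.

```shell
#!/bin/sh
# parse_vmid VMID
# Splits [protocol:][//]lvmid[@hostname][:port][/servername] and prints
# "protocol lvmid hostname port servername", with "-" for an absent part.
# Returns 1 if lvmid or port is not a number. IPv6 literals are not handled.
parse_vmid() {
    rest=$1 proto=- host=- port=- name=-
    case $rest in
        [A-Za-z]*:*) proto=${rest%%:*}; rest=${rest#*:} ;;   # [protocol:]
    esac
    rest=${rest#//}                                          # [//]
    case $rest in
        */*) name=${rest#*/}; rest=${rest%%/*} ;;            # [/servername]
    esac
    case $rest in
        *@*) lvmid=${rest%%@*}; rest=${rest#*@}              # lvmid@hostname
             case $rest in
                 *:*) port=${rest##*:}; rest=${rest%:*} ;;   # [:port]
             esac
             host=$rest
             [ -n "$host" ] || return 1 ;;
        *:*) lvmid=${rest%%:*}; port=${rest#*:} ;;           # lvmid:port
        *)   lvmid=$rest ;;
    esac
    case $lvmid in ''|*[!0-9]*) return 1 ;; esac
    case $port in -) ;; ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s %s %s %s\n' "$proto" "$lvmid" "$host" "$port" "$name"
}

# vmid_target VMID
# Prints "local" when the vmid names a JVM reached through the local protocol,
# otherwise the RMI endpoint that is contacted, with the rmi defaults filled
# in (registry port 1099, object name JStatRemoteHost). Protocols other than
# rmi are not modelled and give return code 2.
vmid_target() {
    parse_vmid "$1" >/dev/null || return 1
    case $proto in -|rmi) ;; *) return 2 ;; esac
    if [ "$proto" = - ] && [ "$host" = - ]; then
        echo local
        return 0
    fi
    [ "$host" = - ] && host=localhost
    [ "$port" = - ] && port=1099
    [ "$name" = - ] && name=JStatRemoteHost
    echo "rmi://$host:$port/$name"
}
```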

Example :


I ran the jconsole application to get its PID and monitored jconsole itself for statistics. I used this command, where my PID (of jconsole) = 7972, the interval time is 250 ms and 7 samples are recorded.
jstat -gcutil 7972 250 7

Thanks...:)