Crypto Event Analysis

Using Crypto Event Analysis, administrators will get detailed information on what cryptographic algorithms from the Java Security Libraries are being used. JMS will compare the algorithms being used with the planned changes and highlight applications that might be impacted by future changes or by certificates that are about to expire.

The analysis will detect if any of the Java applications in a managed instance are using the algorithms, key lengths, or default values that will be changed and provide recommendations to avoid disruptions.

OCI Cloud Console

  1. Sign in to the OCI Console as an administrator.
  2. Open the navigation menu, click Observability & Management, and then click Fleets under Java Management.
  3. Select your fleet.
  4. Click Actions and from the menu select Crypto event analysis.
  5. Click Start.
  6. Once the work request is finished, click Crypto analysis reports.

OCI CLI

  1. Execute the following command: 
    oci jms fleet request-crypto-analyses --fleet-id $FLEET_OCID

    Note:

    Crypto analysis requires running applications, which are producing cryptographic related events, for example TLS handshakes. To execute crypto analysis only on certain managed instances, use the targets parameter as shown in the example below.

Example

We will demonstrate this functionality on two simple Spring Boot client/server applications which will be configured with short living certificate of weak algorithm SHA1withRSA and with weak 1024-bit key size. For simplicity, both applications will be running on one managed instance.

Note:

The example application can be retrieved from: https://github.com/jirkafm/spring-tls-example
#!/usr/bin/env bash
 
# configuration variables
FLEET_OCID=ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta
MANAGED_INSTANCE_OCID=ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq
 
# start crypto analysis on specified managed instance
WORK_REQUEST_OCID=$(oci jms fleet request-crypto-analyses \
    --fleet-id "$FLEET_OCID" \
    --targets "[{\"managedInstanceId\":\"$MANAGED_INSTANCE_OCID\"}]" | jq -r '."opc-work-request-id"')
 
echo $WORK_REQUEST_OCID
 
# additionally you can add your own logic to check if work request is finished
# sleep 600
# oci jms work-request get --work-request-id "$WORK_REQUEST_OCID" | jq .data.status

Now we will execute the applications and we will make few API calls to the client application:

 
$ java -jar spring-tls-client-1.1.0.jar &!
$ java -jar spring-tls-server-1.1.0.jar &!
 
$ BOOK_ID=$(curl -kX POST -H "Content-Type: application/json" -d "{ \"title\": \"AwesomeBook\", \"author\":\"AwesomeAuthor\" }" https://localhost:7081/client/books/ | jq -r '.id')
 
$ curl -k https://localhost:7081/client/books/$BOOK_ID
{"title":"AwesomeBook","author":"AwesomeAuthor","id":"d4131bd9-76f0-48cf-9c33-9089a232c865"}

Once the work request is finished, we can check the crypto analysis result:


#!/usr/bin/env bash
 
# configuration variables
FLEET_OCID=ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta
MANAGED_INSTANCE_OCID=ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq
WORK_REQUEST_OCID=ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq
  
ocijms crypto-analysis-result list \
    --sort-by timeCreated \
    --sort-order DESC \
    --limit 10 \
    --managed-instance-id "$MANAGED_INSTANCE_OCID" \
    --fleet-id "$FLEET_OCID" | jq ".data.items[] | select(.\"work-request-id\"==\"$WORK_REQUEST_OCID\")"
{
  "aggregation-mode": "MANAGED_INSTANCE",
  "bucket-name": "jms_ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta",
  "crypto-roadmap-version": "2024-10-15",
  "finding-count": 56,
  "fleet-id": "ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta",
  "host-name": "jms-demo",
  "id": "ocid1.jmsreport.oc1.eu-frankfurt-1.amaaaaaalzyjypyaiaitxhgw4rwkcnjmu3tlqe67mtxdleful7znqr55bvwq",
  "managed-instance-id": "ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq",
  "namespace": "frmss8xk2qta",
  "non-compliant-finding-count": 12,
  "object-name": "JMS/ANALYSIS/CRYPTO/RESULTS/ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta/ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq/CryptoAnalysisResultMerged-20250714094729-ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq-013a1cb4-1e64-4ac9-959a-ddb057d49257.json",
  "summarized-event-count": 36,
  "time-created": "2025-07-14T09:47:29.430000+00:00",
  "time-finished": "2025-07-14T09:39:18+00:00",
  "time-first-event": "2025-07-14T09:29:52.106000+00:00",
  "time-last-event": "2025-07-14T09:30:52.709000+00:00",
  "time-started": "2025-07-14T09:28:29+00:00",
  "total-event-count": 43,
  "work-request-id": "ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq"
}

From the result, we can see there are findings in the application requiring our attention. To see more details, we can execute the following API call to download the JSON report or see the report in more human friendly form in JMS OCI Cloud console. 

# namespace, bucket-name and name parameters were taken from the report payload mentioned above
# we will filter events only for spring-tls-server-1.1.0.jar application
 
oci os object get \
    --namespace frmss8xk2qta \
    --bucket-name jms_ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta \
    --name JMS/ANALYSIS/CRYPTO/RESULTS/ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta/ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq/CryptoAnalysisResultMerged-20250714094729-ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq-013a1cb4-1e64-4ac9-959a-ddb057d49257.json --file - | jq '.applications[] | select(.applicationName == "spring-tls-server-1.1.0.jar")'
...
    {
      "summarizedCryptoEvent": {
        "eventType": "X509CertificateEvent",
        "occurrences": 1,
        "timeFirstEvent": "2025-07-14T09:30:42.203961324Z",
        "timeLastEvent": "2025-07-14T09:30:42.203961324Z",
        "event": {
          "eventType": "X509CertificateEvent",
          "startTime": "2025-07-14T09:30:42.203961324Z",
          "algorithm": "SHA1withRSA",
          "serialNumber": "2c0fb97d",
          "subject": "CN=Client, OU=Server, O=test, L=Portland, ST=OR, C=US",
          "issuer": "CN=Client, OU=Server, O=test, L=Portland, ST=OR, C=US",
          "keyType": "RSA",
          "keyLength": 1024,
          "certificateId": 3057353200,
          "validFrom": "2025-07-14T08:00:55Z",
          "validUntil": "2025-07-17T08:00:55Z"
        }
      },
      "findings": [
        {
          "detectorName": "Certificate will expire soon",
          "severity": "WARN"
        },
        {
          "detectorName": "Removed root certificates with 1024-bit keys",
          "severity": "ERROR",
          "detailsLink": "https://www.java.com/en/configure_crypto.html#RemoveRootCert"
        },
        {
          "detectorName": "SHA-1 signature",
          "severity": "WARN",
          "detailsLink": "https://www.java.com/en/configure_crypto.html#WarnWeakAlgorithms"
        },
        {
          "detectorName": "RSA recommended key size",
          "severity": "WARN",
          "detailsLink": "https://www.java.com/en/configure_crypto.html#defKeySize"
        }
      ]
    }
...