Crypto Event Analysis

With crypto event analysis, administrators get detailed information about which cryptographic algorithms from the Java security libraries are actually in use. JMS compares the algorithms in use against the planned changes to the Java crypto roadmap and highlights applications that may be affected by an upcoming change or by a certificate that is about to expire.

The analysis detects whether any Java application on a managed instance is using an algorithm, key length, or default value that is scheduled to change, and provides recommendations so that the change does not cause an outage.

OCI Cloud Console

  1. Sign in to the OCI Console as an administrator.
  2. Open the navigation menu, click Observability & Management, and then, under Java Management, click
  3. Select your fleet.
  4. Click Actions, then select Crypto Event Analysis from the menu.
  5. Click Start.
  6. Once the work request has completed, click "Crypto analysis reports".

OCI CLI

  1. Run the following command:
    oci jms fleet request-crypto-analyses --fleet-id $FLEET_OCID

    Note:

    Crypto analysis needs running applications that are generating crypto-related events, such as TLS handshakes. To run the crypto analysis only on selected managed instances, use the targets parameter, as shown in the example below.

Example

We will demonstrate this feature on two simple Spring Boot client/server applications, configured with a short-lived certificate that uses the weak SHA1withRSA signature algorithm and a weak 1024-bit RSA key. For simplicity, both applications run on a single managed instance.

Note:

The sample applications can be retrieved from: https://github.com/jirkafm/spring-tls-example
#!/usr/bin/env bash
 
# configuration variables
FLEET_OCID=ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta
MANAGED_INSTANCE_OCID=ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq
 
# start crypto analysis on specified managed instance
WORK_REQUEST_OCID=$(oci jms fleet request-crypto-analyses \
    --fleet-id "$FLEET_OCID" \
    --targets "[{\"managedInstanceId\":\"$MANAGED_INSTANCE_OCID\"}]" | jq -r '."opc-work-request-id"')
 
echo $WORK_REQUEST_OCID
 
# additionally you can add your own logic to check if work request is finished
# sleep 600
# oci jms work-request get --work-request-id "$WORK_REQUEST_OCID" | jq .data.status

Now we start the applications and make a few API calls to the client application:

 
$ java -jar spring-tls-client-1.1.0.jar &!
$ java -jar spring-tls-server-1.1.0.jar &!
 
$ BOOK_ID=$(curl -kX POST -H "Content-Type: application/json" -d "{ \"title\": \"AwesomeBook\", \"author\":\"AwesomeAuthor\" }" https://localhost:7081/client/books/ | jq -r '.id')
 
$ curl -k https://localhost:7081/client/books/$BOOK_ID
{"title":"AwesomeBook","author":"AwesomeAuthor","id":"d4131bd9-76f0-48cf-9c33-9089a232c865"}

Once the work request has completed, we can check the crypto analysis results:


#!/usr/bin/env bash
 
# configuration variables
FLEET_OCID=ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta
MANAGED_INSTANCE_OCID=ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq
WORK_REQUEST_OCID=ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq
  
oci jms crypto-analysis-result list \
    --sort-by timeCreated \
    --sort-order DESC \
    --limit 10 \
    --managed-instance-id "$MANAGED_INSTANCE_OCID" \
    --fleet-id "$FLEET_OCID" | jq ".data.items[] | select(.\"work-request-id\"==\"$WORK_REQUEST_OCID\")"
{
  "aggregation-mode": "MANAGED_INSTANCE",
  "bucket-name": "jms_ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta",
  "crypto-roadmap-version": "2024-10-15",
  "finding-count": 56,
  "fleet-id": "ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta",
  "host-name": "jms-demo",
  "id": "ocid1.jmsreport.oc1.eu-frankfurt-1.amaaaaaalzyjypyaiaitxhgw4rwkcnjmu3tlqe67mtxdleful7znqr55bvwq",
  "managed-instance-id": "ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq",
  "namespace": "frmss8xk2qta",
  "non-compliant-finding-count": 12,
  "object-name": "JMS/ANALYSIS/CRYPTO/RESULTS/ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta/ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq/CryptoAnalysisResultMerged-20250714094729-ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq-013a1cb4-1e64-4ac9-959a-ddb057d49257.json",
  "summarized-event-count": 36,
  "time-created": "2025-07-14T09:47:29.430000+00:00",
  "time-finished": "2025-07-14T09:39:18+00:00",
  "time-first-event": "2025-07-14T09:29:52.106000+00:00",
  "time-last-event": "2025-07-14T09:30:52.709000+00:00",
  "time-started": "2025-07-14T09:28:29+00:00",
  "total-event-count": 43,
  "work-request-id": "ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq"
}

The result shows that the applications have findings that need our attention. For more detail, we can run the following API call to download the JSON report, or view the report in a more readable form in the JMS OCI Cloud Console.

# namespace, bucket-name and name parameters were taken from the report payload mentioned above
# we will filter events only for spring-tls-server-1.1.0.jar application
 
oci os object get \
    --namespace frmss8xk2qta \
    --bucket-name jms_ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta \
    --name JMS/ANALYSIS/CRYPTO/RESULTS/ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta/ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq/CryptoAnalysisResultMerged-20250714094729-ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq-013a1cb4-1e64-4ac9-959a-ddb057d49257.json --file - | jq '.applications[] | select(.applicationName == "spring-tls-server-1.1.0.jar")'
...
    {
      "summarizedCryptoEvent": {
        "eventType": "X509CertificateEvent",
        "occurrences": 1,
        "timeFirstEvent": "2025-07-14T09:30:42.203961324Z",
        "timeLastEvent": "2025-07-14T09:30:42.203961324Z",
        "event": {
          "eventType": "X509CertificateEvent",
          "startTime": "2025-07-14T09:30:42.203961324Z",
          "algorithm": "SHA1withRSA",
          "serialNumber": "2c0fb97d",
          "subject": "CN=Client, OU=Server, O=test, L=Portland, ST=OR, C=US",
          "issuer": "CN=Client, OU=Server, O=test, L=Portland, ST=OR, C=US",
          "keyType": "RSA",
          "keyLength": 1024,
          "certificateId": 3057353200,
          "validFrom": "2025-07-14T08:00:55Z",
          "validUntil": "2025-07-17T08:00:55Z"
        }
      },
      "findings": [
        {
          "detectorName": "Certificate will expire soon",
          "severity": "WARN"
        },
        {
          "detectorName": "Removed root certificates with 1024-bit keys",
          "severity": "ERROR",
          "detailsLink": "https://www.java.com/en/configure_crypto.html#RemoveRootCert"
        },
        {
          "detectorName": "SHA-1 signature",
          "severity": "WARN",
          "detailsLink": "https://www.java.com/en/configure_crypto.html#WarnWeakAlgorithms"
        },
        {
          "detectorName": "RSA recommended key size",
          "severity": "WARN",
          "detailsLink": "https://www.java.com/en/configure_crypto.html#defKeySize"
        }
      ]
    }
...
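The downloaded report is meant to be fed into a review or a CI gate rather than read by hand, so the following Python script, added here as an example (it is not part of the OCI CLI or of the JMS documentation), summarises a report of the shape shown above per application: it counts findings by severity, lists the detectors that fired with ERROR severity, and flags certificates whose validUntil falls within a chosen window. The page elides the name of the key under which each application holds its event groups, so the walker does not assume one; it searches each application object for entries that carry both a summarizedCryptoEvent and a findings key. The embedded report, the key name cryptoEvents, the TLSHandshakeEvent entry and the reference time are all constructed for the example.

```python
"""Summarise a JMS crypto analysis report (added example, not Oracle's code).

The walker does not assume the name of the key that holds the per-application
event list (the page elides it); it looks for objects carrying both a
"summarizedCryptoEvent" and a "findings" entry.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed reference time matching the report's time-created field.
REPORT_TIME = datetime(2025, 7, 14, 9, 47, tzinfo=timezone.utc)

# Constructed sample in the shape of the downloaded report. The key
# "cryptoEvents" is an assumption; the walker never relies on it.
SAMPLE_REPORT = json.dumps({
    "applications": [
        {
            "applicationName": "spring-tls-server-1.1.0.jar",
            "cryptoEvents": [
                {
                    "summarizedCryptoEvent": {
                        "eventType": "X509CertificateEvent",
                        "occurrences": 1,
                        "event": {
                            "algorithm": "SHA1withRSA",
                            "keyType": "RSA",
                            "keyLength": 1024,
                            "subject": "CN=Client, OU=Server, O=test, L=Portland, ST=OR, C=US",
                            "validUntil": "2025-07-17T08:00:55Z",
                        },
                    },
                    "findings": [
                        {"detectorName": "Certificate will expire soon", "severity": "WARN"},
                        {"detectorName": "Removed root certificates with 1024-bit keys", "severity": "ERROR"},
                        {"detectorName": "SHA-1 signature", "severity": "WARN"},
                        {"detectorName": "RSA recommended key size", "severity": "WARN"},
                    ],
                }
            ],
        },
        {
            "applicationName": "spring-tls-client-1.1.0.jar",
            "cryptoEvents": [
                {
                    # Constructed event with no findings, to show a clean application.
                    "summarizedCryptoEvent": {"eventType": "TLSHandshakeEvent", "occurrences": 3,
                                              "event": {"protocolVersion": "TLSv1.3"}},
                    "findings": [],
                }
            ],
        },
    ]
})


def iter_event_groups(node):
    """Yield every (summarizedCryptoEvent, findings) pair found anywhere under node."""
    if isinstance(node, dict):
        if "summarizedCryptoEvent" in node and "findings" in node:
            yield node["summarizedCryptoEvent"], node["findings"]
            return
        for value in node.values():
            yield from iter_event_groups(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_event_groups(item)


def summarize(report_json, now, expiry_window=timedelta(days=30)):
    """Return {applicationName: {severities, error_detectors, expiring_certs}}."""
    report = json.loads(report_json)
    summary = {}
    for app in report.get("applications", []):
        name = app.get("applicationName", "<unknown>")
        severities = Counter()
        errors = set()
        expiring = []
        for event, findings in iter_event_groups(app):
            for finding in findings:
                severity = finding.get("severity", "UNKNOWN")
                severities[severity] += 1
                if severity == "ERROR":
                    errors.add(finding.get("detectorName", "?"))
            details = event.get("event", {})
            valid_until = details.get("validUntil")
            if valid_until:
                # validUntil is ISO 8601 with a trailing Z; fromisoformat needs +00:00.
                until = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
                if until - now <= expiry_window:
                    expiring.append((details.get("subject", "?"), valid_until))
        summary[name] = {
            "severities": dict(severities),
            "error_detectors": sorted(errors),
            "expiring_certs": expiring,
        }
    return summary


def has_blocking_findings(summary):
    """Gate: True if any application carries an ERROR finding or an expiring certificate."""
    return any(s["error_detectors"] or s["expiring_certs"] for s in summary.values())


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT, REPORT_TIME)
    for app, info in result.items():
        print(app, json.dumps(info))
    print("blocking:", has_blocking_findings(result))
```

Run against a real report, replace SAMPLE_REPORT with the JSON obtained from `oci os object get ... --file -` and REPORT_TIME with the current time; the gate treats any ERROR finding, or any certificate within 30 days of expiry, as a reason to block, which is a choice for this example rather than a rule the report itself encodes.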