加密事件分析
管理員可以使用「加密事件分析」取得 Java 安全程式庫所使用之加密演算法的詳細資訊。JMS 將會比較目前使用的演算法與計畫的變更,並標示未來變更或即將到期的憑證可能影響的應用程式。
分析會偵測受管理執行處理中的任何 Java 應用程式是否使用將會變更的演算法、金鑰長度或預設值,並提供建議以避免中斷。
OCI 雲端主控台
- 以管理員身分登入 OCI 主控台。
- 開啟導覽功能表,按一下可觀測性與管理,然後按一下 Java 管理下的機組。
- 選取您的機組。
- 按一下動作,然後從功能表選取加密事件分析。
- 按一下開始。
- 工作要求完成後,請按一下「加密分析」報表。
OCI CLI
- 執行下列命令:
oci jms fleet request-crypto-analyses --fleet-id $FLEET_OCID附註:
加密分析需要執行產生加密相關事件的應用程式,例如 TLS 交握式確認。若要只在特定受管理執行處理上執行加密分析,請使用目標參數,如下方範例所示。
範例
我們將在兩個簡單的 Spring Boot 用戶端 / 伺服器應用程式上示範此功能,這些應用程式將設定弱演算法 SHA1withRSA 的短存憑證,且金鑰大小較弱的 1024 位元。為了簡化,兩個應用程式都會在一個受管理的執行處理上執行。
附註:
範例應用程式可從以下位置擷取:https://github.com/jirkafm/spring-tls-example#!/usr/bin/env bash
# configuration variables
FLEET_OCID=ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta
MANAGED_INSTANCE_OCID=ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq
# start crypto analysis on specified managed instance
WORK_REQUEST_OCID=$(oci jms fleet request-crypto-analyses \
--fleet-id "$FLEET_OCID" \
--targets "[{\"managedInstanceId\":\"$MANAGED_INSTANCE_OCID\"}]" | jq -r '."opc-work-request-id"')
echo $WORK_REQUEST_OCID
# additionally you can add your own logic to check if work request is finished
# sleep 600
# oci jms work-request get --work-request-id "$WORK_REQUEST_OCID" | jq .data.status現在我們將執行應用程式,並會對用戶端應用程式進行一些 API 呼叫:
$ java -jar spring-tls-client-1.1.0.jar &!
$ java -jar spring-tls-server-1.1.0.jar &!
$ BOOK_ID=$(curl -kX POST -H "Content-Type: application/json" -d "{ \"title\": \"AwesomeBook\", \"author\":\"AwesomeAuthor\" }" https://localhost:7081/client/books/ | jq -r '.id')
$ curl -k https://localhost:7081/client/books/$BOOK_ID
{"title":"AwesomeBook","author":"AwesomeAuthor","id":"d4131bd9-76f0-48cf-9c33-9089a232c865"}工作要求完成後,我們可以檢查密碼編譯分析結果:
#!/usr/bin/env bash
# configuration variables
FLEET_OCID=ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta
MANAGED_INSTANCE_OCID=ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq
WORK_REQUEST_OCID=ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq
ocijms crypto-analysis-result list \
--sort-by timeCreated \
--sort-order DESC \
--limit 10 \
--managed-instance-id "$MANAGED_INSTANCE_OCID" \
--fleet-id "$FLEET_OCID" | jq ".data.items[] | select(.\"work-request-id\"==\"$WORK_REQUEST_OCID\")"
{
"aggregation-mode": "MANAGED_INSTANCE",
"bucket-name": "jms_ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta",
"crypto-roadmap-version": "2024-10-15",
"finding-count": 56,
"fleet-id": "ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta",
"host-name": "jms-demo",
"id": "ocid1.jmsreport.oc1.eu-frankfurt-1.amaaaaaalzyjypyaiaitxhgw4rwkcnjmu3tlqe67mtxdleful7znqr55bvwq",
"managed-instance-id": "ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq",
"namespace": "frmss8xk2qta",
"non-compliant-finding-count": 12,
"object-name": "JMS/ANALYSIS/CRYPTO/RESULTS/ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta/ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq/CryptoAnalysisResultMerged-20250714094729-ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq-013a1cb4-1e64-4ac9-959a-ddb057d49257.json",
"summarized-event-count": 36,
"time-created": "2025-07-14T09:47:29.430000+00:00",
"time-finished": "2025-07-14T09:39:18+00:00",
"time-first-event": "2025-07-14T09:29:52.106000+00:00",
"time-last-event": "2025-07-14T09:30:52.709000+00:00",
"time-started": "2025-07-14T09:28:29+00:00",
"total-event-count": 43,
"work-request-id": "ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq"
}因此,我們可以在應用程式中看到需要注意的發現項目。若要查看更多詳細資訊,我們可以執行下列 API 呼叫來下載 JSON 報表,或在 JMS OCI Cloud 主控台中以更方便使用的形式查看報表。
# namespace, bucket-name and name parameters were taken from the report payload mentioned above
# we will filter events only for spring-tls-server-1.1.0.jar application
oci os object get \
--namespace frmss8xk2qta \
--bucket-name jms_ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta \
--name JMS/ANALYSIS/CRYPTO/RESULTS/ocid1.jmsfleet.oc1.eu-frankfurt-1.amaaaaaaptiaquqa2qxxkco6hrguz7nyug2hcpgikhe5gz4d7uy6j6ilbtta/ocid1.instance.oc1.eu-frankfurt-1.antheljtptiaquqcrjmnu7mxbjthm2jm5qzryu7xy4w27rfo56nxf4uwv6pq/CryptoAnalysisResultMerged-20250714094729-ocid1.jmsworkrequest.oc1.eu-frankfurt-1.aaaaaaaa7lxtmzmv2nt72fcnfwbo67xvffvuypnj4ca5hhky7kko2d4flvxq-013a1cb4-1e64-4ac9-959a-ddb057d49257.json --file - | jq '.applications[] | select(.applicationName == "spring-tls-server-1.1.0.jar")'
...
{
"summarizedCryptoEvent": {
"eventType": "X509CertificateEvent",
"occurrences": 1,
"timeFirstEvent": "2025-07-14T09:30:42.203961324Z",
"timeLastEvent": "2025-07-14T09:30:42.203961324Z",
"event": {
"eventType": "X509CertificateEvent",
"startTime": "2025-07-14T09:30:42.203961324Z",
"algorithm": "SHA1withRSA",
"serialNumber": "2c0fb97d",
"subject": "CN=Client, OU=Server, O=test, L=Portland, ST=OR, C=US",
"issuer": "CN=Client, OU=Server, O=test, L=Portland, ST=OR, C=US",
"keyType": "RSA",
"keyLength": 1024,
"certificateId": 3057353200,
"validFrom": "2025-07-14T08:00:55Z",
"validUntil": "2025-07-17T08:00:55Z"
}
},
"findings": [
{
"detectorName": "Certificate will expire soon",
"severity": "WARN"
},
{
"detectorName": "Removed root certificates with 1024-bit keys",
"severity": "ERROR",
"detailsLink": "https://www.java.com/en/configure_crypto.html#RemoveRootCert"
},
{
"detectorName": "SHA-1 signature",
"severity": "WARN",
"detailsLink": "https://www.java.com/en/configure_crypto.html#WarnWeakAlgorithms"
},
{
"detectorName": "RSA recommended key size",
"severity": "WARN",
"detailsLink": "https://www.java.com/en/configure_crypto.html#defKeySize"
}
]
}
...