Java - HOAB

Introscope & SAML (saml.jsp)

Rédigé par gorki 18 septembre 2022 Aucun commentaire

Problem :

I tried to connect Broadcom Introscope 10.7 and SAML given by Keycloak.

Based on these documents :

Well not enough to make it works.

Solution :

Thanks to remote debug mode, the key is that the callback URL is :

https://<webview url>/saml.jsp

Search for saml.jsp + introscope on google. Good luck.

Here are the steps (assuming that you already have a keycloak realm up and ready) :

Step 1 : IntroscopeEnteprise.properties

introscope.saml.enable=true
introscope.saml.request.binding=POST
introscope.saml.idpUrl=<URL_KEYCLOAK>/realms/<your realm>/protocol/saml
introscope.saml.issuer=com.ca.apm.webview.serviceprovider
introscope.saml.webstart.issuer=com.ca.apm.webstart.serviceprovider
introscope.saml.em.issuer=com.ca.apm.em.serviceprovider
introscope.saml.principalAttributeName=principalName
introscope.saml.groupsAttributeName=groups
introscope.saml.webstart.tokenTimeoutInSeconds=60
introscope.saml.internalIdp.enable=false
# introscope.saml.internalIdpUrl=http://localhost:8080/idp/profile/SAML2/POST/SSO

Step 2 : Keycloak configuration

Create a client named as introscope.saml.issuer so in our case : com.ca.apm.webstart.serviceprovider
Enter the callback URL in Master SAML Processing URL : https://<webview url>/saml.jsp

Step 3 : Certificates

You should secure you communication between Introscope and Keycloak :

Provide HTTPS for Keycloak
Provide HTTPS for Introscope
Sign information in Keycloak client
Import Keycloak key in a JKS truststore for Java (Webview part). Keycloak client certificate are in the client definition, tab “Keys”.
1. Follow Official guide to create the JKS
Point to this truststore (example : spprivatekey.jks) - next steps.

Step 4 : IntroscopeWebview.properties:

apm.webview.saml.sp.truststore=/path/to/spprivatekey.jks

Introscope & Unsupported major.minor version 52.0

Rédigé par gorki 23 août 2022 Aucun commentaire

Problem :

Launching a JVM with Introscope agent on a old JVM 1.7 result in :

A problem occurred while attempting to create the delegate agent
[IntroscopeAgent] Agent Unavailable

Well, as the agent is heavily customized, removing customization was the first step. It starts.
OK, a few lambda removing alter, I recompiled everything with Java 1.7 target.. And still the same message.

Solution :

After a hours ...

Step 1 :

Decompile
- com.wily.introscope.agent.AgentShim
Add more logs, it confirms this is a class loading problem with major/minor version. I finally get the class name

Step 2 :

After checking X times my maven settings, I finally used : *
- javap -v | grep version
- to check if it was ok or not.
and surprisingly, the generated class was OK !
but I used also assembly plugin

Step 3 :

The cause was that I recompile some classes of an old jar and rebuild it
I tracked the faulty classes version in the different repositories The root cause was that I installed in a local repository the old jar without the modified classes with the command :

plaintext mvn install:install-file -DcreateChecksum=true -Dfile=./agent/wily/Agent.jar -DgroupId=com.ca.agent -DartifactId=javaagent -Dversion=10.0.7SP3 -Dpackaging=jar -DlocalRepositoryPath=local-maven-repo

which install it also after build in the global repository...

And assembly plugin use in priority the global repository.

Well I didn't take time to understand why maven do not use only my local repository for this jar.

I just add : rm -rf ~/.m2/repository/com/ca/agent/sqlagent in the beginning of my install script !

Well a few hours lost again here...

Cannot create GC thread but a lot of memory

Rédigé par gorki 23 mars 2022 Aucun commentaire

Problem :

Launching a JVM I have the message : "Cannot create GC thread. Out of system resources"

Enough memory
Enough swap
Enough ulimit
Enough threads-max
Enough CPU

Event extend the PID limit...

Important (at the end) : debian version = 10.11

Solution :

After a hours of googling, I found :

https://stackoverflow.com/questions/18078859/java-run-out-of-memory-issue
- Fix the number of CPU for GC (in case of many CPU available ... greater than 8)
https://serverfault.com/questions/662992/java-on-linux-insufficient-memory-even-though-there-is-plenty-of-available-memor
- Check ulimit -u
- Check ulimit -Hu
- Check open files (https://shaarli.hoab.fr/?8yFkBw)
https://www.cyberciti.biz/tips/howto-linux-increase-pid-limits.html
- Extend PID max : cat /proc/sys/kernel/pid_max

But none of these solutions works and none was matching the number I had :

number of open files < ulimit -n
maximum process/tasks < ulimit -u

But in a thread, I found something that was working : UserTasksMax.
I'm running SystemD, I have around 10805 task running for my user.
And from : https://manpages.debian.org/stretch/systemd/logind.conf.5.en.html

UserTasksMax=

Sets the maximum number of OS tasks each user may run concurrently. This controls the TasksMax= setting of the per-user slice unit, see systemd.resource-control(5) for details. If assigned the special value "infinity", no tasks limit is applied. Defaults to 33%, which equals 10813 with the kernel's defaults on the host, but might be smaller in OS containers.

For my suspect PID (a lot of files) :

cat /proc/21890/status | grep Thread => 1 thread
ls /proc/21890/task | wc
confirmed by the usual command : ps -eLf | grep calrisk | wc

I have around 10805 threads running for a given JVM very close to the limit.

Complete guide :

https://www.journaldufreenaute.fr/nombre-maximal-de-threads-par-processus-sous-linux/

Parameters not present in all man page, it could grown up to 12288 on latest version.

To be check !

Swing application freeze

Rédigé par gorki 24 août 2021 Aucun commentaire

Problème :

J'ai une application en client lourd java qui fonctionnait bien. Depuis quelques jours, elle freeze quand j'ouvre une série de popup ce qu'elle ne faisait pas avant (ou que je n'avais pas remarqué).

Précision : je suis sous Linux, Gnome.

Solution :

J'ai désactivé les agents que j'avais en même temps, supprimer les options inutiles de la JVM, toujours rien.

La stacktrace me dit ceci :

"pool-19-thread-1" #175 prio=5 os_prio=0 tid=0x00007fe2b4055000 nid=0x5ee3 waiting for monitor entry [0x00007fe3d2efd000]
   java.lang.Thread.State: BLOCKED (on object monitor)
        at java.awt.KeyboardFocusManager.clearMostRecentFocusOwner(KeyboardFocusManager.java:1882)
        - waiting to lock <0x00000000e081d6e0> (a java.awt.Component$AWTTreeLock)
        at java.awt.Component.disable(Component.java:1526)
        at javax.swing.JComponent.disable(JComponent.java:3639)
        at java.awt.Component.enable(Component.java:1515)
        at java.awt.Component.setEnabled(Component.java:1478)
        at javax.swing.JComponent.setEnabled(JComponent.java:2680)
        at javax.swing.JComboBox.setEnabled(JComboBox.java:1391)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

"SwingWorker-pool-4-thread-7" #171 daemon prio=5 os_prio=0 tid=0x00007fe33c6ff000 nid=0x5edf waiting on condition [0x00007fe3bbefb000]
   java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        - parking to wait for  <0x00000000fb81e808> (a java.util.concurrent.FutureTask)
        at java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
        at java.util.concurrent.FutureTask.awaitDone(FutureTask.java:429)
        at java.util.concurrent.FutureTask.get(FutureTask.java:191)
        at org.GNOME.Accessibility.AtkUtil.invokeInSwing(AtkUtil.java:68)
        at org.GNOME.Accessibility.AtkObject.hashCode(AtkObject.java:234)
        at org.GNOME.Accessibility.AtkWrapper.emitSignal(Native Method)
        at org.GNOME.Accessibility.AtkWrapper$5.propertyChange(AtkWrapper.java:545)
        at java.beans.PropertyChangeSupport.fire(PropertyChangeSupport.java:335)
        at java.beans.PropertyChangeSupport.firePropertyChange(PropertyChangeSupport.java:327)
        at java.beans.PropertyChangeSupport.firePropertyChange(PropertyChangeSupport.java:263)

Au final, ce lien j'ai trouvé ce lien et j'ai ajouté l'option Java sur la ligne de commande. Tout est OK.

-Djavax.accessibility.assistive_technologies=

Pour plus d'informations :

https://docs.oracle.com/javase/8/docs/technotes/guides/access/new-features.html

IE11 et cache-control rules

Rédigé par gorki 29 novembre 2020 Aucun commentaire

Problem :

I had a problem, nearly simple : on an angular 11 application, font was not displayed on IE11 on customer site.

After a few tests :

I reproduce it on my demo site
I do not reproduce in dev mode

Solution :

Well, I search for a while, and here is a summary.

IE11 has a problem if header "Cache-Control: nostore" is set for fonts... Not easy to find but there is some reference here
On my dev, it's working, after a check, I'm not setting Cache-Control: nostore
On my demo site, I have this header, but I have a Nginx as a reverse proxy. Ok, that's why
On customer site, I do not have control on network elements. One must add it also

I made the assumption that if I set a Cache directive, intermediate server won't modify it.

It works on my demo site. I'll check next on my customer site.

To add cache control on springboot, thanks Baeldung !

        registry.addResourceHandler("/assets/**").addResourceLocations("classpath:/static/hpa-portal/assets/")
                .setCacheControl(CacheControl.maxAge(1, TimeUnit.DAYS));