Skip navigation.

Notes to self

Whatever I feel like writing

Posts tagged with "java"

How to grab the certificate from a website and import it with Java keytool

Monday, 2. November 2009, 16:53:03

, ,

This is another one of those things that are impossible to remember.

For the record, the OS I'm using here is Ubuntu Linux, so the commands and paths will be different if you happen to be on Windows (keep googling, I know that a page is out there for you).

Step One is obviously to go grab the certificate from the web server. We'll use openssl, the tool, to dump the security information we need:

$ openssl s_client -connect that-server.com:443 > cert


Now open the newly created "cert" file in a text editor and remove everything but the blob that looks like this, but with different data in it:

-----BEGIN CERTIFICATE-----
MIIDIjCCAougAwIBAgIQbt4NlJn3RTPdEpf8Qqk74TANBgkqhkiG9w0BAQUFA8Bn
[... etc, etc, etc ...]
byB0lP6qDtnVOyEQp2Vx+QIJza6IQ4XIglhwMO4V8z12Hi5Fprw=
-----END CERTIFICATE-----


This cleaned up file is now the certificate that you want to import.

Step Two is to find the key-store that your Java installation uses (google will tell you that this file is called "cacerts"):

$ locate cacerts
/etc/java-1.5.0-sun/security/cacerts
/etc/java-6-openjdk/security/cacerts
/etc/java-6-sun/security/cacerts


So I obviously have more than one keystore because I have more that one version of Java installed. I use the "java-6-sun" version by default. The command 
$ update-alternatives --display java
will tell you which version is your default.

Step Three is to finally install this certificate into the keystore. This command ends up doing it for me:

$ sudo keytool -importcert -keystore /etc/java-6-sun/security/cacerts -alias that-server -file cert


You will be asked for a password to access the keystore. By default, this keystore password is changeit - another thing easily forgotten.

And now your JVM should be able to create secure connections without those pesky SSL exceptions.

No comments

JDBC Connection Pools, does the world need another?

Thursday, 2. July 2009, 22:24:28

, , ,

Over the past year or so, I have on occasion been working on a project called NanoPool. It is a JDBC 2 connection pool that exposes itself as a DataSource and is released under the Apache 2 license.

I started writing it after having read Java Concurrency in Practice, because I wanted to experiment with implement something that was both simple, concurrent and lock-free.

This experiment ended up being a JDBC connection pool implementation that is really fast at connection reuse. It is lock-free so internal dead-locks are impossible. It supports hot resizing so you can adjust the pool-size during peak-hours. It has hooks for high contention callbacks so you can be notified if your pool is too small. It has no internal threads so life-cycle management is simpler (and no thread-leaks). It has a feature-full JMX interface so management is theoretically a breeze.

With all these nice things comes a number of caveats. For instance, NanoPool will, per its design, saturate the pool and try to keep all connections open at all times. Most other pools have a maximum and minimum size that bounds how many connections will be kept open at any given time. NanoPool does not do this; it has just a pool size.

Another caveat comes by virtue of not having any internal threads. This means that the only threads that can do pool maintenance work, such as reestablishing aging connections, are the client threads that call into the pool to either claim or release connections. This may be a problem if you worry a lot about latency and standard deviation in response times. That said, I have not really checked if other pools do any better in this respect, so test & check it yourself if this is a concern.

Anyway, the question that is really on my mind is this: NanoPool is almost at 1.0 state, but does it make sense to complete it and ship it? I mean, is it really add something of value and not just noise? I think that people are extremely conservative when picking connection pools so it may be a wasted effort. On the other hand, if I go through and release it then I take on the responsibility of support and maintenance nearly regardless of the user base (although I think there will be less of this work for NanoPool than what I ended up with for Fabric).

In other words: does the world need another connection pool?

9 comments

Getting finalize() right in Java is hard

Wednesday, 14. January 2009, 20:09:32

, ,

Someone posted this gem on the concurrency-interest mailing list: http://gceclub.sun.com.cn/java_one_online/2005/TS-3281/ts-3281.pdf

It is a PDF presentation by Hans Boehm (the GC guy) from JavaOne 2005. The presentation goes through a very simple example, pointing out flaws left and right - the number of pitfalls and the effort required to avoid them was surprisingly high.

No comments

Permgen: Our Workable solution.

Sunday, 31. August 2008, 00:09:51

, , , ...

The majority of the visitors to this blog, I just noticed, come here because they are interested in my permgen saga:

  1. Good Riddance, PermGen OutOfMemoryError!
  2. PermGen Strikes Back!
  3. Return of the PermGen


The last installment concluded with newfound hope in the JDK6 profiling tools and a promise to post back as more knowledge was uncovered. Well... that was a while ago.

So, why haven't I spent time blogging about all of the exciting findings I must have made along my quest to solve this problem, since the 29th of September, 2007? The answer is simple: I have not spent any time at all on this problem. The reason for this lack of effort is simple: permgens have not been a problem to me since about that time.

To properly explain what has happened, let me draw a parallel to writing code - multi-threaded code, to be presice: What is the primary concern in multi-threaded/concurrent code? Shared mutable state. The easiest way to solve this problem? Do not share state, or make shared state immutable.

Neither of these proposed solutions actually solve the problem of shared mutable state. Instead they remove it; make the problem moot - a non-issue.

I have not solved the permgen problem; I have made it moot. Well, the operations department have made it moot and I have been cheering from the side-line.

The Moot Permgen:

Recall the original problem: every so often we redeploy a Java web application on our application servers, without restarting said servers. An intricate object graph prevents the old class files from being unloaded, this equates to a memory leak in the permanent generation of the JVM that eventually causes the server to die with an OutOfMemoryError.

The thing that gets the hair ball rolling here, is the deployment without restarting the server. To make this problem moot, all we have to do is to always restart the server every time we deploy an application.

Simple, right?

It's like when you go to the doctor and say "It hurts when I do this" and the doctor says "Well, don't do that." Same exact thing. Deployment without a restart: Just stop it!

The Other Way around the problem:

We basically changed the way we deploy applications. Not in a big way, just some small adjustments.

First and foremost, we don't deploy anything without restarting the server - but you already knew that.

Second, we deploy less stuff on our servers - the fewer apps you run on a server, the faster it'll restart. Preferably, we would only run one application per JVM- this way, the restartes would only affect a single application.

Lastly, we're moving our production systems to load-balanced setups. When an application is running on two (or more) servers behind a load-balancer, then restarting a server won't incur any down-time.

It's not rocket science. It's a practical and workable way to simply avoid having to deal with the dreaded OutOfMemoryError: permgen.

6 comments

Stripes 1.5

Monday, 18. August 2008, 23:24:52

, ,

The guys behind the Stripes web framework shoved a version 1.5 out the door today (well, yesterday - it's past midnight here).

Here's the link: http://www.stripesframework.org/

So, this is where one usually talk about why this is cool, but truth is; I only just started creating anything with Stripes today/yesterday, and that is even with the previous version 1.4.3. Still, I'de like to get my initial judgment across, because I think that this framework is undervalued and dosn't get the talking-about it deserves.

The thing about Stripes is how it combines simplicity and flexibility. You can configure and customize a ton of things - but you don't have to, because almost everything has a reasonable default. The only required configuration is that you need to tell it where you controllers, or ActionBeans, as they're called, live. From then on, Stripes is pretty much just a request dispatch mechanism and a tag library.

This brings me to my second nice observation: Stripes is all about the presentation layer, and Stripes is only about the presentation layer. It dosn't care about how you talk to a database or if you even have one. It is also isn't particulary picky about how you organise you controllers - it uses annotations to figure out who does what and when. These annotations can also be used for input validation on forms, it seems, but I have yet to try out that feature.

The requests are dispatched to your action beans, and by default the URL is based on the fully qualified class-name of that bean. However, this can be overwriten with a UrlBinding annotation on the class. The methods on the class may then be annotated as handlers of some sort. You usually annotate a DefaultHandler, and then annotate the other methods to match the names of submit buttons on forms, or stripes:link tags. To communicate state from request parameters to your ActionBean, and from your ActionBean to you JSP or other view file, you use getter and setter methods on you ActionBean - this makes them non-thread safe, but that dosn't matter because they're created on a per request basis.

At first you might run into problems getting Stripes to find the right ActionBeans for the right URLs - especially if you use the UrlBinding annotation, but fret not. Just leave your JSP files in their default place, make sure you have configured the proper packages for the ActionResolver.Packages init-param in your web.xml, and finally check that the URL that you specified in your annotation will actually be hit by the Stripes DispatcherServlet and then you should be on your way.

With this, I'm starting to like Stripes; the simplicity and reasonable default configuration let me see some fireworks in short order, and yet it allows me to configure and tweak and customize the parts I need. Simple on the surface, flexible underneath - that should be their slogan. They put it like this on their home page:

Stripes aims to provide an experience similar to owning Apple hardware, Sony TVs and luxury German cars (without the price premium); things just work, they feel right and every now and again you get that "oh, it does that too? awesome!" feeling.



And I'm thinking they're getting close to home on that one. So even though I've only been working with this framework for a few hours, I have a feeling I'll be sticking to it.

No comments

Eclipse crashes on 64-bit Linux

Monday, 7. July 2008, 14:45:58

,

It seems that lots of people are experiencing their Eclipse IDE crashing more or less randomly on thei 64-bit Linux systems.

However, it seems that adding this:

-XX:CompileCommand=exclude,org/eclipse/core/internal/dtree/DataTreeNode,forwardDeltaWith


To your eclipse.ini fixes the issue, for some reason.

EDIT:

After installing some plugins, my Eclipse started crashing again. That's the bad part. The good part is that you can see in the generated hs_err_* file exactly which method the JIT compiler was groking when HotSpot crashed. This lead me to add another line to my eclipse.ini:

-XX:CompileCommand=exclude,org/eclipse/jdt/internal/compiler/lookup/ParameterizedMethodBinding,<init>


And that seems to have solved the crashes... again.

5 comments

Return of the PermGen

Saturday, 29. September 2007, 22:38:18

,

This appears to be the third installment in the saga of my PermGen problems.

For good measure, here are the previous posts:


The newsflash this time is that I stumbled upon some guy Thompson's blog post about this very problem - by itself nothing new; concluding by recommending a JVM with infinite perm-space (BEA or IBM).

The interesting part, however, is stoney's comment where he links to two posts on a blog by Frank Kieviet.

The first of Franks posts is concerned with what the PermGen error is really all about, namely how these leaks in the reloading classloaders in our application servers happen. His second post is a bit more involved and shows how you can use new profiling tools in Java 6 to track down classloader leaks.

So the good news is that we now have the knowledge and tools required to kill this bug.
The bad news is that we've also learned that walking the walk will probably be a lot tougher than talking the talk.

We have to scrutinize our dependency tree, and think really, really, REALLY hard before we put a jar in our servers indorsed directory.

In fact, I think I'll try an experiment tomorrow (today, actually, after I've slept) where I strip down a Tomcat instance (JBoss is probably too intertwined with itself to really strip down) and create some web applications who's only runtime dependencies are the servlet-api and the JRE!

I should really think that classloader leaks are really hard to create with something as simple as the servlet-api, and if you use your JRE with care, then it should damn well be possible to avoid classloader leaks with that dependency as well.

Man, I'm really excited about the idea that there's actually hope for us lay-coders to actually rid ourselves of this nasty ghost-bug-thing/issue.

I'll be sure to report back when I've done some experiments with this new knowledge!

3 comments

PermGen Strikes Back!

Thursday, 15. March 2007, 15:34:58

,

Bugger, bugger, bugger!

Just as I thought that the issue with the PermGen OutOfMemoryError was over, it turns out: it's not.

Here's why: by setting the -XX:MaxPermSize=128m, I was only postponing the eventual death of my app server. This postponing was apparently so good, that I didn't incounter the PermGen issue during my, ahem, "tests".

In fact, my "test" was not only manual, it was also naïve. What I did was to run the app server without the GC tuning parameters, and make redeployments until it crashed. Turns out I could make 5 redeployments with an app called Payout (named after my current project). Then I applied the parameters and redeployed again and again until I felt confident it worked. Apparently, I felt confident after 10 redeployments.

My failure was that I didn't do any actual measuring of the state of the memory in the JVM. :clown:

Nervous sysadmin

My sysadmin contacted me today and said that he was worried that the memory usage pattern hadn't changed significantly. The JVM was still, slowly but surely, eating up all its memory. I pointet out that the MaxPermSize had been increased, and the GC probably didn't bother to reclaim memory because there was still plenty of it available. My rationale was, that once the JVM got closer to the max, it would start to do more garbage collection.

And then, I started to feel like testing my claims.

I wrote a small web application that used the MemoryMXBean to plot the NonHeap memory stats to an array list every minute, and then print the list, CSV formattet, on a JSP file. I then followed the memory usage as I start to redeploy again and a again, to see what would happen when I reached the max. As you figured, I got PermGens.
Then I snatched the memory statistics from my little plotter app, and importedd it into Excel to generate this graph:


What have we learned?

Two things:
  1. The PermGen issue is harder to crack than I first thought.
  2. One should properly test one's claims before bragging about it on blogs and dzone and whatnot.

So I guess it's back to the drawing board! :furious:

17 comments

Good Riddance, PermGen OutOfMemoryError !

Tuesday, 13. March 2007, 20:44:47

, , , ...

Hi, you're probably here because you are hot-deploying some Java web applications and you have problems with some PermGen: OutOfMemoryErrors. Then you somehow found a link to an article that claimed to solve this very problem.

Well, that article was wrong. So I put up a big red note, but people still link to it.

So, in an attempt to set things straight again, I present a short list of facts that I have collected since I wrote the original article:

  • Bugs in the Sun garbage collector is one source of this problem.
  • There are (were? can't be arsed to check) more than one bug, hence confusion.
  • Your app failing to undeploy completely will leak all classes in your app, every time you redeploy - this is another source of the problem.
  • None of these sources can be fixed with GC flags.
  • The JRocket JVM does NOT fix this problem - it simply lets the permgen grow unbounded, until something bad happens, like swap-thrashing or the OS kills it.

The only solution I have found that is feasible, reliable and portable is this: reboot your servers!

P.S. Don't bother giving me links to other articles on this issue. Even if you happen to find something I haven't already read, chances are that it is simply rehashing stuff I already know.

Thanks!


Bellow this line is the original article with all it's faulty conclusions.
-----------------------------------------------------------------------------------------------------------------------
I did it!

Yes, lads & lasses! If you've been annoyed with having JBoss or Tomcat die with an OutOfMemoryError every fifth time you redeploy your beloved brainchild of a web application, then this is your lucky day! Because I found a fix! It's true! Yay! ....!!!!!11one (can you tell this has been a pain to me?)

Boring but Serious Theory and Hypothesis part:
The "PermGen" error happens, when the Java virtual machine runs out of memory in the permanent generation. Recall that Java has a generational garbage collector, with four generations: eden, young, old and permanent.

In the eden generation, objects are very short lived and garbage collection is swift and often.

The young generation consists of objects that survived the eden generation (or was pushed down to young because the eden generation was full at the time of allocation), garbage collection in the young generation is less frequent but still happens at quite regular intervals (provided that your application actually does something and allocates objects every now and then).

The old generation, well, you figured it. It contains objects that survived the young generation, or have been pushed down, and garbage collection is even less infrequent but can still happen.

And finally, the permanent generation. This is for objects that the virtual machine has decided to endorse with eternal life - which is precicely the core of the problem. Objects in the permanent generation are never garbage collected; that is, under normal circumstances when the jvm is started with normal command line parameters.

So what happens when you redeploy your web application is, that your WAR file is unpacked and its class files loaded into the jvm. And here's the thing: almost always ends up in the permanent generation... Because, seriously, who wants to garbage collect their classes?!? Well, apparently application servers do, and here's how we make that happen;

PermGen, The Fix:
The standard garbage collector can't collect in the permanent generation, but the concurrent collector can. So the first thing we need to do is to make sure that the jvm uses the concurrent garbage collector. This is done by putting this:

> -XX:+UseConcMarkSweepGC

In java's command line arguments. But this is not enough. We must also specifically tell it to collect in the permanent generation, and this is done with this command line argument:

> -XX:+CMSPermGenSweepingEnabled

Good, now the concurrent collector will take the permantent generation under its wings. But wait! Classes are special, and the jvm is reluctant to let go of them, so we must also explicitly allow classes to be unloaded:

> -XX:+CMSClassUnloadingEnabled

Now we're certain that the permanent generation will be properly cleaned. But this raises another issue: what if the jvm unloads classes that might still be needed? I imagine it can be hard for a collector to tell whether or not a class might still be needed with the amount of reflection that goes on in an application server. Therefor, we might want to tweak the amount of memory allocated for the permanent generation, and this is done with this command line parameter:

> -XX:MaxPermSize=128m

Which will set the maximum size of our permanent generation to 128 megabytes - tweak it to fit your needs.

With these parameters properly applied to the jvm that runs your application server, your chances of running into a PermGen OutOfMemoryError will be considerably lessened.

Take care!

27 comments

A03 Look And Feel

Thursday, 22. February 2007, 09:21:17

In case you've missed it: the A03 LAF - to describe it in one word: awesome!

No comments

1 2 Next »

Showing posts 1 - 10 of 12.