Enabling the Enhanced Heap Dump Feature

Introduction

  • The JVM can dump the heap data of a process. If sensitive information is stored in the Java process memory, dumping heap files may cause information leakage.
  • The enhanced heap dump feature masks the sensitive information while preserving the ability to locate faults from the heap dump. This feature is important for protecting data security and privacy, especially for confidential projects.

Application Scenario

Heap dump files are required for fault locating or performance analysis, and sensitive information in the files needs to be protected from leakage.

Restrictions

  • The Java version must match the JDK package that supports this feature.
  • Download and install the BiSheng JDK acceleration software package as described in "Installing the BiSheng JDK Acceleration Library", and move the software package to the /usr/lib64 directory. Set the permissions so that the Java process owner can read and execute the software package.

How to Use

You can enable the enhanced heap dump feature in either of the following ways:

  • Using VM parameters:
    java -Xmx10M -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpRedact=full -XX:RedactMapFile=/home/heapmap.txt -XX:RedactMap="password:abc;encrypt:cde" MyClass
  • Using jmap command parameters:
    jmap -dump:HeapDumpRedact=<names/basic/full/annotation/diyrules/off>,RedactMap="<key1:value1;key2:value2;...>",RedactMapFile=<file path> <pid>

For parameter details, see Table 1.

Table 1 Command parameters

Parameter: -XX:HeapDumpRedact
Description: Specifies the anonymization mode.

  • names: masks sensitive symbols. You need to specify a mapping table in a file using the RedactMapFile parameter or directly in the command line using the RedactMap parameter.
  • basic: masks int/char/byte arrays by clearing them.
  • full: names + basic
  • annotation: masks sensitive field values. You need to specify an annotation class (containing classPath).
  • diyrules: masks sensitive field values. You need to specify classes and field values to be masked in a file using the RedactMapFile parameter or directly in the command line using the RedactMap parameter.
  • off: disables heap dump anonymization. This is the default mode.

Parameter: -XX:RedactMap
Description: Specifies sensitive name mapping pairs to be masked. Use semicolons (;) to separate multiple pairs and a colon (:) to separate the key and value in a pair. Example: key1:value1;key2:value2...

Parameter: -XX:RedactMapFile
Description: Obtains the mapping of sensitive names to be masked from the specified file.

Parameter: -XX:RedactClassPath
Description: Specifies annotation classes for sensitive value replacement.
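
A check that can be run before sharing a dump taken with HeapDumpRedact=names or full, given here as an added example that is not part of the BiSheng JDK documentation: it parses a RedactMap string in the Table 1 syntax and lists any keys that still appear as symbol records in the dump. It assumes masked names are stored as HPROF_UTF8 records in the standard HPROF binary format; the function names and the sample dump are constructed for illustration.

```python
import struct

def parse_redact_map(spec):
    """Parse 'key1:value1;key2:value2' (RedactMap syntax from Table 1) into a dict."""
    pairs = {}
    for item in filter(None, (p.strip() for p in spec.split(";"))):
        key, sep, value = item.partition(":")
        # A second ':' means two pairs were joined by something other than ';'.
        if not sep or not key or ":" in value:
            raise ValueError(f"malformed RedactMap pair: {item!r}")
        pairs[key] = value
    return pairs

def hprof_utf8_symbols(data):
    """Yield the text of every HPROF_UTF8 (tag 0x01) record in an HPROF dump."""
    if not data.startswith(b"JAVA PROFILE"):
        raise ValueError("not an HPROF file")
    end = data.index(b"\0")                      # version string is NUL-terminated
    id_size = struct.unpack_from(">I", data, end + 1)[0]
    pos = end + 1 + 4 + 8                        # skip id size (u4) and timestamp (u8)
    while pos + 9 <= len(data):
        tag, _time, length = struct.unpack_from(">BII", data, pos)
        body = pos + 9
        if tag == 0x01:                          # record body: <id><utf-8 bytes>
            yield data[body + id_size:body + length].decode("utf-8", "replace")
        pos = body + length

def unmasked_symbols(data, redact_map_spec):
    """Return RedactMap keys that still appear verbatim as symbols in the dump."""
    keys = set(parse_redact_map(redact_map_spec))
    return sorted(keys & set(hprof_utf8_symbols(data)))

def sample_dump(symbols):
    """Constructed minimal HPROF stream (header plus UTF8 records), for the demo only."""
    out = b"JAVA PROFILE 1.0.2\0" + struct.pack(">IQ", 8, 0)
    for i, name in enumerate(symbols, 1):
        body = struct.pack(">Q", i) + name.encode()
        out += struct.pack(">BII", 0x01, 0, len(body)) + body
    return out

if __name__ == "__main__":
    spec = "password:abc;encrypt:cde"            # same pairs as the VM example
    print(unmasked_symbols(sample_dump(["password", "encrypt", "userName"]), spec))
    print(unmasked_symbols(sample_dump(["abc", "cde", "userName"]), spec))
```

For a real dump, pass the file's bytes as data; a non-empty result means the dump still exposes a name listed in the map and should not be shared as is.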