TBD
https://docs.oracle.com/en/java/javase/17/docs/specs/man/java.html
https://docs.oracle.com/en/java/javase/11/tools/java.html#GUID-3B1CE181-CD30-4178-9602-230B800D4FAE
'-XX:+PrintFlagsFinal' is reserved for debugging and local development environments, not for containerized production deployments.
'-XX:+UseTransparentHugePages' reduces TLB misses, improves throughput on Linux but not recommended in AWS ECS Fargate
-XX:+ExitOnOutOfMemoryError – kill the container on OOM so the orchestrator can restart it
-XX:+UseZGC – generational ZGC: sub-ms pauses, ideal for virtual threads + DB pools
-XX:+UseCompactObjectHeaders – Project Lilliput (JDK 25): 64→32-bit headers, ~10-15% less heap
-XX:MaxMetaspaceSize=200m – cap class metadata to prevent unbounded native memory growth
-XX:MaxRAMPercentage=75.0 – use up to 75% of container memory for heap
-XX:MinRAMPercentage=50 – at least 50% even if less than ~256MB is detected
-XX:InitialRAMPercentage=75.0 – start with full target heap to avoid runtime resizing
-XX:-OmitStackTraceInFastThrow – always produce full stack traces (never elide repeated NPEs etc.)
Setting initial heap size and max heap the same will incur lower Garbage Collection pause times.
‘-XX:+UseContainerSupport’ is passed by default argument in the JVM. So, you don’t need to configure it explicitly.
-XX:+ExitOnOutOfMemoryError -XX:MaxMetaspaceSize=200m -XX:MaxRAMPercentage=70.0 -XX:MinRAMPercentage=50.0 -XX:InitialRAMPercentage=70.0 -XX:+PrintFlagsFinal -XX:-OmitStackTraceInFastThrow
-XX:+ExitOnOutOfMemoryError -XX:MaxMetaspaceSize=200m -XX:MaxRAMPercentage=50.0 -XX:MinRAMPercentage=50.0 -XX:+PrintFlagsFinal -XX:+UseContainerSupport
-XX:+ExitOnOutOfMemoryError -XX:MaxMetaspaceSize=200m -XX:MaxRAMPercentage=50.0 -XX:MinRAMPercentage=50.0 -XX:+PrintFlagsFinal -XX:+UseContainerSupport
Sample JBoss w/ Java 1.7 running in a 2048 MB machine:
-Xmx1024m -Xms512m -XX:MaxPermSize=512m -XX:OnOutOfMemoryError=\"kill -9 %p\"
eg: thirds
Potential "Gotcha": The TrustStore
If POINTING javax.net.ssl.trustStore to your custom truststore, Java will only trust the certificates in that file.
It will no longer trust standard internet authorities (like those needed to talk to Google, AWS, or Maven).
For trusting the standard internet authorities, you can import the Java default truststore which default password is 'changeit' (tested w/ Ubuntu 24.04.3 LTS):
keytool -importkeystore \
-srckeystore ${JAVA_HOME}/lib/security/cacerts \
-srcstoretype PKCS12 \
-srcstorepass changeit \
-destkeystore docker/truststore.p12 \
-deststorepass THE_TRUST_STORE_PASS \
-noprompt
TBD
Habilitar logs de depuración SSL
-Djavax.net.debug=ssl,handshake
Oracle Java 1.7.0_45 supported protocols and ciphers
Note With TLSv1.2 explicitly enabled.
Protocolos habilitados:
- SSLv2Hello
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2
Cipher Suites habilitados:
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- SSL_RSA_WITH_RC4_128_SHA
- TLS_ECDH_ECDSA_WITH_RC4_128_SHA
- TLS_ECDH_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_WITH_RC4_128_MD5
- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
----------------------------------