Enabling SSL Tracing in Java Applications

groundcover offers eBPF-based tracing for all frameworks and protocols, including encrypted traffic. This is done by attaching probes to key points in popular encryption libraries, such as LibSSL.

There is one exception to the out-of-the-box coverage with eBPF - Java. The Java runtime uses encryption libraries which are written in pure Java, providing a challenge to trace with the machine-level primitives that eBPF offers.

groundcover's approach to bridge this gap is by using a more traditional approach to Java observability - using a Java agent. This agent runs alongside your applications, tracing key functions in the Java encryption libraries to provide visibility into the APIs being handled.

How does it work?

groundcover's sensor comes pre-packed with the Java agent binaries. When detecting Java processes running alongside it, the sensor will use an injection method to dynamically execute the groundcover Java agent in the detected process.

No configuration changes are needed, and new processes will be monitored automatically.

Can the Java agent affect my processes?

groundcover's core approach to tracing relies on eBPF, which has built-in safety guarantees that make sure our tracing can not affect the services being monitored in any significant way.

Java agents are somewhat different in that regard - they run alongside your code, and have more potential to interfere with the standard operation of the process. For this reason, our development cycle for the Java agent is extremely strict, and includes testing with many common Java use cases. The agent has and continues to run safely in a large number of customer environments, providing the high standard of frictionless coverage groundcover provides.

Configuring the Java agent deployment

Use the following configuration values to turn on the Java agent deployment:

agent:
  sensor:
    env:
      - name: FLORA_NETWORKTRACER_JAVASSLTRACER_TRACINGENABLED
        value: "true"