Connect to Azul Vulnerability Detection via the Forwarder

Table of Contents

Configure Runtimes
- Connect with Command Line Arguments
Identifying Successful Connection
Configuring JVMs at Scale
Disabling Azul Vulnerability Detection
- Environment Variable
Reference Documentation

Need help?

Schedule a consultation with an Azul performance expert.

Talk about OpenJDK?

Discuss with the community on the Foojay Forum.

The default connection mode for JVMs is auto, where they will determine if/where they should connect through the environment. JVMs will connect when they detect the right conditions.

Configure Runtimes

There are different ways to control your connection to Azul Vulnerability Detection:

Command Line Arguments
Environment Variables
Properties file

These methods can be further extended with optional settings and are fully described in Configuration Options. Here only the method via Command Line Arguments is described.

Once enabled, advanced users can utilize DNS to control connections at scale without touching individual systems or containers.

Connect with Command Line Arguments

Apply the following arguments to your Java command line, substituting your forwarder_endpoint if known.

Note	The Forwarder endpoint must be in URL format, e.g. `https://FORWARDER_IP:443`.

 java -XX:+UnlockExperimentalVMOptions \
    -XX:AzCRSMode=on \
    -XX:AzCRSArguments=api.url={forwarder_endpoint} \
    MyApp

Once applied, you will see your JVM ID printed at startup. Other configuration options are not required.

Identifying Successful Connection

By default, the JRE will not emit log messages. To control the log level and see connectivity messages, use the following AZ_CRS_ARGUMENTS: log=info.

Once in place, your JRE will produce a message about its JVM Instance ID:

 [CRS.id][info] CRS authenticated: YOUR_UUID

Configuring JVMs at Scale

If all JVMs share a common network, IT administrators can set up the DNS on the network so that all Java VMs can connect to the Forwarder that exchanges the data with Azul Vulnerability Detection. Rather than configuring each JRE individually, each enabled JRE will look up a DNS entry for the required property. You still can override the connection parameters for individual JVM instances via command line arguments or environment variables.

To set up service discovery via DNS, create the following DNS record:

Name Type Description

Name	Type	Description
`az-crs-endpoint`	CNAME	The IP address or FQDN of the Forwarder.

az-crs-endpoint

CNAME

The IP address or FQDN of the Forwarder.

When your DNS is configured, start the application with AzCRSMode set to either auto (default) or on:

 java -XX:+UnlockExperimentalVMOptions \
    -XX:AzCRSMode=on \
    MyApp

Disabling Azul Vulnerability Detection

Application owners can disable features by setting the mode to off with -XX:AzCRSMode=off.

Environment Variable

In your AZ_CRS_ARGUMENTS, set enable=false.

This change will only be used for new launches and restarts.

Reference Documentation

Consult Configuration Options for complete documentation about arguments and variables.