Layer 7 Access Management

Tech Tip :  How to choose between using the pure java or JNI implementation of the CA SSO SMSDK Java client. 

03-12-2019 08:08 PM

The java SMSDK client has two implementations  : 


  1. JNI - where the library is thin java layer that then calls native C++ functions. (smjavaagentapi.jar)
  2. Pure java - where all the functions of the agent are implemented in java.  (smagentapi.jar)



Programming in Java - CA Single Sign-On - 12.7 - CA Technologies Documentation 



1. Which should I use ? 

The pure java version has some advantages, a) you can enable some nice logging b) no native .so / .dll library dependencies.   c) java has better error handing (no core dumps).



There were performance differences in the first few releases, where the JNI one performed better, but those days are long past, I have not seen any performance issues with the pure java version in recent years. Most of the time in the agent is spent waiting for a response over the socket.   


The pure java agent is much simpler to deploy, since it is just .jar files, and you don't need to deploy platform dependent .so / .dll files, and thier dependancies as well (right c lib, and c++lib versions). 


And when there is a problem it is good to be able to capture some trace logging, or jstack, which is not available (in the case of logging) or as easily available (in reading optimized pstack) in the JNI native calls. 


The default in the CA SSO SDK is the JNI version, that is more from historical reasons, but some tend to use that as it is the default. 


My personal preference is the pure java version, and it is used quite heavily now, but as usual it is best to run some testing.



The java build and files are fairly simple and they are easy to change.  The directory is SSO SDK/examples/smjavaagentapi/ : 


2. Compiling (JNI or PureJava) ?


For compiling it does not really matter which implementation you use, we are only compiling the classes, so it just checks the interface.


Nevertheless you can change it, the default file uses the JNI version : 



javac -classpath ..\..\properties;..\..\java\smjavasdk2.jar;..\..\java\smjavaagentapi.jar


To change that to compile against the pure java version just requires change of the .jar file :  



javac -classpath ..\..\properties;..\..\java\smjavasdk2.jar;..\..\java\smagentapi.jar


But the change is a bit academic. 


3. Runtime using the JNI version of the SSO Agent (default)


The default run script already uses the JNI implementation : The commands in the java_run.bat file is: 



java -Djava.library.path=..\..\bin -classpath .;..\..\properties;..\..\java\smjavasdk2.jar;..\..\java\smjavaagentapi.jar JavaTestClient


The smjavaagentapi.jar is the JNI implementation. 


And the -Djava.library.path gives the path where the native .so or .dll files can be found. 




4. Runtime using the pure java version of the SSO Agent


To use the pure java implementation ,The commands in the java_run.bat file is : 

java -Djava.library.path=..\..\bin -classpath .;..\..\properties;..\..\java\smjavasdk2.jar;..\..\java\smjavaagentapi.jar JavaTestClient


And we need to change that to :  

java -classpath .;..\..\properties;..\..\java\smjavasdk2.jar;..\..\java\smagentapi.jar;..\..\java\cryptoj.jar;..\..\java\SmJavaApi.jar JavaTestClient

(all on one line) 


The smagentapi.jar is the pure java implementation. 

The SmJavaApi.jar, is needed with library implementation.

The cryptoj.jar is needed for the RSA (pure java) cryptographic functions. 


The enables the detailed trace logging for the agent. 


Generally when running in container, say tomcat websphere or other system, you need to make the same changes there. 

Deploy those additional jar files and if you want tracing then set the runtime parameter. 



**Note**:   If you copy both smjavaagentapi.jar and smagentapi.jar to a deployment directory where all the .jar files are loaded (such as lib directory in tomcat).  Then you can't really be sure which implementation you are goign to load.  So it is best to only deploy one of those two files - or if you are switching between the two implementations rename the other one so it is not recognizable as a .jar file  eg, smjavaagentapi-jar-disabled. 



Cheers - Mark

0 Favorited
0 Files

Tags and Keywords


Related Entries and Links

No Related Resource entered.