NewsCurity and Java
A forthcoming version of the Curity Identity Server will include a supported Java Virtual Machine (JVM) from Azul Systems, alleviating customers' concerns about the changes to the Oracle JVM licensing model, support terms, and release cycle.
One of the few dependencies of the Curity Identity Server is Java. Currently, the only supported Java Runtime Environment (JRE) is Oracle's, but this is about to change! As you may know, Oracle has altered:
- The releases of Java
- The length of time which they'll offer free commercial support they'll offer free commercial support for each release
The increased release cadence affects the security of our customers' deployments since free security patches will only be available from Oracle for six months. After this, you will need a support agreement with them to continue receiving security updates.
We recognize that this is hard to understand and deal with. We also do not want our technology choices to become operational and economic problems for our customers. For this reason, version 3.2 will include a supported JRE out of the box! No other version of Java will be needed (or even supported). This JRE will be Zulu from Azul Systems, a leading supplier within the Java ecosystem, trusted by organizations the world over. From this release onward, Java will be supported by Curity with the backing and help of Azul Systems. This should alleviate any concerns or issues related to the changes taking place in the Java ecosystem. It will also ensure timely fixes to any issues that may arise in the platform on which the Curity Identity Server runs.
The version of the JRE that we will ship, called Zulu, is based on the OpenJDK. This runtime is open source and will be provided according to the terms of the GPL version 2 with Classpath Exception. This open source license has no usage restrictions and the distribution requirements are the familiar ones of the ubiquitous GNU license. The ramifications of this are that building Docker containers, Virtual Machines, Amazon Machine Images, etc. are easier to automate and the terms are better understood by IT managers and lawyers. In fact, our plan is to eventually providing the Curity Identity Server in some of these form factors, especially Docker.
FAQ
When will this release be available?
Very soon. The plan is to have it ready by late October.
What version will include this new, supported version of Java?
3.2 only; there are no plans to backport this update.
What is the easiest way to prepare for this update?
It is recommended that you migrate to the latest release ASAP. The only changes between 3.1 and 3.2 will be the inclusion of the new JRE. This will help isolate any unexpected changes that may arise from the use of the new platform, and provide an easy downgrade path if unforeseen issues do arise.
Will my plug-ins need to be recompiled?
Not if you've limited your use of Java to the public API of the Curity Identity Server SDK and Java SE. You can check to be sure by obtaining a copy of OpenJDK ahead of our release; if your plug-in compiles with this, it should be fine.
What version of Java will be included in 3.2?
Version 8. 11 will come in a subsequent release and info for plug-in developers will be provided at that time.
What if I'm not able to upgrade to 3.2 at this time?
Oracle will stop providing public updates to Java 8 in January 2019. After this time, you have three choices:
- Run the Curity Identity Server on an unsupported JRE (i.e., the last publicly available JRE v. 8 from Oracle)
- Obtain extended support directly from Oracle for JRE v. 8
- Upgrade your installation of the Curity Identity Server to version 3.2 which will include a supported JRE
- Obtain extended support directly from Oracle for JRE v. 8
Does this mean that I can use Zulu with my own Java apps?
No. Curity will only support the use of Zulu with the Curity Identity Server and only for as long as you are a licensed customer.
Where can I find more information about the changes to Java?
The most accurate and complete source of information that we have found in this open letter: [Java is Still Free](a href="https://docs.google.com/document/d/1nFGazvrCvHMZJgFstlbzoHjpAVwv5DEdnaBr_5pKuHo/edit#heading=h.p3qt2oh5eczi)
We hope that this update will make it easier to use the Curity Identity Server going forward. We also hope that this will alleviate any concerns about our use of Java and the changes that are confronting the Java ecosystem. If you have questions or concerns, please don't hesitate to contact us
