Chapter 3. Red Hat build of OpenJDK 8.0.392 release notes
The latest Red Hat build of OpenJDK 8 release might include new features. Additionally, the latest release might enhance, deprecate, or remove features that originated from previous Red Hat build of OpenJDK 8 releases.
For all the other changes and security fixes, see OpenJDK 8u392 Released.
3.1. Red Hat build of OpenJDK new features and enhancements
Review the following release notes to understand new features and feature enhancements that Red Hat build of OpenJDK 8.0.392 provides:
Improved communication in CORBA
The Common Object Request Broker Architecture (CORBA) implementation in Red Hat build of OpenJDK now provides the option to limit serialization in stub objects to objects containing the IOR: prefix.
Consider the following guidelines:
- For the following ORB-constrained stub classes, this feature is enabled by default:
  - _DynArrayStub
  - _DynEnumStub
  - _DynFixedStub
  - _DynSequenceStub
  - _DynStructStub
  - _DynUnionStub
  - _DynValueStub
  - _DynAnyStub
  - _DynAnyFactoryStub
  You can disable this feature for ORB-constrained stub classes by setting the org.omg.DynamicAny.disableIORCheck system property to true.
- For the following remote service stub classes, this feature is disabled by default:
  - _NamingContextStub
  - _BindingIteratorStub
  - _NamingContextExtStub
  - _ServantActivatorStub
  - _ServantLocatorStub
  - _ServerManagerStub
  - _ActivatorStub
  - _RepositoryStub
  - _InitialNameServiceStub
  - _LocatorStub
  - _ServerStub
  You can enable this feature for remote service stub classes by setting the org.omg.CORBA.IDL.Stubs.enableIORCheck system property to true.
JDK bug system reference ID: JDK-8303384.
Default native GSS-API library added on Windows
Red Hat build of OpenJDK 8.0.392 adds a native Generic Security Service Application Programming Interface (GSS-API) library, sspi_bridge.dll, on the Windows platform. Similar to the provision of native GSS-API libraries on other operating systems, Red Hat build of OpenJDK loads the sspi_bridge.dll library only when the sun.security.jgss.native system property is set to true. Alternatively, you can still instruct the JDK to load a third-party native GSS-API library by setting the sun.security.jgss.lib system property to the appropriate path.
The sspi_bridge.dll library is for client-side use only and uses the default credentials. Because native GSS support automatically uses cached credentials from the underlying operating system, ensure that you set the javax.security.auth.useSubjectCredsOnly system property to false.
Also, because com.sun.security.auth.module.Krb5LoginModule does not call the native Java GSS (JGSS), avoid using Krb5LoginModule in your Java Authentication and Authorization Service (JAAS) configuration.
See JDK-6722928 (JDK Bug System).
Certigna root CA certificate added
In Red Hat build of OpenJDK 8.0.392, the cacerts truststore includes the Certigna root certificate:
- Name: Certigna (Dhimyotis)
- Alias name: certignarootca
- Distinguished name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
See JDK-8314960 (JDK Bug System).
Arrays cloned in several JAAS callback classes
In previous releases, in the ChoiceCallback and ConfirmationCallback JAAS classes, when arrays were passed into a constructor or returned, these arrays were not cloned. This behavior allowed an external program to gain access to the internal fields of these classes.
In Red Hat build of OpenJDK 8.0.392, the JAAS classes return cloned arrays.
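The following Java check is an added example, not code from Red Hat or the OpenJDK project. It reports whether the running JDK isolates the arrays held by ChoiceCallback and ConfirmationCallback from the caller's array and from arrays the getters return. The class name JaasCallbackCloneCheck and the sample strings are constructed for illustration.

```java
import java.util.Arrays;
import javax.security.auth.callback.ChoiceCallback;
import javax.security.auth.callback.ConfirmationCallback;

// Added example: class name and sample strings are constructed for illustration.
public class JaasCallbackCloneCheck {

    // True if ChoiceCallback keeps its own copy of the constructor argument
    // and returns a fresh copy from getChoices().
    static boolean choiceCallbackIsolated() {
        String[] choices = {"password", "token"};
        ChoiceCallback cb = new ChoiceCallback("Method:", choices, 0, false);

        choices[0] = "tampered-by-caller";         // mutate the array the caller still holds
        cb.getChoices()[1] = "tampered-by-reader"; // mutate the array the getter returned

        return Arrays.equals(new String[] {"password", "token"}, cb.getChoices());
    }

    // Same probe for the options array of ConfirmationCallback.
    static boolean confirmationCallbackIsolated() {
        String[] options = {"Accept", "Reject"};
        ConfirmationCallback cb =
            new ConfirmationCallback(ConfirmationCallback.INFORMATION, options, 0);

        options[0] = "tampered-by-caller";
        cb.getOptions()[1] = "tampered-by-reader";

        return Arrays.equals(new String[] {"Accept", "Reject"}, cb.getOptions());
    }

    public static void main(String[] args) {
        boolean choice = choiceCallbackIsolated();
        boolean confirm = confirmationCallbackIsolated();

        System.out.println("java.version         = " + System.getProperty("java.version"));
        System.out.println("ChoiceCallback       isolated: " + choice);
        System.out.println("ConfirmationCallback isolated: " + confirm);

        // Non-zero exit lets a build or image check fail on a runtime that shares the arrays.
        System.exit(choice && confirm ? 0 : 1);
    }
}
```

On a runtime with the cloning behavior described above, both checks print true; a false result means the callback still shares its array with callers.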
3.2. Red Hat build of OpenJDK deprecated features
Review the following release notes to understand pre-existing features that have been either deprecated or removed in Red Hat build of OpenJDK 8.0.392:
3DES and RC4 disabled in Kerberos
Red Hat build of OpenJDK 8.0.392 deprecates and disables the des3-hmac-sha1 and rc4-hmac Kerberos encryption types by default.
If you want to re-enable these encryption types, complete either of the following actions:
- Enable all weak cryptography, including des-cbc-crc and des-cbc-md5, by setting allow_weak_crypto = true in the krb5.conf configuration file.
- Explicitly list all preferred encryption types by using the default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.
See JDK-8139348 (JDK Bug System).
SECOM Trust Systems root CA1 certificate removed
From Red Hat build of OpenJDK 8.0.392 onward, the cacerts truststore no longer includes the SECOM Trust Systems root certificate:
- Alias name: secomscrootca1 [jdk]
- Distinguished name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP