IBM Semeru Runtime Certified Edition for z/OS 11: Supplementary documentation

Content

The supplementary documentation is updated only if there are notable changes, such as special advisories, in a particular release. This document was last updated during the 11.0.22.0 release.

The documentation to support this version is available in IBM Documentation. For links to downloads, fixes, time zone updates, and a table of OpenJDK versions on which this release is based, see IBM Semeru Runtime Certified Edition for z/OS refreshes.

InstallAnywhere packages of IBM Semeru Runtime Certified Edition are discontinued starting with the 11.0.22.0 release. For more information, see Withdrawal of InstallAnywhere packages for IBM SDK, Java Technology Edition and IBM Semeru Runtimes.

Supplementary information is available for the following code refreshes:

• 11.0.20.1
• 11.0.19.0
• 11.0.18.0
• 11.0.17.0
• 11.0.16.0
• 11.0.14.1
• First release

11.0.20.1 (October 2023)

Exceptions might be thrown during the handling of the Jar/Zip files in 11.0.20.1 because of the improved ZIP64 extra field validation (JDK-8302483)

Checks were added in JDK 11.0.20+ in response to a CVE to validate the integrity of extra fields in Jar / Zip files. As a consequence, a ZipException: Invalid CEN header is thrown during the handling of the Jar/Zip files with problematic extra fields. The Jar/Zip files that have this problem have to be fixed by the respective owners. If necessary, you can disable the additional validation by setting the system property jdk.util.zip.disableZip64ExtraFieldValidation to true. 

Connection failure when using the TLS 1.3 protocol and the IBMJCECCA provider with keys that were generated by using the GENCERT command is now resolved

The limitation is resolved by allowing the generation of RACF RSA(PKDS) certificates, even when the SIGATTR parameter is omitted. This ensures that all PKDS entries are properly read and translated as RSASSA-PSS entries. Additionally, the update allows RSA keys generated by using hwkeytool command without the sigAlg argument to automatically default to RSASSA-PSS. This works if the key size is greater than 2048 and the key is protected by an ECC primary key with AES.

11.0.19.0 (June 2023)

Interoperability updates for IBMJCECCA RSA-PSS with JSSE and RACF

The RSA-PSS support offered by the IBMJCECCA provider is now interoperable with SunJSSE and RACF based keystores.

Connection failures when using the TLS 1.3 protocol and the IBMJCECCA provider with keys that were generated by using the GENCERT command

TLS protocol version 1.3 requires handshake messages to be signed with an RSASSA-PSS signature. In this release of the IBM SDK, a change was introduced that causes the rejection of some RSA keys as invalid for use with TLS 1.3 even if they are actually valid. The affected keys are RSA keys that are generated by using the RACDCERT GENCERT command in RACF, where the key size is not 2048 bits or greater and the key is not protected by an ECC primary key that uses the AES algorithm. The message that is output for these keys is java.security.InvalidKeyException: Key is not RSASSA-PSS compatible. To avoid this problem, generate RSA keys by using one of the following methods, which ensure that the key is signed with an RSASSA-PSS signature:

• Use the hwkeytool command with the -sigAlg RSAPSS parameter
• Use the z/OS GENCERT command with the SIGATTR/SIGATTR(RSAPSS) keyword (this keyword is new in z/OS 2.4)

If you encounter this problem with an existing RSA key, you can recreate it using one of these methods or you can translate it as described in Translate and replace an RSA key for RSA PSS.

Note: TLS version 1.3 is the default level of TLS in Java 11.

11.0.18.0 (February 2023)

IBMJCECCA RSA-PSS not interoperable with JSSE and RACF

Interoperability issues exist in the RSA-PSS support added for the IBMJCECCA provider when using SunJSSE and RACF based keystores.

11.0.17.0 (November 2022)

OpenJDK header file sizecalc.h not to be used

An extra file, J11.0_64\include\sizecalc.h, is added accidentally by the OpenJDK project, and is packaged with 11.0.17.0. Do not use this header file because it will not be available in future releases.

11.0.16.0 (September 2022)

Command-line argument files now supported

You can pass argument files that contain arguments such as JVM options and class names to the java command by using the @ prefix. For example, list the arguments to be passed in an argument file called myargfile, then specify that file when you run the java command, as follows: java @myargfile. On z/OS, these argument files must be encoded and tagged as ISO8859-1 or UTF-8. For more information, see java command-line argument files. This support lifts a restriction that was documented for the first release.

Using secure PKCS#11 keys with the IBMJCECCA provider

This release contains the OpenJDK provider, SunPKCS11, to provide the PKCS#11 capability that was provided by the IBMPKCS11Impl component in version 8. In version 8, you could use IBMPKCS11Impl keys with the IBMJCECCCA provider. In version 11, you cannot currently use SunPKCS11 keys with the IBMJCECCA provider.

AES/GCM Ciphers disabled in SunPKCS11

In this release, all AES/GCM ciphers are disabled due to a difference between how SunPKCS11 and ICSF handle data storage during encrypt/decrypt operations.

11.0.14.1 (March 2022)

Instrumentation.appendToBootstrapClassLoaderSearch() issue fixed

The issue with the Instrumentation.appendToBootstrapClassLoaderSearch() method that existed in the first release is now fixed.

JTZU tool support now available

The IBM? Time Zone Update Utility for Java (JTZU), which is used to update a Java installation for changes to Daylight Saving Time (DST), now supports IBM? Semeru Runtime Certified Edition for z/OS?, Version 11.

First release (November 2021)

Instrumentation.appendToBootstrapClassLoaderSearch() might cause a JVM crash

Use of the Instrumentation.appendToBootstrapClassLoaderSearch() method might result in an assert or crash of the JVM. This problem has already been fixed and the fix will be available in a future release.

JTZU tool support not yet available

The IBM? Time Zone Update Utility for Java (JTZU), which is used to update a Java installation for changes to Daylight Saving Time (DST), does not currently support IBM? Semeru Runtime Certified Edition for z/OS?, Version 11. This support will be added soon.

Command-line argument files not supported

Argument files (which contain arguments such as JVM options and class names) passed to the java command line using the @ prefix (for example, java @myargfile) are currently not supported on z/OS.

Future of security components

The following security providers and components are not in the first release:

• You have a Java application that uses one of the IBM implementations of the URLStreamHandlerProvider API (for example, com.ibm.crypto.hdwrCCA.provider.safkeyring.Provider) to create a URLStreamHandler instance by using any of the supported SAF key ring URLs (safkeyring, safkeyringjce, safkeyringjcehybrid, or safkeyringjcecca).
• You run the Java application with a security manager enabled (for example, by specifying -Djava.security.manager on the Java command line).
  • IBMJCECCA provider (added in 11.0.15.0)
  • IBMJCEHYBRID provider (added in 11.0.15.0)
  • JCERACFKS keystore implementation (replaced by IBMZSecurity provider in 11.0.15.0)
  • JAAS z/OS extensions (added in 11.0.15.0)
  • IBM PKCS11Impl provider (replaced by SunPKCS11 in 11.0.16.0)
  • ZERTJSSE provider (added in 11.0.16.0)
  • iKeyman utility
  • IBM Key Certificate Management utility