This notice is being sent to alert you that Broadcom/CA software products will be migrating to support open-source implementations of Java.
For Layer7 products, primary support will shift from Oracle Java to AdoptOpenJDK, a popular free version of Java that derives its source from OpenJDK.
What is AdoptOpenJDK?
"AdoptOpenJDK uses infrastructure, build and test scripts to produce prebuilt binaries from OpenJDK™ class libraries and a choice of either the OpenJDK HotSpot or Eclipse OpenJ9 VM.
All AdoptOpenJDK binaries and scripts are open-source licensed and available for free." (source: https://adoptopenjdk.net/)
How does this change affect Layer7 API Management Products?
This document describes the consequences of the shift to AdoptOpenJDK as they pertain to the Layer7 API Management products and components, including the Layer7 API Gateway, Layer7 Mobile API Gateway, Layer7 OAuth Toolkit, and Layer7 Rapid App Security. Our goal is to provide users with information to ensure that product deployment(s) can continue to be supported by Broadcom/CA in the future:
- The initial releases to include the embedded AdoptOpenJDK libraries are:
- API Gateway 9.3 CR5
- API Gateway 9.4 CR3
- The version embedded in these initial releases is: AdoptOpenJDK 1.8 update 222
- All future releases (fixes, cumulative releases, major and minor version releases) of Layer7 API Gateway, Layer7 OAuth ToolKit, Layer7 Mobile API Gateway, Layer7 Rapid App Security will be built and tested with AdoptOpenJDK libraries.
- After August 18th, 2019, no new Oracle Java critical patch updates will be provided on the support site.
- Java Web Start functionality will not be available to the users in any future Layer7 API Gateway release.
- Layer7 OAuth ToolKit, Layer7 Mobile API Gateway, Layer7 Rapid App Security will be certified with the AdoptOpenJDK based versions of Layer7 API Gateway
Questions and Answers
- Question: I am running an earlier version of the Layer7 API Gateway that uses Oracle Java libraries. Do I need to upgrade Layer7 API Gateway to AdoptOpenJDK based releases as soon as possible? Do I need to change libraries?
Answer: No. The shift of Layer7 products to AdoptOpenJDK does not necessitate immediate upgrade of older releases, however you should consider the following statements and we highly recommend you plan to upgrade soon:
- If a vulnerability is reported in Java that can be exploited in Layer 7 API Gateway, Broadcom will test and support fixes to this vulnerability via builds supplied from AdoptOpenJDK in the Layer7 API Gateway 9.3 or later releases.
- All releases from Broadcom of any form (major/minor version, patch, or CR) occurring on or after August 18th, 2019 will be tested exclusively on systems that are deployed with AdoptOpenJDK.
- Question: I am running the Layer7 API Gateway which is using Oracle Java supplied by me. Do I need to switch to OpenJDK?
Answer: It is not essential that you switch immediately, but we highly recommend you plan to use AdoptOpenJDK as outlined in Q1 (above).
- Question: I am running an earlier version of the Layer7 API Gateway that uses Oracle Java libraries. Will I keep getting the Oracle Java critical patch updates from Broadcom?
Answer: No, after August 18, 2019, Oracle Java fixes will no longer be available, with Layer7 API Gateway patches on the support website. Future Layer7 API Gateway releases will only be built and tested with AdoptOpenJDK. You should plan to upgrade to the latest Layer7 API Gateway 9.3 or above releases in the near future to keep getting Java fixes.
- Question: My organization has a license to Oracle Java that we have purchased directly from Oracle. Will I be able to continue to use Oracle Java with API Gateway?
Answer: Oracle Java is a derivative of OpenJDK. It is therefore presumed that Oracle Java releases should not impact the functioning of API Gateway. For API Gateway, we will offer support for use of Oracle Java under CA's Reasonable Commercial Effort Statement as mentioned below. However, from August 18th onward our testing environment will be based on AdoptOpenJDK and we highly recommend you plan to use AdoptOpenJDK as outlined in Q1 (above).
- Question: I have Layer7 OAuth ToolKit and Layer7 Mobile API Gateway, I am planning to upgrade to Layer7 API Gateway 9.4 CR3 or Layer7 API Gateway 9.3 CR5. Do I need to upgrade OAuth ToolKit and Layer7 Mobile API Gateway at the same time?
Answer: No. As long as you are running versions that are compatible with your Layer7 API Gateway version, no upgrade of the OAuth Toolkit or Layer7 Mobile API Gateway is required.
Reasonable Commercial Effort Statement:
CA Technical Support makes a reasonable commercial effort to troubleshoot and/or resolve customer support requests that involve the use of currently supported versions of CA Products on or with "unsupported" platforms as follows:
CA Technical Support accepts support incidents (support requests) involving a software platform or a combination of software platforms that is not officially supported per the then-current CA published platform support matrices. CA troubleshoots the issue up to the point that CA has reason to believe that the problem is related to the use of software that is not specified in a then-current platform supported matrix. At such point, CA requires that the customer reproduces the problem on a fully supported combination of platforms before CA proceeds in troubleshooting the incident.