As outlined in CA’s recent general notice regarding Java, CA software products will be migrating to support open-source implementations of Java.
For Layer7 products, primary support will shift from Oracle Java to AdoptOpenJDK, a popular free version of Java that derives its source from OpenJDK.
What is AdoptOpenJDK?
"AdoptOpenJDK uses infrastructure, build and test scripts to produce prebuilt binaries from OpenJDK™ class libraries and a choice of either the OpenJDK HotSpot or Eclipse OpenJ9 VM.
All AdoptOpenJDK binaries and scripts are open source licensed and available for free." (source: https://adoptopenjdk.net/)
This document will discuss details of the change as they pertain to the Layer7 Privileged Access Management products, and provide users with information that will help ensure that their product deployment(s) can continue to be supported by Broadcom/CA in the future.
The summary level progression of our shift to use of AdoptOpenJDK
- The following components of Layer7 Privileged Access Management embed Java libraries:
- CA Privileged Access Manager
- CA Privileged Access Manager Server Control
- CA Shared Account Manager
- CA Privileged Identity Manager
- CA Threat Analytics (for PAM)
- We currently plan that any and all future code releases (fixes, services packs, dot releases, version releases) that have a dependency on Java libraries will be replaced with AdoptOpenJDK
- We currently plan to introduce patches for each of the Layer7 Privileged Access Management products that will include AdoptOpenJDK components. The following patches will be available for each of the supported products:
|
Product
|
Version
|
Delivery
|
Expected Delivery Date
|
|
CA Privileged Access Manager
|
v3.2
|
V3.2.6
|
August 31, 2019
|
|
CA Privileged Access Manager
|
v3.3
|
V3.3.1
|
September 30, 2019
|
|
CA Privileged Access Manager Server Control
|
v14.0
|
Java Migration Patcher
|
August 31, 2019
|
|
CA Privileged Access Manager Server Control
|
v14.1
|
Java Migration Patcher
|
August 31, 2019
|
|
CA Shared Account Manager
|
v12.8 CF3
|
Java Migration Patcher
|
August 19, 2019
|
|
CA Shared Account Manager
|
v12.9 SP2
|
Java Migration Patcher
|
August 19, 2019
|
|
CA Shared Account Manager
|
v14.0
|
Java Migration Patcher
|
August 19, 2019
|
|
CA Privileged Identity Manager
|
v12.8 CF3
|
Java Migration Patcher
|
August 19, 2019
|
|
CA Privileged Identity Manager
|
v12.9 SP2
|
Java Migration Patcher
|
August 19, 2019
|
|
CA Privileged Identity Manager
|
v14.0
|
Java Migration Patcher
|
August 19, 2019
|
|
CA Threat Analytics (for PAM)
|
V2.2.0
|
Java Migration Patcher
|
August 19, 2019
|
|
CA Threat Analytics (for PAM)
|
V2.2.1
|
Java Migration Patcher
|
August 19, 2019
|
|
CA Threat Analytics (for PAM)
|
V2.2.2
|
Java Migration Patcher
|
August 19, 2019
|
|
CA Threat Analytics (for PAM)
|
V2.2.3
|
Java Migration Patcher
|
August 19, 2019
|
FAQ
Q1: I am running a release of Layer7 Privileged Access Manager that is prior to version v3.2, what do I need to do?
A1: You can continue to use that product as long as it’s still under current support. However, we encourage you to upgrade to v3.2 or newer as they will include embedded AdoptOpenJDK libraries in place of Oracle Java libraries.
Q2: For Layer7 Privileged Access Manager, do I need to also update the Workstation Client, App2App clients or PAM Windows Proxy Agent?
A2: For the App2App clients and PAM Windows Proxy, there is no need to update but any vulnerability fix in the JRE will require the component to be replaced with the AdoptOpenJDK version. In the case of the PAM Workstation Client, updating to PAM 3.2.6 or 3.3.1 will provide a new Client update replacing the Oracle JRE. Note that the delivery of the PAM client will also shift to a download directly from the PAM Server rather than a Content Delivery Network (CDN) URL.