Why make the change?

In the rapidly evolving world of Java, staying current is crucial to keep up with technological advancements.  There are significant changes from IBM® SDK for z/OS, Java™ Technology Edition, Version 8 (IBM SDK 8) to IBM® Semeru Runtime Certified Edition for z/OS®, version 11 (Semeru 11), IBM® Semeru Runtime Certified Edition for z/OS® version 17 (Semeru 17), and IBM® Semeru Runtime Certified Edition for z/OS® version 21 (Semeru 21). Semeru 11/17/21 provides a significant upgrade from IBM SDK 8, offering many compelling reasons to make the transition. This article will explain a few reasons that make this upgrade essential for future development.

Operating on an older Java version exposes your software to potential security vulnerabilities. As time goes on, IBM SDK 8 will eventually reach the End of Service (EOS) date for smaller bug fixes. By transitioning to Semeru 11/17/21, you ensure that your software remains secure with ongoing maintenance and the latest security patches. Moreover, using an old software stack can severely limit your selection of useful third-party libraries and tools. A vital library might require a more recent Java version, leaving you stuck with an outdated software version that could be missing important bug fixes.

The newer Semeru 11/17/21, incorporates enhanced optimizations, particularly in just-in-time (JIT) compilation and garbage collection. These optimizations can significantly enhance the performance of your applications on existing hardware, resulting in improved user experiences and potential cost savings in cloud computing environments. Semeru 11/17/21 also introduces support for the Transport Layer Security (TLS) elliptic curve groups named X25519 and X448; IBM SDK 8 does not currently offer these curves for key exchange. By leveraging these modern technologies, you can improve the security of your data and applications.

Migrating to Semeru 11 lays a solid foundation for future transitions to subsequent versions, such as IBM® Semeru Runtime Certified Edition for z/OS® version 17 (Semeru 17), and IBM® Semeru Runtime Certified Edition for z/OS® version 21 (Semeru 21). An early migration to Semeru 11 allows for a more seamless upgrade to Semeru 17/21 once available. This incremental upgrade allows you to keep up to date with Java's advancements without facing major disruptions or compatibility challenges.

For users of IBM SDK 8 on the z/OS 64-bit platform, the End of Service (EOS) date is September 2026, with an Extended Service date of September 2029, meaning that IBM's upstream/OpenJDK maintenance for SDK 8 will end at that time. Semeru 11 on z/OS EOS date is moving from November 2024 to November 2025, with an extended service date of November 2027). 

What version of Semeru Java should I upgrade to?

When migrating from IBM SDK 8, consider upgrading directly to IBM Semeru Runtime Certified Edition for z/OS version 17 (Semeru 17), skipping Semeru 11. While Semeru 11 is a solid option, there is no substantial difference in migration effort between moving to version 11 or version 17. By choosing Semeru 17, you can leverage a more modern Java platform with extended support and advanced features, while avoiding additional complexity and minimizing the need for another migration in the near future.

If the goal is to upgrade to the latest Semeru Java version, IBM Semeru Runtime Certified Edition for z/OS version 21 (Semeru 21) is now available. However, it is recommended to first test with Semeru 17, as migrating from version 8 to 17 involves non-trivial considerations. Additionally, Java 21 introduces JEP 400 (UTF-8 by default), which is not present in Java 17 and may require further attention.

What is the difference?

Semeru 11/17/21 brings significant improvements in performance and security compared to previous versions. In addition to these benefits, there are several other compelling reasons to upgrade.

One notable update in Semeru 11 is the replacement of the IBM Security Implementation with the OpenJDK security implementation, OpenJDK is an open source implementation of the Java Platform, Standard Edition (SE). The OpenJDK security implementation receives regular updates and bug fixes to address security vulnerabilities, contributing to the overall security enhancements of applications when using OpenJDK with Semeru 11/17/21. Semeru 11/17/21's compatibility with OpenJDK ensures that the Java standard Class library implementation, widely used by various Java SDK distributions, offers customers a consistent experience and functionality across different platforms and vendors.

By upgrading to Semeru 11/17/21, users can leverage the security and performance benefits of open source Java technology from the OpenJDK project and the Eclipse OpenJ9 project, with IBM extensions added. OpenJ9 is a high performance, scalable, Java virtual machine (VM) implementation. This latest version offers significant improvements over earlier iterations, such as better diagnostic tools and bug fixes.

Semeru 11/17/21 are the next long-term support (LTS) releases after IBM SDK 8, guaranteeing regular updates and bug fixes for an extended period. This LTS status ensures the stability and reliability of your applications. To stay up-to-date, quarterly refreshes of the SDK are available on the Java SDK Products on z/OS support page. These updates may include new features, serviceability improvements, and fixes from OpenJDK, OpenJ9, and IBM.

More details on the changes to the SDK and runtime environment can be found for Semeru 11, Semeru 17, and Semeru 21.

Benefits of Migrating

IBM Semeru Runtime Certified Edition for z/OS (Java) is optimized with the hardware and software stack to maximize benefits of IBM Z hardware and middleware. Semeru encompasses many options for building business solutions, and continues to play an integral part in resolving challenging business issues.

Migrate to the latest Semeru version to:

• Leverage new Java language features, OpenJDK class libraries, and the Eclipse J9 virtual machine.
• Secure applications with cryptographic operations in Java security providers.
• Use Java APIs, libraries, and frameworks to provide a consistent hybrid cloud experience.
• Accelerate performance with the latest performance improvements and hardware exploitations.

Upgrading to Semeru 11/17/21 guarantees continued support and active maintenance.

What to keep in mind?

When upgrading from IBM SDK 8 to Semeru 11/17/21, it's important to keep in mind that innovation often comes with its share of challenges and pain points. While the benefits of upgrading are significant, there may be compatibility issues or code changes required to adapt to the new features and changes in Semeru 11/17/21.

It is essential to thoroughly test your existing applications, libraries, and frameworks to ensure smooth migration. Additionally, it's crucial to review the documentation and release notes provided by Oracle to understand any potential backward compatibility issues or deprecated features. By being aware of the potential challenges and planning accordingly, you can navigate the upgrade process more effectively and fully leverage the advancements offered by Semeru 11/17/21.

Here is a list of notable differences that customers should be aware of:

(The following differences are also applicable to Semeru 17 and Semeru 21).

1. Where are the .jar files in the Semeru Java installation? 

In IBM SDK 8, the class files were kept in .jar files. In Semeru 11/17/21, the class files are now kept in .jmod files.

The JAR (Java Archive) file is a ZIP file format for bundling classes and resources into the classpath at run time. While the JMOD file is a new format for encapsulating modules, it is based on the ZIP file format for bundling the same contents that a JAR can contain, but with support for additional files other than .class files, metadata, and resources. The JMOD files can be used at both compile time and link time, but not at run time. Notably, the jlink tool can be used with the JMOD files to assemble and optimize a specific set of modules to create a custom JRE  that contains only relevant standard library and external dependencies for their applications. This modular approach used for JMODs emphasizes the significance of Java modularity overall.

The jmod files can be found in the <path>/J11.0_64/jmods directory for Semeru 11 and the corresponding Semeru 17/21 directory. With respect to the JZOS classes, these can be found in the jmods: <path>/J11.0_64/ibm.jzos.jmod  and <path>/J11.0_64/ibm.zosrrs.jmod. These two JMOD files also correlated to two JZOS JAR files in IBM SDK 8: ibmjzos.jar and zosrrs.jar.

You can see the contents of the ibm.jzos.jmod file using the jmod command: 

<path>/J11.0_64/bin/jmod list <path>/J11.0_64/ibm.jzos.jmod

There is a similar mapping for the other SDK jar to Semeru jmods files.

2. How can we use JCERACFKS in Semeru Java? 

The IBMZSecurity provider is the default number 2 provider in the Semeru 11/17/21 z/OS provider list, see file <install directory>/J11.0_64/conf/security/java.security and the line: 

security.provider.1=OpenJCEPlus
security.provider.2=IBMZSecurity

With IBM SDK 8, the keytool command was used for JCERACFKS keystore. However, to do this in Semeru 11/17/21 you use the keytool command zseckeytool for RACF.  In Semeru 11/17/21 the URL for a JCERACFKS keystore now supports both safkeyring and safkeyringjce.

The Semeru 11/17/21 keytool command is: 

# If using safkeyringjce
$JAVA_HOME/bin/zseckeytool -debug -list \
-storetype JCERACFKS \
-keystore safkeyringjce://<myId>/<keyring>
 
# If using safkeyring
$JAVA_HOME/bin/zseckeytool -debug -list \
-storetype JCERACFKS \
-keystore safkeyring://<myId>/<keyring> \
-J-Djava.protocol.handler.pkgs=com.ibm.crypto.zsecurity.provider

Users can also set the JCERACFKS keystore programmatically. The IBMJCE provider is no longer supported in Semeru 11/17/21,  the JCERACFKS functionality has been taken over by the IBMZSecurity provider. To implement this change the package name needs to be updated.

In your code you can make the IBM SDK 8 to Semeru 11/17/21 line replacement by modifying this import line:

import com.ibm.crypto.provider.RACFInputStream;

Replace the import with: 

import com.ibm.crypto.zsecurity.provider.RACFInputStream;

3. How can we use TLSv1.3 in Semeru Java with RSA keys? 

In Semeru 11/17/21, when you specify TLS with SSLContext.getInstance("TLS"), TLS will now default to TLS version 1.3 (TLSv1.3). 

TLSv1.3 has the following restrictions:

• In TLSv1.3 key exchange, legacy RSA and all static (non-PFS) cipher suites have been removed.
• If an RSA Key is being used, TLSv1.3 protocol requires TLS handshake messages to be signed with an RSASSA-PSS signature, no other signature scheme will work. 

The Semeru 11/17/21 release includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). TLSv1.3 is the latest iteration (August 2018) of the Transport Layer Security (TLS) protocol and is enabled by default in Semeru 11/17. This version not only focuses on a faster TLS handshake, but also updates the overall security of the protocol by disallowing outdated or weak crypto algorithms. For example, RSA key exchange and plain DSA signature algorithms are no longer supported. The cipher suites have also been updated, TLSv1.3 uses TLS_AES_128_GCM_SHA256 versus TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA for TLSv1.2 and earlier.

The TLS 1.3 protocol can be implemented with a backward-compatibility mode, but there are additional issues to be aware of.  One aspect to consider is the policy used is different for the versions, TLS 1.3 uses a half-close policy, while TLS 1.2 and earlier use a duplex-close policy.

JSSE provider differences can be found here.

Conclusion

Upgrading from IBM SDK 8 to Semeru 11/17/21 is essential for keeping up with the ever-changing Java landscape. By making this transition, you benefit from ongoing security updates, expanded library compatibility, performance enhancements, support for modern technology, and a smoother upgrade path to future Java versions. Don't wait until it's too late—embrace Semeru 11/17/21's new features and improved stability for your software development projects.

In summary, upgrading to Semeru 11/17/21 brings not only performance and security improvements but also benefits such as the OpenJDK security implementation, the IBMZSecurity provider, enhanced TLS 1.3 support, LTS status, and access to regular SDK refreshes.

----------------------------------------------------------------------------------------