IBM SDK for Java version 5.0: Current news

The documentation to support IBM SDK for Java version 5.0 is available in an IBM Information Center. Supplementary information is available for the following service refresh levels:

See updates for Java 5.0 service refresh 16 fix pack 2

See updates for Java 5.0 service refresh 16

See updates for Java 5.0 service refresh 15

See updates for Java 5.0 service refresh 14

See updates for Java 5.0 service refresh 13 fix pack 1

See updates for Java 5.0 service refresh 13

See updates for Java 5.0 service refresh 9

---

Information for Java 5.0 service refresh 16 fix pack 2:

This fix pack includes a change to the default value for the RMI property java.rmi.server.useCodebaseOnly from false to true, which might cause unexpected errors for applications that use RMI. For more information, see http://docs.oracle.com/javase/7/docs/technotes/guides/rmi/enhancements-7.html.

On Windows, improvements are made to the way that Runtime.exec decodes command strings. However, applications specifying commands that contain spaces in the program name, or that use quotation marks incorrectly, might fail to start. For more information, including guidance on resolving problems, see http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html#jaruntime.

This fix pack also contains a security fix for the Oracle security vulnerability, CVE-2013-0169, which affects Transport Layer Services (TLS) 1.1 and 1.2.

For further information about security fixes in this release, see Security Alerts.

The SDK and JRE includes the Olson timezone update tzdata2013b. For information about the daylight saving time changes included in this update, see Olson time zone updates in the IBM SDK for Java.

Go back to the top

---

Information for Java 5.0 service refresh 16:

A new set of unlimited jurisdiction policy files are available for download. Although the old policy files continue to work with all current releases, after installing service refresh 16, you should plan to update to the new policy files before 2014. This activity is necessary ahead of the expiry of the certificates that sign these policy files. For more information, see IBM SDK Policy files.

For any security fixes provided in this service refresh, see the list of Security alerts.

Daylight saving time data
Time zone update tzdata2012j contains daylight saving time changes for the time zone regions shown in the following table: Olson time zone updates in the IBM SDK for Java.

Go back to the top

---

Information for Java 5.0 service refresh 15:
The following hardware and operating systems are tested with service refresh 15:

• IBM zEnterprise EC12
• Microsoft Windows 8
• Microsoft Windows Server 2012

Daylight saving time data
Time zone update tzdata2012f contains daylight saving time changes for the time zone regions shown in the following table: Olson time zone updates in the IBM SDK for Java.

Go back to the top

---

Information for Java 5.0 service refresh 14:

The following changes are made for service refresh 14:

• There are performance improvements to hashing algorithms for hashed data structures.
• The IBM GBK converter can use Unicode 2.0 standards.
• The IBM PKCS11 security provider supports additional cryptographic adapters.
• Updates to daylight saving time data

For any security fixes provided in this service refresh, see the list of Security alerts.

Improved hashing algorithm
Improvements are made to hashing algorithms for IBM SDK for Java V5.0.
An improved hashing algorithm is available for string keys stored in hashed data structures. You can adjust the threshold that invokes the algorithm with the following system property:
-Djdk.map.althashing.threshold=value
where value defines the capacity of the hashed data structure. This algorithm can change the iteration order of items returned from hashed maps. Before enabling this property in a production environment you should test your applications thoroughly.
A value of 1 ensures that this algorithm is always used, regardless of the hashed map capacity. A value of -1 prevents the use of this algorithm, which is the default.
The hashed map structures affected by this threshold are: java.util.HashMap, java.util.Hashtable, java.util.LinkedHashMap, java.util.WeakHashMap, and java.util.concurrent.ConcurrentHashMap.
The capacity of a hashed map is related to the number of entries in the map, multiplied by the load factor. Because the capacity of a hashed map is rounded up to the next power of two, setting the threshold to intermediate values has no affect on behavior. For example, threshold values of 600, 700, and 1000 have the same effect. However, values of 1023 and 1024 cause a difference in behavior. For a more detailed description of the capacity and load factor, see http://docs.oracle.com/javase/7/docs/api/java/util/HashMap.html.
When entries are removed from a hashed map the capacity does not shrink. Therefore, if the map ever exceeds the threshold to use alternative hashing for Strings, the map always uses alternative hashing for Strings. This behavior does not change, even if entries are later removed or the map is emptied using clear().

An enhanced hashing algorithm is also used for javax.xml.namespace.QName.hashCode(). This algorithm can change the iteration order of items returned from hashed maps. For compatibility, you can restore the earlier hashing algorithm by setting the system property

-Djavax.xml.namespace.QName.useCompatibleHashCodeAlgorithm=1.0

IBM GBK converter
By default the IBM GBK converter follows Unicode 3.0 standards. A new system property value is available to force the IBM GBK converter to follow Unicode 2.0 standards.
To force the IBM GBK converter to follow Unicode 2.0 standards, use:
-Dfile.encoding=bestfit396

IBM PKCS11 supported devices
The following cryptographic adapters are now supported by the IBM PKCS#11 security provider:

• SafeNet Luna 4.0
• SafeNet Luna 5.0
• Thales nShield Edge
• Thales nShield Connect 1500.

The following cards are also supported:

• Thales nShield Connect 500
• Thales nShield Connect 6000

These models have not been tested by IBM, but support is assumed because other cards in the same family have been tested successfully.

The SafeNet Luna 3.0 is no longer supported.

The SafeNet Luna 4.0 and 5.0 adapters have the following observations:

• Private software keys cannot be translated using this card. Set publickeyimportonly = true in the PKCS#11 configuration file to ensure that the provider does not attempt to translate private software keys.
• Key wrapping does not work with the default configuration of the device.
• Setting a seed for the random number generator is not allowed.
• This device throws a ShortBufferException for buffers that are too small.
• The Blowfish and MD5 mechanisms are not supported.

The Thales nShield Edge and nShield Connect adapters have the following observations:

• RSA keys can wrap a DES or DESede key, but DES and DESede key cannot wrap an RSA key.
• Public keys cannot be wrapped.
• Translation of plain RSA keys is not supported. RSA CRT keys can be translated.
• Random number seeding is not supported.
• Hardware private key, the DERIVE, and SIGN value cannot be configured to true at the same time. Therefore, one private key cannot be used for both signing and key agreement.
• The Thales nShield Connect 1500 was tested with version 2.38.7 of the firmware, and with version 2.47.13 of the Thales client software. These version numbers can be found by running the enquiry command, which is part of the Thales client software. Users of the Thales nShield Connect 500 and Thales nShield Connect 6000 should ensure that the same, or later, firmware and client software versions are being used.

Daylight saving time data
Time zone update tzdata2012e contains daylight saving time changes for the time zone regions shown in the following table: Olson time zone updates in the IBM SDK for Java.

Go back to the top

---

Information for Java 5.0 service refresh 13 fix pack 1:

The following significant changes are included with fix pack 1:

Browser Exploit Against SSL/TLS (BEAST)
This change relates to Oracle security vulnerability CVE-2011-3389, which describes a potential security vulnerability with Secure Socket Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 protocols.
IBM's Java Secure Socket Extension (IBMJSSE2) has been modified. A JVM system property can be specified on the client side software that adds sufficient randomness to the TLS 1.0 and SSL 3.0 Cipher in Cipher-Block Chaining (CBC) mode to remediate a threat like BEAST. For more information about these changes see Security vulnerability fixes: IBM Java Secure Socket Extension (IBMJSSE2).

SocketFactory
This change relates to Oracle security vulnerability CVE-2011-3560.
If you have Java applications or applets with a legitimate need to set a particular SSLSocketFactory, you must make the following change after applying the fix:

• Update the Java security java.policy file to include the "setFactory" permission, if it is not already there. Use java.lang.RuntimePermission("setFactory").

KeyboardFocusManager implementation
This change relates to Oracle security vulnerability CVE-2012-0502.
The KeyboardFocusManager specification explicitly allows a single, global KeyboardFocusManager for all applets. Some public methods are unsafe for such implementations.
As a result of the fix, the following methods now throw a java.lang.SecurityException if they are invoked on a java.awt.KeyboardFocusManager that is not the current java.awt.KeyboardFocusManager for the calling thread's context:

• java.awt.KeyboardFocusManager.setGlobalFocusOwner(Component focusOwner)
• java.awt.KeyboardFocusManager.clearGlobalFocusOwner()
• java.awt.KeyboardFocusManager.setGlobalPermanentFocusOwner(Component permanentFocusOwner)
• java.awt.KeyboardFocusManager.setGlobalFocusedWindow(Window focusedWindow)
• java.awt.KeyboardFocusManager.setGlobalActiveWindow(Window activeWindow)
• java.awt.KeyboardFocusManager.setGlobalCurrentFocusCycleRoot(Container newFocusCycleRoot)

IBM SDK for Java 5.0 SR13 fix pack 1 includes the following update to daylight saving time data:

tzdata2011n
Time zone update tzdata2011n contains daylight saving time changes for the time zone regions shown in the following table: Olson time zone updates in the IBM SDK for Java.

Go back to the top

---

Information for Java 5 service refresh 13:

Security fixes
There are a number of security fixes in this service refresh. For more details, see the list of Security alerts.

IBM zEnterprise 196 toleration
For Service Refresh 13, IBM SDK for Java version 5.0 is supported on the IBM zEnterprise 196 System z platform.

Browser support
Mozilla Firefox 3.6 or newer, on any platform, is not supported.
Microsoft Internet Explorer 9 is not supported.

z/OS 1.13 support
For Service Refresh 13, z/OS 1.13 is supported.

Chinese characters or symbols encoded with GBK are incorrectly stored as ?
A problem was identified with an Oracle database created with ZHS16GBK (GBK) encoding. If you used a character defined in the Unicode Private Use Area (PUA), you might see some characters converted to "?" in the database, even when using GBK encoding.
From Service Refresh 13, a new codepage MS936A has been added. This solves the problem.

Prevent dumps being written to /tmp
When a dump is requested or forced, and the primary and secondary dump locations are unavailable, the JVM defaults to writing to /tmp.
From Service Refresh 13, this default behavior is prevented by using the option:

-Xdump:nofailover

Hardware cryptographic provider configuration files must use a fully qualified path
Hardware cryptographic providers can be specified using a configuration file. Here is an example:

name = HWtype_x
library=C:/WINNT/system32/HWtype_x.dll
description=the HWType_x hardware device config.
slotListIndex = 0

From Service Refresh 13, you must use a fully qualified path in the configuration file.
For more information about using the IBM hardware cryptographic providers, see https://www.ibm.com/developerworks/java/jdk/security/50/.

Go back to the top

---

Information for Java 5.0 service refresh 9:

The following command-line option is available from service refresh 9:

JVM command-line option: -Xloaminimum
You can use the following command-line option to manage the size of the large object area:
-Xloaminimum<percentage>

• Specifies the minimum percentage (between 0 and 0.95) of the current tenure space allocated to the large object area (LOA). The LOA does not shrink below this value. The default value is 0, which is 0%.

Go back to the top