Update the Server Side Version of Java
Overview
Percussion CM1 and Percussion Rhythmyx use Java technologies on the server for the application server and on client desktops to run features like the Desktop Content Explorer. For consistency in customer experience, Percussion server products have historically shipped with a bundled Java Runtime. Oracle's many licensing changes for Java over the last several years have made this deployment model for Java untenable. Effective with the 732_20190510 Patch level of Percussion Rhythmyx and the 5315_20190520 patch for Percussion CM1, we will no longer ship a JRE with future Patches or releases. This article describes our recommended strategy and best practice for customers in meeting the JRE 1.8 prerequisite.
Percussion - Server Java Version History
Product | Version | JRE Version | Recommendation |
Percussion CMS | 8.0* | JRE 1.8 Latest Update | |
CM1 | 5.4* | JRE 1.8 Latest Update | |
Rhythmyx | 7.3.2 | JRE 1.8 Latest Update | |
CM1 | 5.3 SR1 | JRE 1.7 Latest Update | |
Rhythmyx | 7.2.0 | JRE 1.6 | |
Rhythmyx | 7.1.0 | JRE 1.6 | |
Rhythmyx | 7.0.3 | JRE 1.6 | |
Rhythmyx | 6.7 | JRE 1.6 | |
Rhythmyx | 6.5.2 | JRE 1.5 | |
Rhythmyx | 5.71 | JRE 1.4.2 | |
* Not released or available at the current time.
JRE versus JDK
Percussion does not require a Java Development Kit (JDK) to be installed in order for it to run. Customers that are developing Java Extensions to Percussion will need a JDK installed to compile and build those extensions, so it may be common to have a JDK installed on a Development instance of Percussion, but it is not required. Percussion currently requires a Java Runtime Environment (JRE) compliant with the Java 1.8 standard in order for it to run. We have tested Percussion with Open JRE and Oracle JRE. IBM's JRE has not been tested, but may work fine as it is 1.8 standards compliant. Developers building custom Java Extensions on their machines will require a 1.8 JDK, or a JDK capable of generating 1.8 compliant byte code, on their Development machines.
Simplifying Server Side Java Security Updates
Percussion CM1/Rhythmyx is supported in mixed environments including Linux, Windows, and Solaris. From a System Administrator and Security Specialist perspective, it is ideal to rely on the Operating System update mechanism when possible for keeping system libraries such as Java up to date. Distributions and Vendors push security updates to the Operating System on a regular basis and the Admin can rely on System updates to keep systems secure.
All versions of Windows and Linux currently support Symbolic Links. A Symbolic Link is essentially a file or directory that links to a file, directory, or device at a different location on the file system. Documentation on Symbolic Links for Windows can be found here. For Linux or Solaris a good overview can be found here.
Percussion will look for a JRE64 and JRE folder under the installation root folder when it runs. To simplify Java updates, the JRE and JRE64 folders originally shipped by Percussion can be removed. This removes the version of Java originally shipped with Percussion (and will likely be required to mitigate a security finding of an old or dated Java). Symbolic Links to the 64-bit and 32-bit 1.8 JRE provided by the Operating System or JRE vendor can then be created in place of those folders. On Linux systems this will most commonly be the 1.8 JRE provided by the OpenJDK project. On Windows and Solaris, it will most commonly be the long-term-support licensed Java 1.8 purchased from Oracle for the server.
How to Update the Shipped JRE Using Symbolic Links
Updating the JRE is relatively easy for a System Administrator. Essentially, you install the latest JRE 1.8 via the operating system or the JRE vendor. Then follow these steps based on your operating system:
NOTE: With the CM1 5.4 Release and the 8.0 upgrade, you will select a JRE location during the upgrade process. These steps are a measure to get you current NOW.
Windows How To
Linux / Solaris How To
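The folder swap described above, sketched for Linux as an added example (not Percussion's documented procedure): `link_jre` is a hypothetical helper, and the install root and JRE paths passed to it are assumptions for your system. It assumes the Percussion server is stopped, and it moves the bundled folder aside instead of deleting it so that files such as `lib/security/cacerts` can still be recovered.

```shell
#!/bin/sh
# Added example: replace a bundled JRE folder with a symlink to an
# OS- or vendor-managed JRE. All paths are assumptions; adjust them.
#
# link_jre INSTALL_ROOT FOLDER TARGET
#   FOLDER is JRE or JRE64, the names the server looks for under its root.
#   Example (assumed paths):
#     link_jre /opt/Percussion JRE64 /usr/lib/jvm/jre-1.8.0-openjdk
link_jre() {
    root=$1; name=$2; target=$3
    link="$root/$name"

    # Refuse to touch anything unless the target looks like a usable runtime.
    if [ ! -x "$target/bin/java" ]; then
        echo "error: $target/bin/java is missing or not executable" >&2
        return 1
    fi

    if [ -L "$link" ]; then
        # Already a symlink: drop it so it can be repointed (safe to re-run).
        rm -- "$link"
    elif [ -d "$link" ]; then
        # Bundled copy: move it beside the install root. Delete the backup
        # once nothing in it (for example imported certificates) is needed,
        # because a scanner will still flag the old runtime while it exists.
        backup="$root.$name.bundled.$(date +%Y%m%d%H%M%S)"
        mv -- "$link" "$backup" || return 1
        echo "moved bundled $name to $backup"
    fi

    ln -s -- "$target" "$link" || return 1

    # Confirm the link resolves to a runnable java binary.
    [ -x "$link/bin/java" ]
}
```

Run it once for `JRE` with a 32-bit runtime and once for `JRE64` with a 64-bit runtime, then start the server and check its log for the Java version it reports.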
Private LDAP Certificates and cacerts
Frequent Questions
Can I use any JRE version, like OpenJDK or do I have to use Oracle’s?
Yes, OpenJDK's JRE has been validated along with Oracle's JRE. The supported version is 1.8 - latest update.
Will this affect the Java applet or Desktop Content Explorer?
No. The updates described in this article only affect the Percussion Server.
Can I use JRE 1.9, 10 or greater?
Not at this time. Java 1.8 is the highest version of Java that Percussion supports.
Percussion CM1/Rhythmyx is getting flagged by an I.T. security scan on my network for a Java version vulnerability, is there a patch?
Follow the steps described in the How to Update the Shipped JRE Using Symbolic Links section.
How can it support 64 bit if the binaries like RhythmyxDaemon are still 32-bit?
The binaries shipped are very lightweight launcher scripts responsible for spawning batch files and shell scripts that fork and manage the actual Java server. As a result, 32-bit executables can launch the 64-bit Java process.
Why do I need a JRE and JRE64?
Some of Percussion's binary tools still require a native 32-bit JRE. These will be phased out over time.
Percussion CM1/Rhythmyx is getting flagged by an I.T. security scan on my network for a JBOSS version vulnerability, is there a patch?
There is an upgrade and a patch. After upgrading to 7.3.2 and patching, see this page on removing JBOSS from your installation.
A security scan is reporting bad versions of Java in a bunch of Patch/<patch number>/backups locations. Can these be deleted?
Yes. In fact, as a best practice, you can delete all of those old Patch folders except the previous one. Every Percussion patch backs up every file it will update to the patches backup directory. For patches that updated the JRE, the JRE and JRE64 directories would have been included in the backup in case the patch was uninstalled. That is why they are showing up on your scans.
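To see what a scanner will find before and after cleanup, this added example (not part of Percussion's tooling) lists every physical Java runtime under the install root, including copies left in Patch backups. `list_java_copies` is a hypothetical helper; the version is read from the runtime's `release` file where one exists.

```shell
#!/bin/sh
# Added example: inventory the Java runtimes physically present under an
# install root. The root path you pass in is an assumption for your system.
#
# list_java_copies ROOT
#   Prints one "<version><TAB><java home>" line per runtime found.
list_java_copies() {
    # find does not follow symbolic links by default, so JRE/JRE64 links
    # that point at an OS-managed runtime are skipped; only real copies
    # inside the tree (such as Patch/.../backups/JRE) are reported.
    find "$1" -type f \( -name java -o -name java.exe \) -path '*/bin/*' 2>/dev/null |
    while IFS= read -r bin; do
        home=${bin%/bin/*}        # strip the trailing /bin/java
        ver=unknown               # runtimes without a release file
        if [ -f "$home/release" ]; then
            v=$(sed -n 's/^JAVA_VERSION="\(.*\)"$/\1/p' "$home/release")
            if [ -n "$v" ]; then ver=$v; fi
        fi
        printf '%s\t%s\n' "$ver" "$home"
    done
}
```

An empty result after the symlink change and backup cleanup means no bundled runtime remains under the install root.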