I see previous versions of the JDK posted at the Adobe link below, but I was wondering approximately how long it takes them to make the new version available?
Adobe ColdFusion https://www.adobe.com/support/coldfusion/downloads.html
Related security issues fixed https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixJAVA
It usually takes some days, perhaps a week or two.
Joe, are you asking because you are reluctant to get them directly from Oracle, and prefer only to use them as offered by Adobe on that page? I have seen some contend that. Maybe you have read that.
I have contended to the contrary that there's no NEED to wait for them to put it there, if you want to move to the new JVM sooner. [Update: see a response from Rakshith, the CF Product Manager, on why he still recommends people still download the JVM from Adobe rather than Oracle. I leave the rest here for the sake of context and background. Here's a link to his comment below, and I have a reply after that.]
You can go to the Oracle site, and logging in with a free account, you can download it from there. Yes, you will see there a warning that you must license Java to use it for production, but we CF folks are covered for that, according to this Jan 2019 blog post from Adobe.
To those who feel that only downloaders offered by Adobe on that CF downloads page would cover them, I will repeat (as I've said elsewhere here) that I have compared the installers there with what's at the Oracle site, and they are binary the same.
And since the installer includes as a first step your agreement to the license, it's clearly the same license, since it's the same installer. So no, it should NOT matter WHERE we get the installers. (I realize some may still be reluctant to get an account from Oracle and download from there. Such folks can then of course await Adobe putting the files on their site.)
Finally, no, "I am not a lawyer", and yes I am stating here my opinion. I welcome anyone to offer a refutation, whether technical or a technicality. To be clear, I've never seen where Adobe has said that we MUST download them from them, to be covered. Instead, it seems to be a mere assertion some have made or an inference they have drawn, and I would argue against each.
Joe, if none of that was your concern, sorry. Since this is a public forum, and others will generally come along later to offer thoughts, I try to address more than just the direct question asked. 🙂
Thank you for your lightning fast answer. I guess I wasn't sure if I needed to wait for Adobe to post it to their page for licensing and support reasons. The licensing issue is addressed (thank you for the details), and it's a hotfix.
Thank you very much!
Great to hear, and to hear back. Glad to have helped.
Let's now see what others may well have to say about what I wrote. 🙂
I have an Oracle account, but now they want to "connect your user account to a Support Identifier" to proceed, unless I'm in the wrong area. Did you have to do that?
I have never had that requirement when downloading a JVM. I have only had it when viewing a support technote. Can you clarify what URL you were visiting before you got that prompt?
I've been getting the JDKs from this page, but when I try to download it asks me to login:
However, I Googled and found a better page now, which does not require login:
We recommend that you download the installers from the Adobe site and not directly from Oracle though your use is associated with ColdFusion, even if the installers are exactly the same. This is the very reason we have provided an Adobe site that has installers procured from Oracle via a proper support contract.
If you do not find a particular version available on the Adobe site, please send an email to email@example.com and we will take care of this.
Ah, ok. So that's where people have gotten that idea. 🙂 And perhaps you have more reasons than you're letting on. I won't press you to reveal them, but I will add some thoughts on this, for others who may wonder or would want to press the point.
First, I notice you say here that you "recommend" people get them from your site, so one could read that as a preference rather than a requirement. Indeed, I know many have assumed that you provided the downloads simply so that folks would NOT NEED to obtain an Oracle account to download them. And for that, thanks, of course.
(Though to clarify, as Chris confirmed above today, one really does only need a free Oracle account, to download the files at https://www.oracle.com/java/technologies/javase-downloads.html. We don't need a support contract to proceed with such a download, as some have argued.)
We can at least regard that as a backup, but thanks for indicating here how one can press Adobe if they find that a new JDK is not there when they seek it. That said, I doubt many will see this.
But then you say "this is the very reason we have provided an Adobe site that has installers procured from Oracle via a proper support contract." Let me add some context, for those not following things closely in late 2018/early 2019. Oracle did indeed change their stance then. Whereas before, anyone was free to use Oracle Java in production, after early 2019, anyone using in production a) Java 8 updates released after then, or b) versions of Java beyond 8, would have to have licensed Java from Oracle to use it in production.
The link I shared above was Rakshith's post then, indicating how Adobe had reached a deal with Oracle to allow CF users to continue to use it, in production, and for subsequent Java releases, without need to pay. Again, thanks for that. (And while yes, there are openjdk and other free alternatives, CF currently does not support them. Perhaps that's another unspoken part of this deal.)
Indeed, maybe another issue is that they are tracking the numbers and kinds of downloads on that page (perhaps related to that agreement), and they may not want to acknowledge that.
Or maybe the deal included a stipulation that they wanted Adobe to offload the burden of downloads from their site, for folks using it with CF. Or maybe they didn't want people signing up for the free Oracle account, if they were "only" going to use it to download the JVM for use with CF. I can't imagine that the numbers of these are really enough to worry mighty Oracle, but if that's what the deal entailed, so be it.
And so with that, I will continue to point people to the CF downloads page to get the Java installers (as I have been doing about weekly with clients for the past year+). And now we have the explanation "straight from the top" that Adobe prefers we use that download page, for whatever reasons, even if they are binary the same. And we now know that we can report the need to them, if they are not there.
Finally, I have to report that the ones from last week are still not there. It's not clear if Rakshith was going to take care of that. I just sent a note to the address he offered, to ask them. Until then, folks who want it and can't wait have the info they need to decide how to proceed. (And perhaps there may be more to come on this discussion. We shall see.)
The April 2020 jvm updates are now on the CF downloads page. (For those wanting more context, see the other comments here.)
One thing not clear when upgrading from JDK 11.0.6 (CF2018) to JDK 11.0.7 (or JDK 12) is what needs to happen within the CFAdministrator for the instances. When we upgraded to 11.0.6 we were required to point the Java setting in the CFAdmin to the new location, which included the folder named /Java/jdk-11.0.6 . Assuming that the new 11.0.7 JDK is now going to be in a folder /Java/jdk-11.0.7 ... will all of our CF2018 instances need to be pointed to the new folder name? Have not seen any instructions for this. Same goes with this moving forward... does every update of the JDK involve re-pointing CF (and any instances) ?
First, let me say that there is nothing about your question (or my answer) which is really specific to this jvm 11.0.7. I appreciate that it seems somehow to be so for you, but it's not.
So about where you install it, you decide when you install it. And then yes, you tell CF to use it, either by using the CF Admin "java and jvm" page and its "java home" field, or just by editing the underlying jvm.config file that holds changes made to that page, where its java.home points to the jvm to use. (If you do the latter, note that you must use / rather than \ if it's a windows file system path, or you can use \\. CF will not start if you use the default \.)
You also mention having multiple instances. While in CF9 and earlier, all CF instances shared one jvm.config (unless you took steps manually to change that), since CF10, each instance has its own jvm.config. And as such, they can either all point to the same jvm or point to different ones. It does not matter.
All that matters is that the java home points to a valid jvm. (FWIW, in Java 8 and earlier, even the JDK installer would create a jre folder under the jdk, and you needed to point to THAT. With Java 11, you would indeed just point to that /Java/jdk-11.0.7 folder you refer to, if that's where it is.)
Hope that helps. Let us know if you still have questions.
Hey Charlie - thanks for chiming in. CFSupport has verified that it will put the new JVM into a new folder (jdk-11.0.7) and that we do need to re-point each instance to that location (and restart). That alone seems a bit untidy given how frequently Java updates are coming out now, but the bigger problem we ran into while doing this is that the new location has a new CACerts file. So immediately, those things relying on the keystore (like the communication with datasources requiring SSL) failed. Fortunately, we found that simply copying the previous CACerts file into the new location immediately fixed that issue.
Thanks again for your input!
To be clear, I offer my reply here to help, not to be critical. Again you speak as if you (and they) feel that there's something new and different about "the new jvm", as if things are different from previous jvm upgrades, but there is not. Maybe instead this is simply the first JVM update for CF that you've done, and fair enough. Many people never get around to doing it, though they should (for security and other reasons, and Adobe not only supports but recommends it).
But yes, it's always been that when you install the jvm, it will place itself into a new folder (unless you tell it otherwise). Now, some people have TRIED to instead force the java installer to put itself into the existing CF jre folder, and I would NOT recommend that, because if you want to revert back to it, you would have lost the old version.
Granted, this does mean that when you have multiple instances, you have to change the jvm.config in all of them--but this is not at all unique to JVM changes: it's true for all CF admin settings. (We could wish that Adobe would come up with some means to have central, shared settings, for either all instances or even for instances across machines. I don't ever see either happening, myself. But I will note there is a new cli-based config feature coming in CF2020, called cfsetup, and then there is the long-existing cfconfig tool from the Commandbox team, either of which can help in managing the config of multiple instances.)
Finally, you mention the keystore (cacerts). And dealing with it is again not a problem unique to this jvm, but indeed an issue for whenever anyone would change CF from using one jvm to another. I always warn people (when I help them do that) that we should at least look at and confirm if the keystore/cacerts in the previous JVM HAS been updated since it was installed. If it has not, then we don't need to worry about it.
But in your case, you confirmed that it DID need to change (because your https requests failed), and you needed to update the keystore, and you did that by copying it from the old to the new jvm. I would recommend against that, because in doing that you just lost all the UPDATED certs (root and otherwise) that came bundled with the new jvm. Instead, the better thing would be to leave that new cacerts in its place, and instead IMPORT into it (with the jdk's keytool) whatever certs you felt you needed to import. But I know that's work.
Further to that (and for others, reading this far), note that sometimes you do NOT need to even bring ANY "old" certs into the new jvm, because instead the mere fact that the new jvm has new certs (root and otherwise) can be enough to negate the need (with the old jvm) to have had to import certs. I know that may be confusing to some. This isn't a blog post, so I will leave it at that.
Anyway, I know your https calls did not work so you had to do SOMETHING. I'm simply saying the BETTER thing generally would be to import whatever certs you find you "need" into the new jvm. Of course, one challenge is you may not have the other certs you'd imported. And I realize it's too late anyway, if you didn't save off the original cacerts that came with the new jvm.
And even if you did, you may not want to bother. It's working now, right? 🙂
I just hope this may help you or others coming across this stuff. And I cover it all in a lot more detail in a 2014 post, https://www.carehart.org/blog/client/index.cfm/2014/12/11/help_I_updated_CFs_JVM_and_it_wont_start, as well as in a related https://coldfusion.adobe.com/2019/06/error-calling-cf-via-https-solved-updating-jvm/.
Either way, glad you got things sorted, blckburn77.
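
Added example, not part of any post in this thread: a Python sketch of the "import into the new cacerts rather than copy the old one over it" approach discussed above, comparing the saved output of `keytool -list -keystore <cacerts>` from the old and new JVMs by certificate fingerprint. The listings, aliases and fingerprints are constructed placeholders, the function names are hypothetical, and the parser assumes English-locale keytool output.

```python
import re

# An entry line looks like "alias, Mon D, YYYY, trustedCertEntry," and is
# followed by a "Certificate fingerprint (<alg>): AA:BB:..." line.
ENTRY = re.compile(r"^(?P<alias>.+?), .+, (?P<kind>\w+Entry),\s*$")
FPR = re.compile(r"^Certificate fingerprint \([^)]+\): (?P<fp>[0-9A-Fa-f:]+)\s*$")

# Constructed sample listings; aliases and fingerprints are placeholders.
OLD_LISTING = """Your keystore contains 2 entries

example-root-a, Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:11:11:11
internal-db-ca, Feb 3, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:01
"""
NEW_LISTING = """Your keystore contains 2 entries

example-root-a, Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:11:11:11
example-root-b, Apr 14, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:22:22:22
"""

def parse_listing(text):
    """Map fingerprint -> alias for each trustedCertEntry in a listing."""
    certs, pending = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            pending = m["alias"] if m["kind"] == "trustedCertEntry" else None
            continue
        m = FPR.match(line)
        if m and pending:
            certs[m["fp"].upper()] = pending
            pending = None
    return certs

def compare(old_text, new_text):
    """Only-in-old certs need review (some may be roots the vendor dropped);
    only-in-new certs are what copying the old file over would discard."""
    old, new = parse_listing(old_text), parse_listing(new_text)
    return {"review_then_import": sorted(a for f, a in old.items() if f not in new),
            "lost_if_old_copied_over": sorted(a for f, a in new.items() if f not in old)}

def import_commands(alias, old_ks, new_ks):
    """keytool commands to carry one reviewed cert over; keytool prompts for passwords."""
    pem = f"{alias}.pem"
    return [f'keytool -exportcert -rfc -alias "{alias}" -keystore "{old_ks}" -file "{pem}"',
            f'keytool -importcert -alias "{alias}" -file "{pem}" -keystore "{new_ks}"']
```

Keep a copy of the new JVM's original cacerts before importing anything, so the bundled trust store can be restored.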