Why to upgrade your runtimes

Many companies have strict rules for technology updates made from various reasons. However, it is important to keep products updated to the latest version as possible. Just look at the browser and OS updates warnings showing everywhere pointing out about security related update importance.

One might ask why do we write about this?

Simply put, with the same reason, as a security warning importance. Our main product - Green Screens Terminal Service for IBM i is written in Java with back-compatibility to Java 8. However, latest production version today is Java 14, and in a few months, it will be Java 15. Importance to update Java runtimes to the latest version is equally important as OS or browser regular updates.

Difference between two Java versions 8..14 are enormous. Too big to write here about them all, but let's take the most important elements for an example:

  • performance on multiple levels - from networking, memory optimizations to code execution has dramatically increased.
  • garbage collector - from blocking to pauseless non-blocking high performance collector with extremely low impact
  • security - multiple levels, algorithm updates, various new technology updates as TLS 1.3, EC certificates etc.

To see a summary of how many things changed in last 6 years between versions 8 to 14 check out this link.

Still, some clients are persistent running old Java versions which might affect Java programs performance or feature availability and thus our product usually takes the blame as nonfunctional or with missing features from what is promoted.

Let us give one example:

Due to the constant battle in online security field, Internet is constantly moving forward introducing new standards, or big improvements in existing ones. For an example, new TLS 1.3 protocol, a replacement for 20+ years old SSL, use modern encryption algorithms, a replacement for 20+ years old RSA. New FIDO2 based password-less online security standards, as biometric, TPM modules almost any laptops have today; security keys as Yubico and many others requires modern algorithms to provide end user the best possible online protection in never ending online security battle.

As those updates brings new algorithms, software products get updated to a new version bringing more and more support for such new technologies making old versions obsolete. Sooner or later, update will have to happen. It is better and easier to do updates occasionally, to follow the trend as over the time, technology changes might be so big that updates will be complex, hard to implement and probably very expensive.

For an example, Green Screens Terminal Server for IBM i will detect Java runtime version used, and disable some features based on Java version. Will hide some features from the user or override some user settings selections as certificate key size, type of certificates, webauthn support etc. All that is required to make product functional with older Java Runtime versions. However, user might get lower security level activated making it more vulnerable to online attacks.

Green Screens Terminal Server for IBM i is developed under Java 8 to keep back compatibility, but tested and distributed in two packages - update package which is product it-self and distributable runtime which includes at least OpenJava 12 or newer to ensure all implemented features will work as intended.

Even so, users sometimes do things on their own, like moving our product packages into another Java Server running on Java Runtimes older than 12 and unoptimized for our product.

Another example is an issue with Java 8, builds older than 246 (by our knowledge) which does not have some methods in ByteBuffer class. Very important for modern networking, causing runtime errors and session disconnections. More about the issue can be found here. So, even we tested the product on Java 8, this points out that customer did not updated even 6 years old Java runtime with its own fixes.  

Our usual question we ask and we will ask here...Can you imagine running 6 years old OS or 6 years old browser? Comparing IT security with food, this is like eating 6 years old bread.

With many years working with Java technology, we can surely say, that it is one of the most widespread and backward-compatible technologies that exists which is extremely valuable asset for long term living products. The main Java postulate is to run everywhere and being back-binary supported. We never seen that newer Java Runtimes did not run older projects (might happen) but there is no excuse to not to update as for Java Runtimes it is not a problem to have multiple versions running on the same system.

We are aware that technology changes are rapid and tracking all changes are not easy, but they are a must. Our experience of 20+ years working in IT sector give us some knowledge based on situations where we burned our fingers a few times where we learned a lection (or two :) ) from our own experiences. So, we can give a simple and free advice:

If you can update to the latest production environment, do it. If you can't, try at least to update to one version before. But under any circumstances, do not hold to the old versions if you don't have to; especially to versions older than 2 or more years.

Please consider this advice and there will be less frictions. If it happens that for some reason you have to keep old Java Runtimes, there is another tip...

Multiple JVM versions can be used on the same system and all what is required to switch JVM version is a simple environment variable JAVA_HOME.

Don't downgrade, upgrade!