Welcome Guest! Log in
Due to some maintenance operations, stambia.org will be switched to read-only mode during the 13th November. It will be possible to read and download, but impossible to post on the forums or create new accounts. For any question please contact the support team.

Choosing the right Java version

    This article is a Work in Progress!

    Java is distributed by different vendors in different versions. It is important to choose the appropriate version, depending on the technical needs and requirements.

    In this article we are giving some advice to help selecting the appropriate Java version for your Stambia DI environment.

    Generalities

    • Supported Java distributions
      • Stambia DI officially supports Oracle Java (versions 6, 7 and 8).
      • Java 9 & 10 are not supported.
      • Java 11 will be supported starting with Designer S19.1
      • Some installations run with IBM Java (AIX servers), OpenJdk (Linux). Stambia DI can work with these so feel free to use them and inform us in case of issues.
    • Good practices & information
      • Make sure your QA environment has the same exact Java version as your target Production environment
      • Upgrade your JVM with care: test your Stambia processes before deploying the new Java version, avoid Java auto-updates
      • You can easily install standalone Java versions to avoid dependency with other applications and auto-updates.
    • Examples of technical requirements
      • If you plan to use ODBC datasources, make sure that the JVM architecture (32 bits / 64 bits) matches the ODBC driver architecture.
      • SSL connections to some SFTP/SSH/HTTPS servers may require Java Security algorythms => make sure the Java version supports them.
      • Some JDBC drivers require minimum Java versions. See your JDBC vendor's documentation (Oracle, Microsoft SqlServer, etc...)
      If the requirements lead to several Java versions, you can setup several Runtimes with different Java versions!

    Checking which Java version is currently used by Stambia DI

    • Java version used by the Designer
      • Select the "Help" / "About Stambia Designer" menu
      • Click the "Installation Details" button
      • Go to the "Configuration" tab and look for the line starting with "java.home" and "java.version"
    • Java version used by the Runtime - Method 1
      • Execute a Stambia process which executes the following Rhino Scripting action:
        __ctx__.publishVariable("/JAVA_VERSION", java.lang.System.getProperty("java.version"));
        __ctx__.publishVariable("/JAVA_HOME", java.lang.System.getProperty("java.home"));
      • Consult the result in the Session's Variables view
    • Java version used by the Runtime - Method 2
      • Connect the Designer to the Runtime
      • From the "Runtime" view, click the "Open" button
      • Select the "Virtual Machine" tab and consult the information, included the additional links at the bottom

    Configuring Stambia DI for a specific standalone Java installation

    It is a good idea to configure Stambia DI for a specific standalone Java installation: it ensures you keep control on the JVM used by Stambia DI, for example no impact when the Operating System silently does a Java upgrade...

    • Download a standalone Java archive (usually available as a .tar.gz archive)
    • Uncompress it to your preferred installation directory, for example: /home/stambia/java/jre1.8.0_151
    • Configure the Designer to use this Java installation, in stambia.ini :
      -vm
      /home/stambia/java/jre1.8.0_151
      -vmargs
      [...]
    • Configure the Runtime to use this Java installation, using the STAMBIA_JAVA_HOME environment variable:
      export STAMBIA_JAVA_HOME=/home/stambia/java/jre1.8.0_151

     

    Configuring Java for Certificates and SSL

      Some technologies sometimes require a certificate to connect to the server. For example when working with HTTPS, SSH, SFTP, FTPS, SMTP servers, etc.

      Java needs to have these certificates in the truststore, and then Stambia DI Runtime will be able to connect.

      Creating a certificate

      If you need to configure Stambia for publishing a service with SSL, then maybe you need to create a certificate.

      The usual recommendation is to get a certificate from a Certification Authority, especially when the service is publicly exposed and/or critical. Other use cases (such as SSL communication within the company local network, or test environments) can be satisfied with a self-signed certificate.

      Here is how to create a self-signed certificate using Java keytool.

       

      Creating the certificate and registering it in the Java installation:

      D:\apps\java\jre1.8.0_151_64\bin>keytool.exe -genkey -keyalg RSA -alias MyCertificate -keystore keystore.jks -storepass changeit -validity 365 -keysize 2048
      What is your first and last name?
        [Unknown]:  myserver.domain.com
      What is the name of your organizational unit?
        [Unknown]:  companyName
      What is the name of your organization?
        [Unknown]:  companyName
      What is the name of your City or Locality?
        [Unknown]:  Somewhere
      What is the name of your State or Province?
        [Unknown]:  Somewhere
      What is the two-letter country code for this unit?
        [Unknown]:  FR
      Is CN=myserver.domain.com, OU=companyName, O=companyName, L=Somewhere, ST=Somewhere, C=FR correct?
        [no]:  yes

      Enter key password for <MyCertificate>
              (RETURN if same as keystore password):
      Re-enter new password:

       

       

      Viewing the certificates installed in the Java keystore:

      D:\apps\java\jre1.8.0_151_64\bin>keytool -list -v -keystore keystore.jks
      Enter keystore password:
      Keystore type: JKS
      Keystore provider: SUN

      Your keystore contains 1 entry

      Alias name: mycertificate
      Creation date: 12-Feb-2019
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=myserver.domain.com, OU=companyName, O=companyName, L=Somewhere, ST=Somewhere, C=FR
      Issuer: CN=myserver.domain.com, OU=companyName, O=companyName, L=Somewhere, ST=Somewhere, C=FR
      Serial number: 2165da64
      Valid from: Tue Feb 12 12:13:40 CET 2019 until: Wed Feb 12 12:13:40 CET 2020
      Certificate fingerprints:
               MD5:  31:DD:93:B9:51:CA:6F:64:08:57:0F:60:ED:F4:C5:7D
               SHA1: E1:2F:94:67:4C:9D:39:03:82:9B:69:1E:2B:5D:8E:2E:6C:FB:BA:D5
               SHA256: C7:AD:21:DD:0B:7D:0A:7D:A9:CB:FB:14:7B:54:EF:E4:19:FA:45:1D:27:B2:75:EE:AB:01:11:5A:02:DA:44:68
      Signature algorithm name: SHA256withRSA
      Subject Public Key Algorithm: 2048-bit RSA key
      Version: 3

      Extensions:

      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 2A 4A F3 6F 7C 70 E2 C4   41 5F 12 BC 24 D9 FB 7D  *J.o.p..A_..$...
      0010: 98 78 8D 73                                        .x.s
      ]
      ]

      *******************************************
      *******************************************

       

       

      Exporting the certificate:

      D:\apps\java\jre1.8.0_151_64\bin>keytool -certreq -alias MyCertificate -keystore keystore.jks -file MyCertificate.csr

      Enter keystore password:

      D:\apps\java\jre1.8.0_151_64\bin>dir MyCertificate.csr
       Volume in drive D is Data
       Volume Serial Number is 2891-91F0

       Directory of D:\apps\java\jre1.8.0_151_64\bin

      12/02/2019  12:25             1,128 MyCertificate.csr
                     1 File(s)          1,128 bytes
                     0 Dir(s)  91,272,257,536 bytes free

       

      Viewing the certificate content:

      D:\apps\java\jre1.8.0_151_64\bin>type MyCertificate.csr
      -----BEGIN NEW CERTIFICATE REQUEST-----
      MIIC9OKNVdwCAQAwfzELMAkGA1UEBhMCRlIxEjAQBgNVBAgTCVNvbWV3aGVyZTES
      MBAGA1UEBxMJU29tZXdoZXJlMRQwEgYDVQQKEwtjb21wYW55TmFtZTEUMBIGA1UE
      CxMLY29tcGFueU5hbWUxHDAaBgNPTGSTE215c2VydmVyLmRvbWFpbi5jb20wggEi
      MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqIv1uYxujXBqSwMBx8HsObWbo
      VIoeKabEgM3UmwRKcmFp0HTNvApsqu/hibVxDAui5mWYKRa9pQCjrXSbsKpaYuw4
      z9AI9O71wV1ip7wVilXlOkwvd6X25vkjBFMjBMDlEEPo+nAm+e+yl7JsIr6a6svp
      3ueXPl18TV5VyrAAVSuXGCdIW9/pHYgPJULmA8QvGhcqGnPYLRsCHOwGOUDMV/xG
      TE/cJoRtLvRpMS3zen92EwGrl37SHplmwEWuiR4L/RN2KR1KB+BOTacUFpDHWuOx
      wgmwM6zEYMjBzKvHA1+UAQT5YfG1pg2KWfvwki22Jtub/vBT8vdquXbV8z05AgMB
      AAGgMDAuBgkqhkiG9w0BCQ4xITAfMB0GA1UdDgQWBBQqSvNvfHDixEFfErwk2ft9
      mHiNczANBgkqhkiG9w0BAQsFAAOCAQEANljQi0YvYjHJFpfEcdC4UnbiGqxXEHBq
      VXoHP8eAh5LcdgjkFZKs2f/2Z+3vkbVH/e1DamtqKC9xNV3NBRd8GbTFCTSWvIbi
      f2S8abtw3mkOvu9B1gS3aWL7PpWA7sV8O2pGDd/gfMqjsjldKDWwwAeXjZqwJgAr
      a9gAiaL4VBJEKPPfURf9eRqicAJkXvlZXTx5eyFvgYAz4vN+dkN/FRZ0eZoPUrkw
      N6WQhxSg+Ri2m6ada+caF6TKCrP1z9M/nxfh7Fix/KSbnwGy7PH36q/rNxmll2/+
      ojX/c0AYDdPBRyefi9hI9deDgCOFmXR2jOumpQwQl/EeYBZ67BkxVQ==
      -----END NEW CERTIFICATE REQUEST-----

       

      Getting an existing certificate

      You will need a certificate file (extension is usually .crt or .csr). This must be done out of Stambia DI.

      The server administrator can generally provide this certificate.

      Other ways to get the certificate are:

      • HTTPS servers: point a web browser to the URL and export the Certificate (search "how to export certificate using your_browser_name")
      • Using openssl command line
        > openssl s_client -connect <host>:<port> 
        CONNECTED(000001B0)
        [...]
        Server certificate
        -----BEGIN CERTIFICATE-----
        MIAJHTCCAjkCBE3yCVIwDQYJKp87hvcNAQEFBQAwbTELMAkGA1UEBhMCRlIxDjAM
        BgNVBAgMBXJob25lMRIwEAYDVQQHDAlsb2NhbGhvc3QxEjAQBgNVBAoMCWxvY2Fs
        aG9zdDESMBAGA1UECwwJbG9jYWxob3N0MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcN
        MTEwNj45FDwODUwMOIHMTIwNjA5MfTIwODUwWjBtMQswCQYDVQQGEwJGUjEOMAwG
        A1UECAwFcmhvbmUxEjAQBgNVBAcMCWxvY2FsaG9zdDESMBAGA1UECgwJbG9jYWxo
        b3N0MRIwEAYDVQQLDAlsb2NhbGhvc3QxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIw
        DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJtqhXrGNhWG8UpLS/gPN2NI0zSJ
        wMIyVNHwwOdg2Vj8R+Pbda+FX+DvDOGFRE3HWNgCw3WKN526c9p4EkCtr0K01Qc1
        GyXIuYagpzs/RrfkWFXoQ0pcTe9yilzlggYF0cYuweIGJCJMCzoyaupr4/Pd5N7K
        laDHyvVpGwNFLwfwNht6fToCfr7jZA8mp2OJ8VdqbhS7PoO2LSusN2ct0IhyXwFh
        YyjtFTslj8h6N5GSx/kMqUcEx+rbHslL1MTplgbG+X3S5oTIDqsgR0Il7W5IaBJl
        MyzyGMxPVi1U6auEouSpI+KYlRNO7EdTzod+hLn5H6SO8b7A9CEL67cw22UCAwEA
        ATANBgkqhkiG9w0BAQUFAA9k7zvjz851yH/hnGgwTTDCgaaZHzaOMuTq/DNLFDCL
        rYcDC1+yokwPicTJIUxPDQ/tYs51Ml0IDjz+j+0p44PDbonmMM+Axb4RJElzH66i
        tPGKqW2A8h5f9HJBiq5pRmLwqb2N5Gio8uPY3ncRaM9LbOvQ0A4VHTzy5PR+4w8t
        +hvuDDhSiD168nMljkyvXvlMJW8VlCgVBtq2ByFZA4s0xXSropqcIpIiwuWetnKp
        BnrTkZOAm/JsS8R2zE3n46sTo4Ej/on+7Z6524coS1ky9QXTQ21+TeXaO0xEOCUK
        AtHZbGYtCEEd3iI1eib3tuhssEJPyjXY9wkHV1rznx1r+fXHcA==
        -----END CERTIFICATE-----
        [...]

      • Copy the lines between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", including these
      • Save these lines to a temporary "certificate.crt" file

      Importing the certificate into your Java installation

      This is usually done with the keytool utility, included in your Java distribution.

      Example 1: adding the certificate to the default truststore

      <JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file certificate.crt

       

      Example 2: creating a specific truststore

      <JAVA_HOME>/bin/keytool -import -alias alias01 -file D:\data\certificate.crt -keystore d:\data\myKeyStore.jks
      Enter new keyfile password :
      Re-enter new password :
      Owner : C=FR
      Issuer : C=FR
      Serial Number : 0
      Valid from: Thu Sep 25 18:01:13 PDT 1997 until: Wed Dec 24 17:01:13 PDT 1997
      Certificate Fingerprints:
               MD5:  C0:5B:B9:6F:63:1B:5E:70:4C:E3:A1:C6:0F:2B:58:68
               SHA1 : F8:44:F1:BC:9B:19:8A:FA:8A:58:D4:7C:AC:D3:16:B8:92:79:66:78
               SHA256 : F2:9D:89:02:55:4C:F5:77:E5:13:C7:5F:06:CF:0B:2C:F1:C6:04:4B:D5:1F:E4:E6:FD:9B:98:A1:F0:A3:F4:C7
      Trust this certificate? [no] :  yes
      Certificate added to keystore

       

      Please consult your Java distribution's documentation for further details.

      Making sure that Stambia DI uses the certificate

      When the certificate is installed in the default truststore of the Java installation, then Stambia DI will automatically use it.

      When the certificate is installed in a specific location, you can specify the truststore on the Action by adding the following properties:

      KEY_STORE: d:\data\myKeyStore.jks
      KEY_STORE_TYPE: JKS
      KEY_STORE_PASSWORD: <encrypted password>

      Note: the password can be encrypted using the Runtime's encrypt <password> command.

       

      Articles

      Suggest a new Article!