Java Distributions

This document describes the Shibboleth project's policy with regard to the many different available distributions of the Java Development Kit used to develop and deploy the project's Java products.

The audience for this document is the project itself; its purpose is to specify the level of testing given to each distribution during the development and release of new versions of the products, and to indicate the level of support provided to deployers relying on each distribution.

Deployers will find that the Requirements section of the documentation for each product is more suitable to their needs than this document, which includes many technical details relevant only to developers.

Each version of the Java SE Development Kit (JDK) required to build or run Java software from the Shibboleth Project is available from several distribution sources. Different distributions of the same JDK may be licensed under different terms, may be built from different source trees, or may incorporate patches specific to that distribution. This document serves to collate information about different JDK distributions, and to indicate how each is treated by the Shibboleth Project.

For a given Product Platform, one distribution is designated as the primary distribution and is used by the Shibboleth Project as its reference:

  • The primary distribution will be used for building product artifacts.

  • The primary distribution is the basis for most of the continuous integration testing we perform (e.g., the standard, -nightly and -site jobs in Jenkins).

Specific distributions are fully supported for use with the software. This means:

  • The community may report bugs with the expectation that we can attempt to reproduce and investigate problems related to this distribution.

  • Members of the Shibboleth Consortium may request technical support related to this distribution.

  • Each such distribution will also be tested as part of the Jenkins -multi jobs. For distributions provided by operating system vendors, this regular testing may be userspace-only (e.g., within a container) if the project does not maintain a permanent machine or VM running that specific operating system.

  • The project will maintain the ability to replicate the complete environment, including operating system at the VM level, for debugging purposes.

Additional distributions may be partially supported for use with the software. This means:

  • The community may file bugs but may commonly be expected to reproduce unusual or esoteric problems on a fully supported distribution before further investigation takes place.

  • Members of the Shibboleth Consortium may request technical support related to this distribution.

  • Such distributions may be tested as above but typically with reduced regularity or completeness.

  • The project may have lesser ongoing ability to replicate the complete environment but will do so when necessary to support Consortium members reporting issues.

Further distributions will be tested at the project's discretion as part of the Jenkins -multi jobs. The purpose of this testing is to make the project aware of potential incompatibilities in advance of any requirement to address them.

The following specific distributions, and any others not covered above, are neither tested nor supported:

  • Any non-LTS “feature” release of Java (Java 9, Java 10, Java 12 through 16, Java 18 through 20, etc.)

  • Any distribution of the Java JRE (as opposed to the JDK)

When not specified:

  • Reference to a specific version of a Java distribution should be taken to refer to the most recent generally available release. For example, a reference to Java 11 at the time of writing refers to 11.0.23; previous versions (11, 11.0.1, …, 11.0.22) are not tested and not supported.

  • Reference to a specific version of an operating system should be taken to refer to the most recent generally available release.

  • Reference to a generic operating system ("Linux", "Windows") should be taken to mean that we will test under a specific version of the operating system (currently Rocky 9 for Linux, Windows Server 2016 or 2022 for Windows) but believe that such testing will be representative of similar systems as long as they are reasonably recent. "Linux", for example, would cover any reasonably recent operating system distribution incorporating a Linux kernel, but not FreeBSD.

  • Only 64-bit variants of the JDK are covered.

  • Only 64-bit Intel architecture variants (amd64, also known as x86_64) of operating systems are covered.

Note: information about Java distributions supported by Historic Product Platforms can be found in Java Distributions for Historic Product Platforms.

Java Distributions for the Java 17 Platform

The Java 17 Platform is used by:

  • Identity Provider v5.x

  • OpenSAML v5.x

  • Metadata Aggregator v0.10

The primary distribution for this platform is Amazon Corretto 17 for Linux.

The following distributions are fully supported:

  • Amazon Corretto 17 for Linux

  • Amazon Corretto 17 for Windows

  • Amazon Corretto 21 for Linux

  • Amazon Corretto 21 for Windows

  • Red Hat’s OpenJDK 17 for Linux as supplied under Red Hat Enterprise Linux 8 or Rocky Linux 8

  • Red Hat’s OpenJDK 17 for Linux as supplied under Red Hat Enterprise Linux 9 or Rocky Linux 9

  • Red Hat’s OpenJDK 21 for Linux as supplied under Red Hat Enterprise Linux 9 or Rocky Linux 9

The following distributions are partially supported:

  • Debian’s OpenJDK 17 as supplied under Debian 11 “bullseye”

  • Debian’s OpenJDK 17 as supplied under Debian 12 “bookworm”

We will also test the following, although they are not supported:

Java Distributions for the Java 11 Platform

The Java 11 Platform is used by:

  • Identity Provider v4.x

  • OpenSAML v4.x

  • Java XML Security Tool v3.x

The primary distribution for this platform is Amazon Corretto 11 for Linux.

The following distributions are fully supported:

  • Amazon Corretto 11 for Linux

  • Amazon Corretto 11 for Windows

  • Amazon Corretto 17 for Linux

  • Amazon Corretto 17 for Windows

  • Red Hat's OpenJDK 11 for Linux as supplied under Red Hat Enterprise Linux 8 or Rocky Linux 8

  • Red Hat’s OpenJDK 17 for Linux as supplied under Red Hat Enterprise Linux 8 or Rocky Linux 8

The following distributions are partially supported:

  • Debian’s OpenJDK 11 as supplied under Debian 11 “bullseye”

  • Debian’s OpenJDK 17 as supplied under Debian 11 “bullseye”

  • Debian’s OpenJDK 17 as supplied under Debian 12 “bookworm”

We will also test the following, although they are not supported:

Rationale by Distribution

This section discusses each distribution so as to give a brief rationale for its level of support.

Oracle JDK

We have historically recommended the use of Oracle's "standard" JDK on all platforms. Prior to Java 8, one reason for this was that some deployers have had problems with the OpenJDK implementations shipped by various vendors, including memory leaks.

Since that time, however, two important changes mean that we no longer take this position:

  • Licensing changes mean that although Oracle's JDK releases are still available for free use by developers, they are no longer in general free for production use. The exact situation varies depending on Java version, and on the length of time since each version was released. Consult Oracle’s documentation for details about the free Java license and other related matters.

  • The Oracle JDK and OpenJDK code bases have come much closer together, such that we no longer anticipate large functional differences between the two.

As a result, we no longer anticipate that the majority of our deployers will go to production using Oracle's product, and it therefore makes less sense for us to regard it as the "canonical" version of Java in production. At least for our customers, that is now more likely to be some flavour of OpenJDK.

Oracle’s support roadmap can be found at Oracle Java SE Support Roadmap. A matrix documenting past and intended future releases of Oracle’s JDK is also available at https://www.java.com/releases/matrix/.

Oracle OpenJDK

Oracle produces OpenJDK builds through the early development phases of each new version of Java. As these provide the best available advance indication of the contents of the new version, we test these builds as part of our long term support of the evolution of Java, but we do not support these builds for production use.

Note that Oracle OpenJDK builds exist only from the early access stage of a new release until around six months after general availability. After this time, Oracle ceases OpenJDK builds and the previous ones are no longer available.

Amazon Corretto

Amazon Corretto provides builds of OpenJDK 11, 17 and 21 for our two most important deployment platforms (Linux and Windows) in both "real installer" and "tarball" packages. This makes it a good distribution for us to recommend to our deployers. In addition, they provide similar builds for macOS, which is important to several of us as developers.

The Corretto documentation provides information about the specific patches applied by Amazon to the upstream generic OpenJDK release, which provides a reassuring level of transparency.

There is no cost to use Amazon Corretto in production. It is used internally by Amazon for its own services.

We have selected Corretto as the current best all-round Java distribution for our own use, and for our deployers.

Amazon’s support lifecycle for Corretto can be found at Amazon Corretto FAQs:

  • Corretto 11 end of life is October 2027.

  • Corretto 17 end of life is October 2028.

  • Corretto 21 end of life is October 2030.

Red Hat OpenJDK

Red Hat have a critical role in the JDK updates projects for Java 11, 17 and 21. They provide only two OpenJDK builds themselves, however: for Red Hat Enterprise Linux, and for Windows.

We anticipate that Red Hat's "vendor" OpenJDK distribution for their own Red Hat Enterprise Linux will be used by many of our deployers simply because of the convenience factor. We therefore support the use of Red Hat's OpenJDK distributions in this context.

We do not support Red Hat's OpenJDK releases for Windows at this time, and we do not test against them.

Red Hat’s policies around OpenJDK support are described at OpenJDK Life Cycle and Support Policy - Red Hat Customer Portal:

  • OpenJDK 11 is supported by Red Hat on supported underlying RHEL distributions (currently, RHEL 8.0+) until October 2024.

  • OpenJDK 17 is supported by Red Hat on supported underlying RHEL distributions (currently, RHEL 8.5+ and RHEL 9.0+) until October 2027.

  • OpenJDK 21 is supported by Red Hat on supported underlying RHEL distributions (currently, RHEL 8.9+ and RHEL 9.3+) until December 2029.

Red Hat Enterprise Linux “Rebuilds”

There are several Linux distributions available which purport to be direct “bug for bug” rebuilds of versions of Red Hat Enterprise Linux. In general, these behave identically to the upstream RHEL release but we have on occasion noted differences between them, in particular in the timing of availability of a particular OpenJDK release to each distribution. This means that, given the variety available, we are unable to fully support all RHEL rebuild distributions. We do fully support one specific rebuild distribution counterpart for each supported RHEL release:

  • As a counterpart to RHEL 8, we fully support Rocky Linux 8.

  • As a counterpart to RHEL 9, we fully support Rocky Linux 9.

Debian OpenJDK

See DebianReleases - Debian Wiki

Debian 10 “Buster” and earlier are not supported.

Debian 11 (Bullseye)

Debian 11, also known as Bullseye, the “oldstable” release at 2023-06-16, ships a vendor-supplied OpenJDK 11 as its primary Java distribution and OpenJDK 17 as a secondary, additional feature.

  • The OpenJDK 11 distribution is partially supported for the Java 11 platform and IdP v4.

  • The OpenJDK 17 distribution is partially supported for the Java 11 platform and IdP v4, and for the Java 17 platform and IdP v5.

Debian 11’s long-term support ends on 2026-06-30; see LTS - Debian Wiki.

Debian 12 (Bookworm)

Debian 12, also known as Bookworm, is the “stable” release at 2023-06-16. It ships a vendor-supplied OpenJDK 17.

  • The OpenJDK 17 distribution is partially supported for the Java 11 platform and IdP v4, and for the Java 17 platform and IdP v5.

Debian 12’s long-term support ends on 2028-06-30; see LTS - Debian Wiki.

Ubuntu OpenJDK

Although the vendor-supplied version of OpenJDK shipped by Ubuntu Linux is closely related to that supplied by Debian, we do not support any version of it. If your deployment platform is Ubuntu, we support but do not test Amazon Corretto on this platform.

If your deployment requires using the vendor-supplied OpenJDK on Ubuntu Linux, note that only certain versions garner full security support from Ubuntu by virtue of being part of the “main” repository. The same level of support for alternative versions installed from the “universe” repository may require an Ubuntu Pro subscription. The following table may be helpful in understanding the level of support provided for different versions of Java across current Ubuntu versions:

Release      Codename          OpenJDK 8   OpenJDK 11   OpenJDK 17   OpenJDK 21
18.04 LTS    Bionic Beaver     universe    main         universe     n/a
20.04 LTS    Focal Fossa       universe    main         universe     universe
22.04 LTS    Jammy Jellyfish   universe    main         universe     universe
24.04 LTS    Noble Numbat      universe    universe     main         main

Adoptium (formerly AdoptOpenJDK)

Adoptium provides automated OpenJDK builds for a wide variety of target architectures and operating systems, and with a choice of JVMs (HotSpot or OpenJ9).

We think Adoptium is a good (and sometimes the only) source of OpenJDK for niche environments, but we do not currently support or test Adoptium builds.

GraalVM

GraalVM is an emerging alternative Java VM which shows promise particularly for mixed-language environments. It is available in editions based either on Java 11 or on Java 17 (or on Java 8, for commercial “Enterprise” licensees).

Note that GraalVM includes a different JavaScript engine than was shipped with Java 8 or Java 11.

We do not test against GraalVM, and we do not support it for production use.