Using ZCM to Migrate from Oracle JRE to Open JRE

Using ZCM to Migrate from Oracle JRE to Open JRE

Oracle made significant changes to their Oracle SE licensing for all releases starting on April 16th 2019, requiring the purchase of a license for most non-personal or development work.  As a  result, businesses may no longer be legally allowed to patch existing or deploy new Oracle JRE to their managed devices.

See - https://www.java.com/en/download/win10.jsp  (Contains details of the licensing change as of the date this article was originally written.)

As a  result of this change, many businesses and software packages are migrating to OpenJRE and OpenJDK.  ZCM was updated to replace Oracle Java with Open Java for both Server and Client functionality.

(Note: ZCM itself moved to OpenJRE with ZCM 17 Update 4 for it's use both on servers and managed agents.  This article is to assist those who require JRE for other purposes.)

This change could also potentially create software compliance issues as older versions that did not require a license for businesses are automatically upgraded to versions that may require a license or users unknowingly download and install the latest Oracle JRE without reading the new license.

  1. How Do I ensure I do not remove Oracle JRE from Specific Devices?
  2. How Do I Remove Oracle JRE from all other devices?
  3. How Do I ensure I do not remove Specific Older Versions of Oracle JRE that are still required?
  4. How Do I disable the AutoUpdate Utility for older Versions of Oracle JRE?
  5. What is OpenJRE?
  6.  Are there major differences between OpenJRE and Oracle JRE?
  7. How can I deploy OpenJRE?
  8. What is the current role of ZPM for patching Oracle and OpenJRE?
  9. How can I safely continue to use older Oracle JRE releases that lack the most current security fixes in the latest versions which require a license?.

Removing and Modifying your Oracle JRE Deployment

I have created a ZCM bundle that will help handle the first four items on the list above.  Those four items will be covered in the order listed above.

The bundle has a SYSTEM REQUIREMENT that requires the "AllowOracleJRE" registry key to "Not Equal" one.   This key will not normally exist on a device.  For any devices that you wish to alter any existing deployment or Oracle JRE, set the listed key to the listed value or tweak the requirement as desired.  Perhaps to check for the existence of certain software.  The setting used to prevent this bundle from running could optionally be set via a separate Oracle JRE install bundle so that if you assign and deploy Oracle JRE to a specific set of devices, that will ensure this bundle does not undo that deployment.

The bundle itself contains two separate actions.

Action#1 - Run Script Action: (Remove Existing Oracle Java) 

This is a simple Powershell script that will generate and then clean up the following script on the fly:

gwmi Win32_Product -filter "name like 'java%' AND vendor like 'oracle%' AND not Version Like '99.99.99*'" | % {$_.Uninstall()}

This script will make a WMI call to list all installed software product from the vendor "Oracle" with "Java" in their name.  The list will exclude any software product that is "like" "99.99.99".  The version value is simply a placeholder that can be updated if there is a specific version of Oracle Java that should be retained for business reasons.  Even if multiple versions of Oracle Java are installed, the script will detect and silently remove them all.  

Note: If the Oracle Java Software is simply copied to the PC and not actually "Installed" using an installer, this script would not detect it.  Nor would it detect if the Oracle JRE was embedded in another product in most cases.

Action#2 - This is a "Registry Edit Action" that deletes that removes "JUSCHED.exe" from both the 32-bit and 64-bit "Run" registry keys.  This will minimize the occurrences where Java will prompt the user to perform an update.

OpenJRE - What it is, is not, and how to deploy it.

The following three Wiki articles cover some important topics.  I would recommend reading and trying to understand these three articles as well as reading some of the references contained in the articles.  

This article does not attempt to cover every possible detail about the differences between Oracle JRE and OpenJRe but one of the biggest differences between Oracle JRE and OpenJRE is browser integration.

The "Java Applet" and "Java Web Start"  technologies above have been deprecated by Oracle and most major browsers.  The later was not released as part of OpenJRe, but there is an open-source implementation of it called "IcedTea-Web".  OracleJRE plugins are not supported by current versions of Chrome, Firefox, or Edge.  Internet Explorer is the last major browser to support this type of plugins.  Oracle is also dropping support entirely going forward for these plugins.  Due to the fact support for these plugins is being dropped by all major browsers and Oracle itself, IcedTea-Web does not plan to create similar plugins.

Deploying OpenJRE 

The first step to deploying OpenJRE is selecting the distribution.  There are many to choose from with some details in the following two articles.

ZCM has selected to use AZUL as it's source for OpenJDK that is used by the ZCM Servers, Agents and ZCC Helper requirements.  (ZCM's embedded use of AZUL OpenJDK should not impact the choice of OpenJDK to be installed on a device for general use.)

As an example for deploying OpenJRE, this article will use AdoptOpenJDK.  The reason for this is that it is the only distribution that includes IcedTea-Web, which may be an important component for managed devices to facilitate the delivery of Web-Based java applications.  Other distributions would require the downloading, installation, and configuration separately.  The AdoptOpenJDK installer also optionally sets the "JAVA_HOME"  variable upon install.  Changes to the Windows path are also reflected immediately upon install, which required a logoff or reboot with AZUL.

This article is not intended to influence the final choice of which distribution to use.  The topic of which distribution is ultimately correct for any organization is beyond the scope of this article.  As a result the sample bundle and instructions for deploying AdoptOpenJDK may need to be tweaked depending on the distribution selected.

I've created a "Deploy OpenJRE"  bundle that does the following:

  • Installs AdoptOpenJDK and IcedTea-Web using a single MSI
  • Installs GAWOR LDAP Browser to be used to verify Java functionality
  • Launches GAWOR LDAP Browser 
  • Launches a sample Oracle JNLP "Web Start" application to verify IcedTea-web functionality.

The sample application does not include the OpenJRE installer.  This can be downloaded from here: https://adoptopenjdk.net/releases.html#x64_win.  The bundle would need to be updated to either point to the installer on a share or have the bundle download the install to the PC from the Content-Repository.

The AdoptOpenJRE MSI in the sample bundle is passed the "InstallLevel=3" parameter, which instructs it to install all available options.

For more details see: https://adoptopenjdk.net/installation.html

 

What is ZENworks Patch Management's role in patching Oracle JRE and OpenJRE

ZPM provides Oracle JRE8 updates through those released in January 2019, which is the last available public patch for Oracle JRE.  It is possible support for one or more specific OpenJRE releases may be added to the list of products ZPM patches, this is not currently the case.  ZPM is also considering the ability in future versions for customers to provide their Oracle Licenses to facilitate obtained licensed patches from Oracle.  However, it is possible to build custom patch bundles and deploy either OpenJRE or Oracle JRE via ZPM in that manner.

Micro Focus Desktop Containers is one option to allow for the safe use of unpatched Java versions.  I plan to release another article that includes Video Links that demonstrate how virtualization of an application can help thwart MALWARE as well as demonstrate a virtual browser with Java Plugins.

 

!! IMPORTANT Reminder !!

"Tips and Tricks" are not Officially Supported by Micro Focus.  Always make sure to read, understand, and test in your own environment.  Items discussed in this article could have a significant impact.  Test everything in your environment

To find other articles by Craig Wilson simply follow the link below:

https://community.microfocus.com/t5/tkb/usercontributedarticlespage/user-id/191566

👍 If you find this article useful, please be sure to give it a like at the bottom of the page! 👍

Labels (1)
Attachments

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
21 of 21
Last update:
‎2020-02-25 21:04
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.