diff --git a/docs/modules/ROOT/pages/capacity-planning.adoc b/docs/modules/ROOT/pages/capacity-planning.adoc index d193edbb8..b388d97cb 100644 --- a/docs/modules/ROOT/pages/capacity-planning.adoc +++ b/docs/modules/ROOT/pages/capacity-planning.adoc @@ -595,11 +595,8 @@ of your Hazelcast data pipeline. === Upgrade Your JDK -If you are still on JDK 8, seriously consider upgrading. We found that -none of its garbage collectors are a match for the offerings of JDK 11, -which is the current version with Oracle's Long-Term Support (LTS). The -JVM has been undergoing a phase of rapid development lately, which means -you can expect numerous improvements with each JDK version. +Hazelcast no longer supports JDK 8 starting with the Platform 5.3 release, so if you are still on JDK 8, please upgrade it. +The garbage collectors of JDK 11+ have been improved to achieve much higher throughputs. === The G1 Collector is Great for Most Workloads diff --git a/docs/modules/ROOT/pages/production-checklist.adoc b/docs/modules/ROOT/pages/production-checklist.adoc index eb7bd11c5..b5126b8cb 100644 --- a/docs/modules/ROOT/pages/production-checklist.adoc +++ b/docs/modules/ROOT/pages/production-checklist.adoc 
@@ -70,19 +70,11 @@ General recommendations: * GC logs should be enabled * Minimum and maximum heap size should be equal -For Java 9+: +For Java 11+: * G1GC is the default recommended GC policy * No tuning is recommended unless needed -For Java 8: - -* Recommended GC policies are CMS and ParNewGC: -** `-XX:CMSInitiatingOccupancyFraction=65` -** `-XX:+UseParNewGC` -** `-XX:+UseConcMarkSweepGC` -* For large heaps G1GC is recommended as above - == Data Size Calculation Recommendations Total data size should be calculated based on the combination of primary data and backup data. For example, if you have configured your cluster with a backup count of 2, then total memory consumed is actually 3x larger than the primary data size (primary + backup + backup). Partition sizes of 50MB or less are recommended. diff --git a/docs/modules/cluster-performance/pages/performance-tuning.adoc b/docs/modules/cluster-performance/pages/performance-tuning.adoc index f05668fe2..23b2d6941 100644 --- a/docs/modules/cluster-performance/pages/performance-tuning.adoc +++ b/docs/modules/cluster-performance/pages/performance-tuning.adoc @@ -132,24 +132,10 @@ We xref:ROOT:production-checklist.adoc#jvm-recommendations[recommend] enabling GC logs to allow troubleshooting if performance problems occur. To enable GC logging, use the following JVM arguments: -*Java 8* -``` --verbose:gc --Xloggc:gc.log --XX:NumberOfGCLogFiles=10 --XX:GCLogFileSize=10M --XX:+UseGCLogFileRotation --XX:+PrintGCDetails --XX:+PrintGCDateStamps --XX:+PrintTenuringDistribution --XX:+PrintGCApplicationConcurrentTime --XX:+PrintGCApplicationStoppedTime -``` - -*Java 9 (and above)* +*Java 11+* ``` --Xlog:safepoint,gc+age=debug,gc*=debug:file=gc.log:uptime,level,tags:filesize=10m,filecount=10 +-Xlog:gc=debug:file=/tmp/gc.log:time,uptime,level,tags:filesize=100m,filecount=10 ``` === Azul Zing® and Zulu® Support 
diff --git a/docs/modules/deploy/pages/versioning-compatibility.adoc b/docs/modules/deploy/pages/versioning-compatibility.adoc index 5cc8e82fc..3d8023165 100644 --- a/docs/modules/deploy/pages/versioning-compatibility.adoc +++ b/docs/modules/deploy/pages/versioning-compatibility.adoc @@ -141,28 +141,22 @@ Hazelcast Platform has been tested against the following JVMs. It may run on oth |Amazon Corretto 11 |✓ -|Azul Prime (formerly Zing) 17 -|✓ - -|Azul Prime (formerly Zing) 11 -|✓ - |Azul Core (formerly Zulu) 17 |✓ |Azul Core (formerly Zulu) 11 |✓ -|IBM Semeru Runtime 17 +|Azul Zing 17 |✓ -|IBM Semeru Runtime 11 +|Azul Zing 11 |✓ -|Oracle JDK 17 +|Oracle 17 |✓ -|Oracle JDK 11 +|Oracle 11 |✓ |Red Hat build of OpenJDK 17 @@ -171,15 +165,23 @@ Hazelcast Platform has been tested against the following JVMs. It may run on oth |Red Hat build of OpenJDK 11 |✓ +|Microsoft Build of OpenJDK 17 +|✓ + |Microsoft Build of OpenJDK 11 |✓ -|Microsoft Build of OpenJDK 17 +|IBM Semeru Runtime (OpenJ9) 17 +|✓ + +|IBM Semeru Runtime (OpenJ9) 11 |✓ |=== // end::supported-jvms[] +WARNING: Hazelcast no longer supports JDK 8 as runtime for Hazelcast 5.3.x and later releases. + == Compatibility Guarantees === Cluster Members diff --git a/docs/modules/getting-started/pages/get-started-binary.adoc b/docs/modules/getting-started/pages/get-started-binary.adoc index 97b5937b1..977caf528 100644 --- a/docs/modules/getting-started/pages/get-started-binary.adoc +++ b/docs/modules/getting-started/pages/get-started-binary.adoc @@ -11,7 +11,7 @@ To complete this tutorial, you need the following: |=== |Prerequisites|Useful resources -|JDK 8+ +|JDK 11+ | xref:deploy:supported-jvms.adoc[Supported Java Virtual Machines] diff --git a/docs/modules/getting-started/pages/get-started-java.adoc b/docs/modules/getting-started/pages/get-started-java.adoc index 03dce4b2d..fadb8868a 100644 --- a/docs/modules/getting-started/pages/get-started-java.adoc +++ b/docs/modules/getting-started/pages/get-started-java.adoc 
@@ -11,7 +11,7 @@ To complete this tutorial, you need the following: |=== |Prerequisites|Useful resources -|JDK 8+ +|JDK 11+ | xref:deploy:supported-jvms.adoc[Supported Java Virtual Machines] diff --git a/docs/modules/pipelines/pages/stream-processing-client.adoc b/docs/modules/pipelines/pages/stream-processing-client.adoc index ce85b643f..5df822abd 100644 --- a/docs/modules/pipelines/pages/stream-processing-client.adoc +++ b/docs/modules/pipelines/pages/stream-processing-client.adoc @@ -14,7 +14,7 @@ To complete this tutorial, you need the following: |A full Hazelcast distribution (Docker or Binary) |xref:getting-started:install-hazelcast.adoc[Install Hazelcast] -|JDK 8 - 11 +|JDK 11+ | xref:deploy:supported-jvms.adoc[Supported Java Virtual Machines] diff --git a/docs/modules/security/pages/fips-140-2.adoc b/docs/modules/security/pages/fips-140-2.adoc index c8bf49127..e3f2587b1 100644 --- a/docs/modules/security/pages/fips-140-2.adoc +++ b/docs/modules/security/pages/fips-140-2.adoc 
@@ -9,12 +9,12 @@ used by the US government agencies. The NIST manages a list of FIPS certified cryptographic modules. These modules are certified under the Cryptographic Module Validation Program. The list can -be searched online https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search[here^]. +be searched online at the https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search[NIST website^]. -Hazelcast uses external modules for cryptographic tasks and it can be configured +Hazelcast uses external modules for cryptographic tasks, and it can be configured to use a FIPS 140-2 validated module. It means most of the configuration required for FIPS is outside of the Hazelcast configuration. To run -Hazelcast in the FIPS compliant mode you have to set the underlying Java +Hazelcast in the FIPS compliant mode, you have to set the underlying Java runtime into FIPS mode. It may also require switching the underlying Operating System into the FIPS mode. We consider using a FIPS enabled OS as a recommended approach even in cases when it's not asked for explicitly. 
@@ -24,15 +24,15 @@ runtimes into the FIPS mode. Please consult the documentation of your Java version to learn how to enable the FIPS mode. Usually it means changing the list of security providers in the `java.security` JRE configuration file. -Hazelcast is only responsible for enabling the OpenSSL native library into +Hazelcast is only responsible for enabling the OpenSSL native library into the FIPS mode (see the xref:security:integrating-openssl.adoc[Integrating OpenSSL section]). If the Hazelcast cluster configuration enables TLS communication using the native OpenSSL library, you have to enable its FIPS mode in the Hazelcast `OpenSSLEngineFactory` configuration. -The FIPS mode is controlled by an optional `true`/`false` property called -`fipsMode`. It is disabled by default. +The FIPS mode is controlled by an optional boolean property called +`fipsMode`. It is disabled by default (`false`). -**Example OpenSSL configuration in the FIPS mode:** +The following is an example OpenSSL configuration in the FIPS mode. [tabs] ==== @@ -85,11 +85,11 @@ either set to the FIPS mode or an exception is thrown, e.g., in the cases when OpenSSL is compiled without the FIPS support. If there are more Hazelcast instances (members or clients) with TLS enabled -employing the OpenSSL, then all them must have the `fipsMode` property +employing the OpenSSL, then all of them must have the `fipsMode` property configured in the same way, either enabled or disabled. When the FIPS mode is successfully enabled, you will see the following -`INFO` level message in the log files: +`INFO` level message in the log files. ``` OpenSSL is enabled in FIPS mode. 
@@ -101,70 +101,9 @@ NOTE: BoringSSL libraries don't support the FIPS mode. The FIPS environment configuration steps depend on the used operating system and Java version. You should consult with their documentation for the specific configurations. +The following are links to such configuration for various environments. -We will describe a sample configuration which uses Red Hat Enterprise Linux -(RHEL) version 7 and IBM Java SDK 8. If you find any difference between the -sample configuration described here and the documentation of the OS and Java -vendors, use the vendor's up-to-date instructions instead. - -**Switching RHEL 7 into the FIPS mode** - -The steps on how to configure RHEL 7 in FIPS 140-2 mode are described in the -https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations[Security guide^] on the Red Hat customer portal. - -Perform the following steps for the already installed systems: - -. Install the `dracut-fips` package using the YUM package manager. -. Run the `dracut` command to regenerate the `initramfs` file. -. Add the `fips=1` option to the kernel command line of the boot loader. -. Disable prelinking (if it was enabled before. -. Reboot the system. - -After finishing these steps, check if the FIPS mode is enabled by running -the following command: - -[source,bash,options="nowrap"] ----- -# Following command should print "crypto.fips_enabled = 1" (value 1 means the FIPS mode is enabled) -sysctl crypto.fips_enabled ----- - -To automate the FIPS mode enablement on RHEL 7, you can check the script -which is shared in the https://access.redhat.com/discussions/3487481[Red Hat discussion forum^]. - -**Switching IBM Java SDK into the FIPS mode** - -IBM Java 8 provides the FIPS mode itself without any third party -dependencies. 
- -Details on how to enable the FIPS 140-2 validated configuration can be -found in the https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/security-overview.html[Security guide^] in the Java 8 documentation. - -First, it's necessary to edit the `jre/lib/security/java.security` file and -do the following changes: - -* Put `IBMJCEFIPS` as the first security provider. It will be the first provider -to be selected when a JCA API call is made without specifying an explicit security provider. -+ -[source,shell] ----- -security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS ----- -+ -And re-number the original set of security providers by increasing the priority -of provider by one, i.e., the old `security.provider.1` becomes `security.provider.2` and so on. -* Add the new security properties (related to handling TLS protected communication): -+ -[source,shell] ----- -ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl -ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl ----- -+ -The Security provider covering the TLS implementation in IBM Java is `IBMJSSE2`. -To instruct this provider about using the FIPS validated security primitives -(from `IBMJCEFIPS`), use additional system properties. -+ -``` --Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEFIPS -``` \ No newline at end of file +* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening[Red Hat Enterprise Linux] +* https://access.redhat.com/documentation/en-us/openjdk/11/html-single/configuring_openjdk_11_on_rhel_with_fips/index[OpenJDK on Red Hat Enterprise Linux] +* https://ubuntu.com/security/certifications/docs/fips-enablement[Ubuntu] +* https://www.ibm.com/support/pages/fips-certified-cryptography-ibm-semeru-runtimes[IBM Semeru Runtimes]
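Review bot: In the `capacity-planning.adoc` hunk ("Upgrade Your JDK"), the new support statement is worded differently from the WARNING this same patch adds to `versioning-compatibility.adoc` ("starting with the Platform 5.3 release" here, "5.3.x and later releases" there). Use one wording in both places, or replace the sentence here with an xref to the supported-JVMs table so the cut-off is stated once. "The garbage collectors of JDK 11+ have been improved to achieve much higher throughputs" also has no baseline; "compared with JDK 8" would make the comparison explicit, and "please upgrade it" reads better as "upgrade to JDK 11 or later".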
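Review bot: In the `performance-tuning.adoc` hunk, the replacement `-Xlog` line narrows the selector from `safepoint,gc+age=debug,gc*=debug` to `gc=debug`, which matches only messages tagged exactly `gc`. The safepoint and tenuring-age output that the old Java 9 line produced (and that the removed Java 8 flags `-XX:+PrintGCApplicationStoppedTime` and `-XX:+PrintTenuringDistribution` covered) is no longer logged, which undercuts the stated purpose of troubleshooting performance problems. If the reduction is intended, say so in the text; otherwise keep `gc*=debug` and `safepoint`. The output path also changes from the relative `gc.log` to `/tmp/gc.log`: `/tmp` is normally a shared, world-writable directory, so a production recommendation should point at a log directory owned by the account that runs the member. Finally, `filesize` goes from `10m` to `100m` with `filecount=10` unchanged, a tenfold increase in disk use that the page does not mention.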
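Review bot: In the `versioning-compatibility.adoc` hunks, the vendor names are now inconsistent within one table: "Azul Prime (formerly Zing)" is renamed back to "Azul Zing" while "Azul Core (formerly Zulu)" keeps the current product name, and "Oracle JDK 17" / "Oracle JDK 11" lose the product name and become "Oracle 17" / "Oracle 11". Pick one convention (current vendor name plus product) for every row. The Microsoft rows are reordered to list 17 before 11, matching the other vendors, which is fine. In the added WARNING, "as runtime" should be "as a runtime", and placing it after the `// end::supported-jvms[]` tag means pages that include the table by tag will not show the warning; move it inside the tagged region if the warning should travel with the table.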
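Review bot: In the `stream-processing-client.adoc` hunk, the prerequisite changes from the bounded range "JDK 8 - 11" to the open-ended "JDK 11+". Dropping JDK 8 follows from the rest of the patch, but removing the upper bound is a separate claim: the old text implied the tutorial was not expected to work past JDK 11. Confirm the tutorial has been run on JDK 17 before publishing "11+", or state the tested versions explicitly. The two `get-started-*.adoc` hunks ("JDK 8+" to "JDK 11+") do not have this problem because the original was already open-ended.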
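Review bot: In the last `fips-140-2.adoc` hunk (`@@ -101,70 +101,9`), the removal of the RHEL 7 / IBM Java 8 sample also deletes the only verification step on the page, the `sysctl crypto.fips_enabled` check with its expected output `crypto.fips_enabled = 1`. The page still recommends a FIPS-enabled OS, so keep a short, vendor-neutral "verify that FIPS mode is active" paragraph or point to the verification section of each linked guide. The Red Hat link targets the RHEL 8 "installing a system with FIPS mode enabled" chapter, whereas the removed text covered switching an already installed system; say which case the link covers or link the chapter for existing systems as well. The four new links omit the `^` suffix that the NIST link earlier in this file uses (`[NIST website^]`), so they will open in the same tab, unlike the other external links on the page. "The following are links to such configuration" would read better as "The following links describe this configuration for common environments:".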