IBM Support

CDC Replication Engines migrate from Java 8 to Java 17

News


Abstract

In IDR 11.4.0.5-5752, the CDC Replication Engines migrate from Java 8 to Java 17. This migration affects several features, including:
- user exits and custom KCOPs
- secret stores, authentication and endpoint encryption
- starting or modifying CDC Replication Engine instances
- character sets

It is important to follow the upgrade steps. If you run into difficulties, troubleshooting tips follow.

Content

Pre-requisites

IDR 11.4.0.5-5752 CDC Replication Engines include an upgrade of the JVM to IBM Semeru Certified Java 17, which is compatible with the Java SE standard. This includes the runtime JRE as well as the JVM used in the installer.  Before upgrading, make sure to take a full backup as described in Upgrading CDC Replication engines for Linux, UNIX, and Windows.

Java 17 includes modifications to the character encoding and decoding techniques, which might affect the functions of replication systems that rely on specific character sets. Any replication that uses nonstandard character sets must be tested to make sure that it continues to perform properly after the upgrade. The ICU4J jar is changed to the most recent version to guarantee that covered or addressed most the missing character sets. Refer to the character set change section before upgrading to confirm that all essential character set are available, and if not, a migration to a new or compatible character set is planned before upgrading.

Post-upgrade

IDR user exits might be affected by the change. Following the upgrade, recompile the user exits, including external secret store user exits and KCOPs. Recompile user exits that uses earlier Java specific APIs or JNI-related code with the updated API.

Troubleshooting installer errors

Symptom: Error occurs when installing IDR build on AIX
The following error might occur during the installation of IDR build:

failed to open </tmp/install.dir.19923406/AIX/resource/jre/lib/default/libjvm.so> - reason: < 0509-022 Cannot load module /tmp/install.dir.19923406/AIX/resource/jre/lib/default/libjvm.so.
0509-150 Dependent module libc++.a(shr_64.o) could not be loaded.
0509-022 Cannot load module libc++.a(shr_64.o).
0509-026 System error: A file or directory in the path name does not exist.
0509-022 Cannot load module /tmp/install.dir.19923406/AIX/resource/jre/lib/default/libjvm.so.
0509-150 Dependent module /tmp/install.dir.19923406/AIX/resource/jre/lib/default/libjvm.so could not be loaded.
Solution
Run the following command: 
lslpp -l | grep "C++ Runtime"

Make sure that the updated runtime is installed as per the OS version. For more details, see IBM AIX: IBM Semeru Java libc++.a dependency on AIX

Symptom: Installer files setup-*bin, setup*exe are smaller than before
The installer files previous to 11.4.0.5-5752 are approximately 500 MB, and the latest installers are only approximately 400 MB

Solution
No action required. The Java 17 Semeru JRE accounts for the size difference.

Symptom: After upgrading to 11.4.0.5-5752, the installation folder's `jre64/jre/lib/ext` directory no longer exists

Solution
No action required. Java removed the extension mechanism after JDK 8.

Troubleshooting secret stores, authentication and encrypting connections

The secret store IDR uses migrated from JCEKS to PKCS12 for improved security, compatibility with Java 17, and stronger encryption support. On upgrade, the installer automatically migrates the secret store.

Symptom: Unable to find valid certification path
A self-signed CA certificate is removed after the upgrade process
The error that follow is shown when the certificates are not added in the cacerts:
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target

Solution
To add the certificates to cacerts, run the following command:

cd <cdc-installation>/jre64/jre/bin
./keytool -import -alias <alias> -file <absolute path to the location of the certificates including the file name> -keystore <cdc-installation>/jre64/jre/lib/security/cacerts -storepass changeit
alias : name should be unique for each certificate

Note: If you already created a truststore, the steps before this are not needed. You can add the truststore to your encryption profile. For more details, see Managing encryption profiles.
To verify whether the certificates are included in cacerts, run the following command:

keytool -list -v -keystore <cdc-installation>/jre64/jre/lib/security/cacerts -storepass changeit

Symptom: Failed to build the path

If public ca is removed, the error is failed to build the path.
Solution
Before upgrading, make a backup of the installation.
If you face any issues with public CA certificates, run the following commands:

cd <cdc-installation>/jre64/jre/bin
./keytool -import -alias <alias> -file <backup-of-cdc-installation>/jre64/jre/lib/security/cacerts -keystore <cdc-installation>/jre64/jre/lib/security/cacerts -storepass changeit

Symptom: Kerberos authentication fails

Changes related to Kerberos authentication include renaming the parameters in the Jaas configuration file to reflect the new Java 17 options.
Solutions

In the installation folder, the upgrade replaces dmts64.vmargs. If you changed this file by adding 

-Djava.security.auth.login.config=/path/to/your/jaas.conf

then you must re-add it before starting the IDR instance.

Replace the file com.ibm.security.auth.module.Krb5LoginModule with com.sun.security.auth.module.Krb5LoginModule.
Replace the parameter `useDefaultCcache=true` with `useTicketCache=true`.
Replace the parameter `credsType=both` with `isInitiator=true`.
Replace the parameter `useKeytab=""` with `useKeyTab=true` and `keyTab=""`.

In Java 17, the setting in the krb5.conf file specifies the default encryption types used for Kerberos ticket-granting tickets (TGTs). By default, Java 17 disables the older, less secure des3-hmac-sha1 and rc4-hmac encryption types.
 

You may get an error such as:

com.datamirror.ts.util.TsThread.run(TsThread.java:130)|Caused by: org.apache.kafka.common.KafkaException javax.security.auth.login.LoginException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: AES128 CTS mode with HMAC SHA1-96 AES256 CTS mode with HMAC SHA1-96 RC4 with HMAC DES CBC mode with MD5 DES CBC mode with CRC-32 |
You may need to change both the krb5.conf/ini files and the CDC JVM configuration to allow compatible encryption modes to be enabled and used by the JVM and KDC in handling the authentication tickets. 

Review your current KDC server and specific krb5.conf details with respect to the listed key-type / algorithms reported in the authentication failure message. Review documentation for default_tkt_enctypes. If you require weaker encryption methods, then you may need to configure CDC's JVM to allow weak-crypto to load/allow those methods. Discuss with your internal security focals before making changes which could allow weaker crypto methods.

Troubleshooting errors saving or starting CDC Replication Engine for FlexRep instances

Symptom: CDC Replication Engine for FlexRep using YugabyteDB fails to start Solution

Edit the instance and select the JDBC driver postgresql-42.7.2.jar from the lib directory

Symptom: CDC Replication Engine for FlexRep using Snowflake fails to start
The instances fail to save or start. The following error is shown: 
Cannot overwrite tables that were not created by IBM Data Replication. com.datamirror.ts.jdbcagent.message.AgentException Cannot overwrite tables that were not created by IBM Data Replication

Solution
In the instance's conf/dmts64.vmargs file, add --add-opens=java.base/java.nio=ALL-UNNAMED
Save, then edit or restart the instance.

Troubleshooting character sets

Symptom: Then encoding is not a valid IANA name for a character encoding

IBM Data Replication Db2 for z/OS Remote Source encounters an error setting the source columns encoding for the subscription ~'TR02701A'~ _subscription_ and source table ~'TR02701AP0'~ _table_ from ~'TR45712S'~ _schema_.
An error occurs while processing a message for column 'CLOB1'.
The encoding 367 is not a valid IANA name for a character encoding. This value is not supported by IBM Data Replication Db2 for z/OS Remote Source.

Solution
IANA name is US-ASCII. Replace 367 with US-ASCII.

Character set change

Removed Character sets
IBM00924 (also an Oracle charset)
ISO-2022-CN
PTCP154
x-IBM1027
x-IBM1041
x-IBM1043
x-IBM1046S
x-IBM1088
x-IBM1114
x-IBM1115
x-IBM1351
x-IBM1362
x-IBM1363
x-IBM1363C
x-IBM1364
x-IBM1370
x-IBM1380
x-IBM1382
x-IBM1385
x-IBM1390A
x-IBM1399A
x-IBM301
x-IBM33722A
x-IBM33722C
x-IBM420S
x-IBM808
x-IBM835
x-IBM836
x-IBM837
x-IBM859
x-IBM864S
x-IBM897
x-IBM927
x-IBM930A
x-IBM939A
x-IBM947
x-IBM951
x-IBM954C
x-ISO-8859-6S
x-KOI8_RU
x-KSC5601
x-UTF_8J
x-windows-1256S
x-IBM16684
x-IBM16684A
x-IBM29626
x-IBM300A
x-IBM4933
x-MS950-HKSCS-XP
x-mswin-936A
KZ-1048
windows-874
x-COMPOUND_TEXT (now lower case)
x-IBM1047_LF
x-IBM1141_LF
x-IBM1165
x-IBM1377
x-IBM1386
x-IBM924_LF
x-IBM941
IBM274
x-IBM1130
x-IBM1164
x-IBM1379

Moved Character sets
x-IBM856
x-IBM29626C

Added Character sets
x-MS950-HKSCS-XP
cp1363
x-compound-text (was upper case)
x-windows-874


[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSSLAQ","label":"IBM Data Replication"},"ARM Category":[{"code":"a8m0z0000001gSjAAI","label":"CDC"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Product Synonym

CDC
Change Data Capture
CDD
Change Data Delivery
IDR
IBM Data Replication
IIDR
IBM InfoSphere Data Replication

Document Information

More support for:
IBM Data Replication

Component:
CDC

Software version:
All Versions

Document number:
7184594

Modified date:
26 March 2025

UID

ibm17184594

Manage My Notification Subscriptions

Page Feedback