Big Data Service OS patch for JDK 1.8.0_381 and JDK 11-0-20 now available

  • Services: Big Data
  • Release Date: March 08, 2024

Big Data Service released this JDK patch as part of an Operating System (OS) patch. If you have clusters created with Big Data Service 3.0.23 or earlier, we recommend you install this patch, as it's a prerequisite for all forthcoming Big Data Service upgrades. Big Data Service releases new/updated features each month, and with this patch, you receive the feature updates.

  • Clusters created with Big Data Service 3.0.23 or earlier include JDK 1.8.0_331 to run all ODH components, except Trino, which uses JDK 11.
  • We're releasing an Operating System (OS) patch for existing Big Data Service to upgrade from JDK 1.8 to JDK 1.8.0_381 and from JDK 11 to JDK 11.0.20.
  • To view Oracle JDK Release Notes, see JDK 1.8.0_381 and JDK 11-0-20.

Eligibility criteria: Your cluster is eligible for this OS patch only if your Big Data Service cluster is updated to Big Data Service 3.0.23.4.

Things to consider before proceeding with the upgrade:

  • This patch updates the default Java path. If you explicitly use a full Java path in your application, be sure it's updated. JDK 1.8.0_381 is installed under /usr/lib/jvm/jdk-1.8-oracle-x64 on all nodes, and JDK 11 is installed under /usr/lib/jvm/jdk-11-oracle-x64.
  • JDK 8u351+ deprecated 3DES and RC4 in Kerberos. The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default (Ref: 8u351 release notes)
  • This patch updates the default encryption types used in Kerberos in Big Data Service secure and HA clusters and they are updated to include only aes128-cts and aes256-cts. Your Java applications might need to be restarted after JDK has been upgraded.
  • If you use external KDC with Active Directory integration, be sure the deprecated encryption algorithms discussed above aren't used. To verify and use supported algorithms in the Active Directory, AD Encryption Algorithms Update Support Document.
  • For clusters integrated with external KDC, ensure the KDC admin credential is saved in Ambari. To confirm this, go to Ambari UI -> Kerberos -> Manage KDC Credentials, and then enter the admin principal and password combination.
  • Ensure cluster services are healthy with no service pending restart because of stale config.

Impact: We recommend a maintenance window of at least one hour because there's downtime during installation.