Security policy for Java-based products


General 

OpenLM has developed Java-based software since its foundation, because the Java platform gave us multi-platform capabilities and a large selection of libraries to build on.

Because multiple versions of the Java runtime exist, relying on whichever version happens to be installed on the server machine proved problematic. Most software vendors, OpenLM included, therefore distribute a copy of Java with their software to ensure stability.

We decided to let the customer choose: when installing a Java-based application, the user can either point it at a Java installation of their own or install the one we distribute.

When the customer chooses the Java runtime bundled with the application, OpenLM and the customer need to patch that runtime with security releases as they become available.

When the Java runtime is installed on the operating system by the customer, the customer's system team will typically keep it updated.

Our Java infrastructure

OpenLM uses OpenJDK 11, an LTS release. Newer versions exist, but at this stage we see no benefit in upgrading. We typically do not distribute the whole JDK; we include only the components that are actually needed.

Some of our products are still distributed with Oracle Java 8 for backward-compatibility reasons. We intend to switch these to AdoptOpenJDK 8 as soon as possible so that we continue to receive security updates for this old version.

Our Java upgrade policy

Until recently, our policy was to distribute Java updates only with new versions of our software. This proved problematic, since some customers keep the same release of the Broker for years. We have therefore set a new policy:

OpenLM monitors OpenJDK for new security releases. When one becomes available, we test our applications against it and publish a new "infrastructure security release" of each affected application. We may take the opportunity to include other security fixes requested by customers; these are described in detail in the release notes.

Customers who use their own Java installation can usually ignore these security releases. Customers who installed our Java runtime need to upgrade their Java-based applications at their earliest convenience.

Which applications are affected

The following OpenLM applications use the Java runtime:

OpenLM Broker

OpenLM Application Manager

OpenLM Scheduler

OpenLM Router

Reporting HUB 

ServiceNow integration 

DB Migration 


Note that OpenLM distributes Java only with the Windows installers of these applications. On other platforms the installer requires a Java runtime to be present already, and the customer is responsible for maintaining it.
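To know whether a given Windows server falls under "customers who installed our Java runtime" or "customers who use their own Java installation", you need to know which java.exe binaries are present and what version each one reports. The PowerShell inventory below is an added example, not OpenLM's code and not part of the original page: it searches a set of directories for java.exe, parses the `java -version` banner (which Java writes to stderr), normalises old-style "1.8.0_xxx" strings so they compare correctly, and flags runtimes older than a minimum you set per major version. The search roots and the minimum versions are assumptions to replace with your own install locations and the current OpenJDK security release for each line you run.

```powershell
# Added example (not OpenLM's code): inventory every java.exe under the given roots,
# read the version each one reports, and flag runtimes below a per-major-version minimum.
# Assumptions: $SearchRoots and $MinimumByMajor are placeholders for your environment.
$SearchRoots = @('C:\Program Files', 'C:\Program Files (x86)')   # assumption: where Java may live
$MinimumByMajor = @{                                               # assumption: current security releases
    8  = [version]'8.0.381'
    11 = [version]'11.0.20'
}

function Get-JavaRuntimeVersion {
    param([string]$JavaExe)
    # 'java -version' writes its banner to stderr; merge it into stdout so it can be parsed.
    $output = & $JavaExe -version 2>&1 | Out-String
    # Banner examples: openjdk version "11.0.20" 2023-07-18   /   java version "1.8.0_381"
    if ($output -match 'version "([^"]+)"') {
        $raw = $Matches[1]
        if ($raw -match '^1\.(\d+)\.(\d+)_(\d+)') {
            # Old scheme: "1.8.0_381" -> 8.0.381 so that [version] comparison works
            $normalised = "$($Matches[1]).$($Matches[2]).$($Matches[3])"
        } else {
            # New scheme: drop build/pre-release suffixes, e.g. "11.0.20+8" -> 11.0.20
            $normalised = ($raw -split '[-+]')[0]
        }
        # [version] needs at least two components ("17" alone would fail to parse)
        if ($normalised -notmatch '\.') { $normalised += '.0' }
        return [pscustomobject]@{
            Path    = $JavaExe
            Raw     = $raw
            Version = [version]$normalised
        }
    }
    return $null
}

$runtimes = foreach ($root in $SearchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Filter java.exe -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { Get-JavaRuntimeVersion -JavaExe $_.FullName }
    }
}

# One line per runtime: status, reported version, path. Runtimes whose major version
# has no entry in $MinimumByMajor are reported as 'unknown' rather than silently passed.
$runtimes | Where-Object { $_ } | ForEach-Object {
    $minimum = $MinimumByMajor[[int]$_.Version.Major]
    $status = if ($null -eq $minimum) { 'unknown' }
              elseif ($_.Version -lt $minimum) { 'OUTDATED' }
              else { 'ok' }
    '{0,-9} {1,-12} {2}' -f $status, $_.Raw, $_.Path
}
```

Run it on each license server and application server; any java.exe marked OUTDATED that sits under an OpenLM application directory is one you would update by installing the corresponding infrastructure security release, while an OUTDATED system-wide Java is the system team's to patch.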

Automatic distribution of upgrades 

Upgrading the Broker is more involved, since it may be installed on many Windows-based license servers. The Broker can be distributed and silently installed or upgraded on all license server machines as explained in our article on silent install/upgrade.
