Release 26.2 is the first release of the Lobster Data Platform to support OpenJDK 21, and therefore the release with which you can make the switch. OpenJDK 11 remains supported in 26.2 on a transitional basis; OpenJDK 21 is the recommended runtime. Lobster and many of our customers use this JDK: Adoptium (Eclipse Temurin®), JDK 21 LTS.
What are the changes
The following is a summary of changes introduced with Java 21 or already in effect since Java 17. Note that not all of these changes will be relevant to you and the Lobster Data Platform.
Character encoding
The default encoding is now UTF-8, including on Windows, where Cp1252 was used previously. Applications that read or write files without an explicit encoding may behave differently. Check log files, CSV exports, and database imports in particular.
Fallback option:
-Dfile.encoding=WINDOWS-1252as a JVM parameter
Access to internal APIs
The --illegal-access option no longer exists. Frameworks or libraries that access internal Java APIs will break. You can replicate the previous behavior using targeted --add-opens entries in your startup scripts.
TLS connections
TLS 1.0 and 1.1 are disabled by default. Connections to legacy systems (e.g., legacy databases, older LDAP servers) will fail.
See also: Review TLS Java changes.
CAUTION
Re-enable via
conf/security/java.securityunderjdk.tls.disabledAlgorithms— for transitional use only.
Recommended installation method: Extract the JDK – don't install it
We recommend against installing OpenJDK via the Windows installer or your operating system's package manager. Instead, extract the ZIP or tarball archive (e.g., from Adoptium) into a dedicated directory. The reasons are:
Decoupled from automatic OS updates—An OS or package manager update cannot silently change the JDK version.
Controlled upgrades—Every JDK switch is a deliberate action that can be validated in staging first.
Fast rollback—If a new Java version causes issues, update the path in the Lobster startup scripts or in
platform.jsonto point back to the previously extracted JDK and restart.
The active JVM is selected exclusively via the Lobster startup scripts or the wrapper configuration (JAVA_HOME in hubenv.bat / hub.sh, or the JDK path in platform.json starting with 26.2). A system-wide Java registration is not required to run the Lobster Data Platform.
Step by step: Performing the upgrade
Extract JDK 21: Extract the JDK 21 archive into a dedicated directory (e.g.,
C:\java\jdk-21.x.xor/opt/java/jdk-21.x.x) alongside the existing JDK 11. Keep the existing JDK 11 in place as a rollback option.Point
JAVA_HOMEandPATHto the new directory.Start the application in test mode and watch for encoding issues and TLS errors.
Remove JDK 11 only once everything is running in a stable manner.
SecurityManager on Java 21
When the Lobster Data Platform starts on Java 21, the following message appears in logs/wrapper.log:
*** INFO: SecurityManager could not be installed. See documentation for more details ***Java's SecurityManager was deprecated by Oracle and is no longer available in Java 21. The JVM rejects the installation call. The platform continues to start and operates normally.
What changes with SecurityManager removed
Within the Lobster Data Platform, SecurityManager served two purposes:
System.exit()interception — it blocked libraries from terminating the JVM abruptly.Runtime.exec()interception — it blocked libraries from spawning external processes.
Both protections are no longer active on Java 21.
How security is handled now
These protections are now the responsibility of the operating system or container runtime. Use OS-level process controls or container security policies (for example, Linux seccomp profiles or Kubernetes security contexts) to restrict process termination and spawning.
No other security controls in the platform relied on SecurityManager. The sandbox capabilities it originally provided were not in use.