[asymm} systems
JDK 25 LTS · 25.0.3 released

Eliya

Eliya is an OpenJDK 25 distribution from Asymm Systems for compliance-conscious production. One flag turns your JVM into a forensic recorder. Diagnostic data stays inside your perimeter.

All downloads User guide
Why Eliya

Engineered for operational discipline

Four core properties define the platform across all four phases, built into Eliya's foundation rather than sold as add-ons.

Observability by Design

Heap dump on OOM, native memory tracking, crash log path, and JFR one flag away, all configured by default via -XX:EliyaProfile=Production. Continuous 24-hour recording and unified GC logging land in Phase 2, putting the last day of execution profile on disk before failure. Performance impact: ~1–2% steady-state.

Local-Only Diagnostics

All diagnostic capture and (Phase 2) analysis runs on your infrastructure. No SaaS dependencies, no telemetry, no phone-home. Runs alongside whatever APM you're already using; Eliya provides forensic data APM tools structurally cannot.

Conservative Engineering

Eliya tracks the upstream OpenJDK source tree (openjdk/jdk25u) exactly, preserving API semantics. Based on TCK-certified upstream OpenJDK 25; Phase 2 will publish an independent TCK run of the Eliya binary itself. It is a hardened build, not a diverging fork.

Operational Cadence

Security requires velocity. Eliya ships quarterly Critical Patch Updates within two weeks of each upstream OpenJDK release. Critical CVEs target one-week turnaround. GPLv2 with Classpath Exception, same licence as upstream.

Engineering

What's actually different from upstream OpenJDK 25

Here's what Eliya changes vs. a vanilla OpenJDK 25 build, and what stays exactly upstream.

What Eliya gives you

  • One opt-in flag, -XX:EliyaProfile=Production, turns your JVM into a forensic recorder. Every run leaves audit-grade diagnostic data (JFR, heap dump on OOM, GC logs, native-memory accounting, crash artifacts) on disk in a predictable per-service path. ~1-2% steady-state overhead.
  • A diagnostic CLI on every install: asymm eliya info and asymm eliya doctor for fast triage. Diagnostic directory pre-created and writable by the running user.
  • Quarterly upstream sync within two weeks of every OpenJDK CPU; one-week target for out-of-cycle critical CVEs.
  • Honest TCK posture: built on TCK-certified upstream OpenJDK 25 today; independent TCK run of the Eliya binary is a Phase 2 deliverable.
  • Compliance-conscious by design: local execution only, no SaaS dependencies, no telemetry, no phone-home. Diagnostic data stays on your hardware.
  • Coexists with your existing APM. JVM forensic capture (HPROF heap dumps, JFR recordings, structured thread dumps) that APM tools structurally cannot produce. Runs alongside Datadog, New Relic, Dynatrace, AppDynamics, and Elastic APM without conflict. See JVM forensics vs APM for the architectural distinction.
  • Phased roadmap with named deliverables: FIPS 140-3 variant (Bouncy Castle FIPS, CMVP cert #4943) and bundled diagnostic tooling (Eclipse MAT headless, async-profiler) in Phase 2; Asymm Forensics cross-correlation platform in Phase 3; compliance-aligned profiles (PCI DSS, HIPAA, SOX, FedRAMP, GDPR, ISO 27001, SOC 2) plus combined profiles for industries spanning multiple frameworks (Healthcare-Payment, Financial-SaaS, Federal-Defense) demand-gated for Phase 4. Full trajectory: roadmap.

What stays exactly upstream

  • GC selection: JDK 25 ergonomics decide; Eliya does not pick a collector or set MaxGCPauseMillis.
  • JIT, class loader, module system: identical bytes, identical behaviour.
  • java.security in the standard build is bit-identical to upstream JDK 25. SSLv3 / TLS 1.0 / TLS 1.1 disabled, weak ciphers blocked, NIST-aligned key sizes: these are upstream defaults. Eliya does not duplicate them as “hardening” because performative duplication is dishonest. The file is bit-identical to upstream, verifiable with diff. Compliance-aligned profiles (PCI DSS, HIPAA, SOX) are a Phase 4 deliverable, demand-gated by customer signal.
  • SunJCE provider order in the standard build. The Phase 2 FIPS variant is a separate artifact (eliya-25-fips.tar.gz) with Bouncy Castle FIPS pre-installed; FIPS is not a configuration toggle on the standard build.
  • Java APIs, standard library, runtime semantics: built from the same source tree (openjdk/jdk25u). If your application runs on upstream OpenJDK 25, it runs on Eliya unchanged.
  • GPLv2 with Classpath Exception, same licence as upstream OpenJDK.

Full enumeration with exact flag values and patch locations: Differences from upstream OpenJDK 25

Quick start

Install and activate observability

Install paths for every deployment shape. Docker image (multi-arch) is ready now; tar.gz from GitHub Releases works on any Linux; DEB / RPM packages for production servers target Q4 2026; SDKman for developer machines is Phase 1 (submission in progress, target Q2 2026).

# Run on Docker (multi-arch image)

# Download directly from GitHub Releases (bare-metal Linux)

# Developer machines: SDKman registration in progress (target Q2 2026)

sdk install java 25.0.3-eliya

# Activate operational-readiness defaults (Phase 1)

Full installation guide: User guide  ·  Verify your download: Verification

Roadmap

Phase roadmap

Four phases. Phase 1 ships today; Phase 2–4 are demand-gated: they ship when customer signups indicate concrete need. Each waitlist is a real demand signal that determines shipping order. Full trajectory and demand-gating mechanics: roadmap page.

PhaseWhat shipsWhenStatusGet notified
Phase 1Observability defaults via -XX:EliyaProfile=Production, Linux x64 + aarch64 binaries, Docker multi-arch images, FreeBSD Research Preview (planned, late 2026), asymm CLI Phase 1 surfaceNowAvailable
Phase 2Bundled diagnostic tools (Eclipse MAT headless, async-profiler), FIPS variant build (Bouncy Castle FIPS, CMVP cert #4943), .deb / .rpm packages, hosted apt/yum repositories, macOS aarch64 binary (demand-gated), expanded asymm eliya CLI surfaceTarget H2 2026Demand-gatedNotify me about Phase 2 deliverables
Phase 3Asymm Forensics: JVM diagnostic forensics platform with cross-correlation analysis (JFR + heap + thread + GC + crash artifacts analysed together), ML-based pattern detection, compliance reporting (PCI DSS, HIPAA, SOX), and Dial-aware analysis. Windows x64 ships alongside.Target 2027 (post-Series A)PlannedNotify me about Asymm Forensics
Phase 4Compliance-aligned profile values (EliyaProfile=PCIDSS, =HIPAA, =SOX, =FedRAMP, =GDPR, =ISO27001, =SOC2) plus combined profiles for industries spanning multiple frameworks (Healthcare-Payment for PCI DSS + HIPAA, Financial-SaaS for SOC 2 + ISO 27001, Federal-Defense for FedRAMP + CMMC)Demand-gatedDemand-gatedNotify me about compliance profiles
Read on

Pick your starting point

Start where your role does.

Engineer ↑

Operator ↑

Decider ↑

[ } Eliya Eliya Dial Dial
Privacy
[ }
[ }
// PRODUCTS Eliya Eliya Dial Dial
Engineer User Guide Flags reference Diff from upstream asymm CLI Flag architecture Install Migration Operator Downloads Security Lifecycle Verify download Lessons from production Decider FAQ Compare JDKs JVM forensics vs APM Diff from upstream License Release Notes
Privacy Policy © 2026 Asymm Systems