back to all blogsSee all blog posts

Support for new changes to SSL certificates in Open Liberty 22.0.0.2-beta

image of author
Ryan Storey on Jan 20, 2022
announcements , release , beta , security ,
Post available in languages:

Open Liberty 22.0.0.2-beta offers just one new feature, supporting new changes in SSL certificates with urlencoded strings.

All Beta Features package

The All Beta features package for Open Liberty contains all Open Liberty beta features and GA features and functions.

This means that you can now try out our in-development Open Liberty features by just adding the relevant coordinates to your build tools.

If you try the beta package, let us know what you think.

The following beta features are available in 22.0.0.2-beta:

Support new change in the SSL certificate with urlencoded string

An X.509 certificate is a digital certificate that is used to manage identity and security in internet communications and computer networking.

Intermediate servers, such as a web server, proxy server, or load balancer can send X.509 certificates to Open Liberty servers. Due to the deprecation of long lines folding in the HTTP header continuation, some open source intermediate servers might send a client certificate in the Privacy-Enhanced Mail (PEM) url-encoded format.

Open Liberty 22.0.0.2-beta adds the ability to auto detect and process this new format.

An example of a truncated url-encoded certificate sent to application server:app-name:

[-----BEGIN%20CERTIFICATE-----%0AMIIDODCCAiCgAwIBAgIIHbO76YfCH1cwDQYJKoZIhvcNAQELBQAw
OjELMAkGA1UE%0ABhMCVVMxDDAKBgNVBAoTA0lCTTEMMAoGA1UECxMDVFdTMQ8wDQYDVQQDEwZDbGll%0AbnQ
wHhcNMTUxMTAzMTYyODM1WhcNMzUxMDMwMTYyODM1WjA6MQswCQYDVQQGEwJV%0AUzEMMAoGA1UEChMDSUJNM
QwwCgYDVQQLEwNUV1MxDz%2F%2Bpo%2FF%2Bzi%2F0sfAUwRdfgMm%2FAKAGzwMQufOYeKCgMULtq14QAJQnL
mq4M%2FM00%0AC5QyeYtdaTou%2BMsLmoa1tkq2VSDVxAcktJyRSRsox36G7EHDLV4U2gtR6xczNEjw%0A2%2
Bsj772FjdAMXRSR%0A-----END%20CERTIFICATE-----%0A]

Note:

  • (1) The header (i.e BEGIN ) and footer (i.e END) information are appended before sending to application server.

  • (2) The encoded character (i.e %) presents in the certificate.

Prior to Open Liberty 22.0.0.2-beta, this new url-encoded certificate was not supported. Any request with this new format was rejected and the request terminated.

For more information, check out the GitHub issue for this new feature.

Try it now

To try out these features, just update your build tools to pull the Open Liberty All Beta Features package instead of the main release. The beta works with Java SE 17, Java SE 11, or Java SE 8.

If you’re using Maven, here are the coordinates:

<dependency>
  <groupId>io.openliberty.beta</groupId>
  <artifactId>openliberty-runtime</artifactId>
  <version>22.0.0.2-beta</version>
  <type>pom</type>
</dependency>

Or for Gradle:

dependencies {
    libertyRuntime group: 'io.openliberty.beta', name: 'openliberty-runtime', version: '[22.0.0.2-beta,)'
}

Or take a look at our Downloads page.

Jakarta EE 9 Features

As of 21.0.0.12 the Jakarta EE 9.1 features are now out of beta and fully supported. Check out the release blog post for these features.

Your feedback is welcomed

Let us know what you think on our mailing list. If you hit a problem, post a question on StackOverflow. If you hit a bug, please raise an issue.