
Java 18 support and enhancements to client certificates in Open Liberty

Ryan Storey on Apr 12, 2022

Open Liberty provides support for Java 18, which includes many new exciting features and changes. This release also provides support for client certificates with URL-encoded strings. We’ve also made a number of notable bug fixes.

In Open Liberty

Along with the new features and functions added to the runtime, we’ve also made updates to our guides.

View the list of fixed bugs in

Run your apps using

If you’re using Maven, here are the coordinates:


Or for Gradle:

dependencies {
    libertyRuntime group: 'io.openliberty', name: 'openliberty-runtime', version: '[,)'
}

Or if you’re using Docker:

FROM open-liberty

Or take a look at our Downloads page.

Ask a question on Stack Overflow

Java 18 Support

Java 18 has arrived, and with it the following features and changes:

Java Security support has been removed with Java 18+ in Liberty. If "" is set in, it will produce the following error in the log:

CWWKE0955E: Java Security was requested in while using JDK "18", however this option is no longer valid when using Java 18 and later.

To use Java 18 with Liberty, download the general availability release, install version of Open Liberty, and edit your Liberty server’s server.env file to point JAVA_HOME to your Java 18 installation.

For more information on Java 18, please visit the Java 18 release notes page, API Javadoc page or download page. For more information on Open Liberty, please visit our documentation page.

Support client certificates with URL encoded strings

An X.509 certificate is a digital certificate that is used to manage identity and security in internet communications and computer networking.

Intermediate servers, such as a web server, proxy server, or load balancer, can send X.509 certificates to Open Liberty servers. Because folding long lines with HTTP header continuation is deprecated, some open source intermediate servers might send a client certificate in the Privacy-Enhanced Mail (PEM) URL-encoded format.

Open Liberty adds the ability to automatically detect and process X.509 certificates that are sent in PEM format.

An example of a truncated url-encoded certificate sent to application server:app-name:



  • (1) The header (i.e., BEGIN) and footer (i.e., END) information are appended before sending to the application server.

  • (2) The presence of the percent character (%) in a certificate indicates that the string is encoded.

Prior to Open Liberty, this new url-encoded certificate was not supported. Any request with this new format was rejected and the request terminated.
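
One way a receiving application could normalize such a header value before trusting it, shown as an added example rather than Open Liberty's implementation: it uses the percent character to detect encoding, strips the BEGIN/END lines, and rejects anything that does not decode and parse cleanly. The class and method names are hypothetical, the sample bytes are constructed placeholders rather than a real certificate, and the sender is assumed to percent-encode spaces as %20.

```java
import java.io.ByteArrayInputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;

public class ForwardedClientCert {
    /** Returns the DER bytes from bare Base64, PEM, or percent-encoded PEM; throws on invalid Base64. */
    static byte[] toDer(String headerValue) {
        String v = headerValue.trim();
        if (v.indexOf('%') >= 0) {
            // '%' is outside the Base64/PEM alphabets. URLDecoder maps '+' to space, so protect literal '+'.
            v = URLDecoder.decode(v.replace("+", "%2B"), StandardCharsets.UTF_8);
        }
        String body = v.replaceAll("-----(BEGIN|END) CERTIFICATE-----", "").replaceAll("\\s", "");
        return Base64.getDecoder().decode(body);
    }

    /** Parses the forwarded value; anything that is not a well-formed certificate is rejected. */
    static X509Certificate parse(String headerValue) throws CertificateException {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(toDer(headerValue)));
        } catch (IllegalArgumentException e) {
            throw new CertificateException("malformed forwarded certificate", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: placeholder bytes, not a real certificate.
        byte[] der = new byte[96];
        for (int i = 0; i < der.length; i++) der[i] = (byte) (i * 37 + 251);
        String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        String pem = "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
        // URLEncoder writes spaces as '+'; switch them to %20 to model percent-encoding.
        String encoded = URLEncoder.encode(pem, StandardCharsets.UTF_8).replace("+", "%20");
        System.out.println("bare Base64 round-trips: " + Arrays.equals(der, toDer(b64.replace("\n", ""))));
        System.out.println("encoded PEM round-trips: " + Arrays.equals(der, toDer(encoded)));
        try {
            parse(encoded);
        } catch (CertificateException e) {
            System.out.println("placeholder bytes rejected by the X.509 parser");
        }
    }
}
```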

For more information, check out the GitHub issue for this new feature.

Introducing the Paketo Liberty Buildpack

The Paketo Liberty Buildpack is a new method to deploy your applications. Paketo buildpacks transform your application source code into container images and easily keep them updated. The Paketo Liberty buildpack provides the Open Liberty runtime to a workflow that produces an Open Container Initiative (OCI) image that can run just about anywhere. There are many advantages to using this buildpack, which are explained in more detail in the Introducing the Paketo Liberty Buildpack blog post.

Security vulnerability (CVE) fixes in this release

There are no security vulnerability fixes in Open Liberty

For a list of past security vulnerability fixes, reference the Security vulnerability (CVE) list.

Notable bugs fixed in this release

We’ve spent some time fixing bugs. The following sections describe just some of the issues resolved in this release. If you’re interested, here’s the full list of bugs fixed in

  • Rebuild OpenAPI UI to fix CSS links in OpenAPI UI

    In, the OpenAPI CSS links in the HTML files didn’t match the actual CSS file names. This resulted in the OpenAPI UI having no styling. This issue has now been resolved and the page displays correctly.

  • Timing window where cancellation of scheduled task is ignored

    There was a brief timing window between the completion (or skip) of a ManagedScheduledExecutorService task execution and the scheduling of the next execution where a cancel that is issued can be overwritten and ignored. Due to this issue, you might have intermittently seen subsequent executions of a scheduled task be attempted even though the application had requested to cancel the task. This issue was caused by code that used AtomicReference.set rather than AtomicReference.compareAndSet, which is needed to take into account the possibility of an intermediate state change. This issue has been resolved, and the scheduled task should now stop attempting subsequent executions after it is canceled.

  • MP JWT 1.2 fails to load all relevant MP Config properties

    Previously, the mpJwt-1.2 feature might have failed to load MP Config properties related to MicroProfile JWT 1.2. The MP JWT feature uses an OSGi service (MpConfigProxyService) to load MP Config properties related to the feature. There are currently implementation classes for two versions of that service - 1.1 and 1.2 - that load the MP Config properties specific to each respective MP JWT release. It was possible for the 1.1 version of the service to be activated and set as the service to use in the MicroProfileJwtTAI class before the 1.2 version of the service is activated. That caused the MP JWT feature to ignore any MP Config properties specific to MP JWT 1.2. This has now been fixed, meaning that the MP Config properties for the MP JWT feature version in use are now loaded correctly.

  • Liberty OP configured with SAML IdP, logout at OP is not propagated to the IdP

    We have configured our ELM applications (RP) with Liberty OP which is further delegated to a SAML IDP. In this case we had issues with application logout which were solved by adding the attribute spLogout="true" in the samlWebSso20 configuration. To achieve SSO between our applications configured with Liberty OP and other applications configured with the SAML IDP we set the value forceAuthn="false" within the samlWebSso20 config. When we set forceAuthn="false" the SSO between Liberty OP and other applications connected to SAML IDP worked, but then the Logout would not. We have now resolved this issue and now Logout should work with the forceAuthn="false" parameter.

  • context-root for web-ext is no longer honored with WLP

    Specifying the context-root in a web-ext element, e.g.:

    <web-ext id="namehere" moduleName="namehere" context-root="/" />

    was ignored starting with the release. The context root for the app in the above example becomes /namehere instead of /. This issue was caused by the new code only looking for module info in the non-persistent cache when the parent overlay is not null.

    This issue is now resolved.

  • webContainer property skipMetaInfResourcesProcessing=true can cause NullPointerException in JSP taglib

    In Liberty, if webContainer property skipMetaInfResourcesProcessing is true, and a JSP references a taglib with a path under WEB-INF, it could cause a NullPointerException on the call to the JSP resulting in just the message Error 500: java.lang.NullPointerException. The error in messages.log was as follows:

    at java.base/
    at java.base/java.text.MessageFormat.subformat(
    at java.base/java.text.MessageFormat.format(
    at java.base/java.text.Format.format(
    at java.base/java.text.MessageFormat.format(
    at java.logging/java.util.logging.Logger.log(
    ... 20 more

    We’ve fixed this issue so that the JSP now returns to the client without an NPE even in file not found situations.
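
The cancellation timing window from the scheduled-task fix above, replayed deterministically in a single thread so the lost update is visible without a race. This is an added example, not Open Liberty's code; the State enum and Reschedule interface are hypothetical models of the executor's internal state.

```java
import java.util.concurrent.atomic.AtomicReference;

public class CancelWindow {
    enum State { RUNNING, SCHEDULED, CANCELED }

    /** Models the step after one execution completes: publish the next scheduled state. */
    interface Reschedule {
        void apply(AtomicReference<State> state, State observed);
    }

    // Unconditional write: overwrites whatever happened since 'observed' was read,
    // so a cancel issued in the window is lost.
    static final Reschedule WITH_SET =
        (state, observed) -> state.set(State.SCHEDULED);

    // Conditional write: moves to SCHEDULED only if the state is still the one that
    // was observed, so a cancel issued in the window is preserved.
    static final Reschedule WITH_CAS =
        (state, observed) -> state.compareAndSet(observed, State.SCHEDULED);

    /** Replays the interleaving: execution completes, cancel lands, then reschedule runs. */
    static State replay(Reschedule reschedule) {
        AtomicReference<State> state = new AtomicReference<>(State.RUNNING);
        State observed = state.get();       // scheduler thread: execution just completed
        state.set(State.CANCELED);          // application thread: cancel arrives in the window
        reschedule.apply(state, observed);  // scheduler thread: schedule the next execution
        return state.get();
    }

    public static void main(String[] args) {
        System.out.println("after set:           " + replay(WITH_SET));
        System.out.println("after compareAndSet: " + replay(WITH_CAS));
    }
}
```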

New and updated guides since the previous release

As Open Liberty features and functionality continue to grow, we continue to add new guides to on those topics to make their adoption as easy as possible. Since our last release, we’ve added the following two guides:

We also update existing guides to address any reported bugs/issues, keep their content current, and expand what their topics cover. Since our last release, we’ve updated the majority of the guides to align with MicroProfile 5 and Jakarta EE 9. Furthermore, our cloud hosted versions of the guides have also received various improvements. For further information on these updates, refer to the Learn MicroProfile 5.0 and Jakarta EE 9.1 from our newly enhanced cloud-hosted guides blog post.

The following 31 guides are updated to use MicroProfile 5 and Jakarta EE 9 features. Their Java classes are now using the jakarta namespace. Also, their cloud-hosted guides are updated and enhanced with this new style.

Get Open Liberty now