Stronger password encryption and updated guides in 25.0.0.2
The 25.0.0.2 release includes 256-bit AES password encryption, updates to our Open Liberty guides, and a CVE fix.
In Open Liberty 25.0.0.2:
View the list of fixed bugs in 25.0.0.2.
Check out previous Open Liberty GA release blog posts.
Develop and run your apps using 25.0.0.2
If you’re using Maven, include the following in your pom.xml file:

    <plugin>
        <groupId>io.openliberty.tools</groupId>
        <artifactId>liberty-maven-plugin</artifactId>
        <version>3.11.2</version>
    </plugin>
Or for Gradle, include the following in your build.gradle file:

    buildscript {
        repositories {
            mavenCentral()
        }
        dependencies {
            classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.2'
        }
    }
    apply plugin: 'liberty'
Or if you’re using container images:
FROM icr.io/appcafe/open-liberty
Or take a look at our Downloads page.
If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging and application management all from within your IDE.
Support for AES-256 password encryption
Open Liberty supports Advanced Encryption Standard (AES) encryption for passwords that are stored in the server.xml file. This AES encryption now uses a 256-bit key. For AES decryption, Open Liberty supports both AES-128 and AES-256, so passwords that were encrypted by earlier releases can still be decrypted. Previously, Open Liberty AES password encryption and decryption used only a 128-bit key. The 256-bit key provides stronger encryption, making encrypted passwords more secure.
To encrypt a password with AES-256 encryption, run the securityUtility encode command from the wlp/bin directory with the --encoding=aes option.
securityUtility encode --encoding=aes superAES256password
The response is a 256-bit AES encrypted password, similar to the following example:
{aes}ARAmkTCr3of9G0gvieyx7NtHFbeX5fiueD6yGTvnYzyFMxyg7Cd5V6Ew34uxunYb0pYixwDiR6V2qCx2Yxm9io4KBZiW8T9GJLCut1ClauY7GNBM6lFM+PMZfCaScPzUgSE07PJYI37WQ8lSzjaeWGCA+K5dlA==
You can now use this password in your server.xml file, for example in your keystore definition:
<keyStore id="MyKeyStore" password="{aes}ARAmkTCr3of9G0gvieyx7NtHFbeX5fiueD6yGTvnYzyFMxyg7Cd5V6Ew34uxunYb0pYixwDiR6V2qCx2Yxm9io4KBZiW8T9GJLCut1ClauY7GNBM6lFM+PMZfCaScPzUgSE07PJYI37WQ8lSzjaeWGCA+K5dlA==" />
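To find the entries in an existing server.xml that would benefit from being re-encoded with `--encoding=aes`, the following added example (not part of the original post or of Open Liberty) lists every password-like attribute and how it is stored. It assumes the `{xor}` and `{hash}` prefixes that securityUtility's other encodings produce and the `${...}` variable syntax; the sample configuration is constructed, and the script does not distinguish AES-128 from AES-256 values because both carry the same `{aes}` prefix.

```python
import re
import xml.etree.ElementTree as ET

# Encoding prefixes written by securityUtility encode; anything else is cleartext.
SCHEME = re.compile(r"^\{(aes|xor|hash)\}", re.IGNORECASE)
VARIABLE = re.compile(r"^\$\{[^}]+\}$")  # ${var} reference resolved elsewhere


def classify(value):
    """Return the storage scheme of one password attribute value."""
    match = SCHEME.match(value)
    if match:
        return match.group(1).lower()
    if VARIABLE.match(value):
        return "variable"
    return "plaintext" if value else "empty"


def audit_passwords(server_xml):
    """List (element, id, attribute, scheme) for every password-like attribute.

    Matching on the attribute name is a heuristic: review the output by hand.
    """
    findings = []
    for element in ET.fromstring(server_xml).iter():
        for name, value in element.attrib.items():
            if "password" in name.lower():
                findings.append(
                    (element.tag, element.get("id", "-"), name, classify(value)))
    return findings


def needs_reencoding(findings):
    """Entries not stored as {aes}: cleartext or reversible {xor} encoding."""
    return [f for f in findings if f[3] in ("plaintext", "xor")]


# Constructed sample configuration; the encoded strings are placeholders.
SAMPLE = """<server>
  <keyStore id="MyKeyStore" password="{aes}PLACEHOLDERaesBLOB==" />
  <keyStore id="LegacyStore" password="{xor}PLACEHOLDERxorBLOB" />
  <dataSource id="ds1">
    <properties user="app" password="changeit" />
  </dataSource>
  <quickStartSecurity userName="admin" userPassword="${env.ADMIN_PW}" />
</server>"""

if __name__ == "__main__":
    for tag, ident, attr, scheme in audit_passwords(SAMPLE):
        print(f"{tag:20} id={ident:12} {attr:14} {scheme}")
```

Entries reported as `variable` need the same check applied wherever the variable's value is defined.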
For more information, see the following resources:
New and updated guides since the previous release
As Open Liberty features and functionality continue to grow, we add new guides to openliberty.io on those topics to make their adoption as easy as possible. Existing guides also receive updates to address any reported bugs or issues, keep their content current, and expand what their topic covers.
- A new guide, Building a dynamic web application with integrated user interface and backend logic, is published under the Client side category.
- All guides except those that are marked Deprecated are updated to use MicroProfile 7 and versionless features.
- The Deploying microservices to Azure Kubernetes Service guide is updated to use the IBM WebSphere Liberty and Open Liberty on AKS plan to create the resource group.
Security vulnerability (CVE) fixes in this release
| CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Notes |
|---|---|---|---|---|
| | 5.5 | Denial of service | 21.0.0.2 - 25.0.0.1 | Affects the |
For a list of past security vulnerability fixes, see the Security vulnerability (CVE) list.
Get Open Liberty 25.0.0.2 now
Available through Maven, Gradle, Docker, and as a downloadable archive.