
FIPS 140-3 support and simplified library configuration in 25.0.0.3

David Mueller on Mar 25, 2025

The 25.0.0.3 release includes support for the Federal Information Processing Standard (FIPS) 140-3 and a new library configuration option that simplifies the way you manage files and folders. This release also updates the algorithms used to sign and encrypt audit logs and the AES and hashing algorithms used for passwords.


View the list of fixed bugs in 25.0.0.3.

Develop and run your apps using 25.0.0.3

If you’re using Maven, include the following in your pom.xml file:

<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>3.11.3</version>
</plugin>

Or for Gradle, include the following in your build.gradle file:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.3'
    }
}
apply plugin: 'liberty'

Or if you’re using container images:

FROM icr.io/appcafe/open-liberty

Or take a look at our Downloads page.

If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging, and application management all from within your IDE.


New library configuration for a path that targets a file or a folder

You can configure a library in Liberty with a list of file, folder, or fileset configuration elements. The file and folder elements require you to know ahead of time whether the target of the configuration is a file (such as a JAR) or a folder. The fileset configuration matches targets that are files and ignores folders. The Liberty 25.0.0.3 release adds a new library configuration element named path. A path configuration can target either a file or a folder, so you don't need to know the target type ahead of time.

For example, consider the following library configuration for someLib:

    <library id="someLib">
       <!-- path to a jar -->
       <file name="libs/lib1.jar"/>
       <!-- path to a folder -->
       <folder dir="libs/lib2folder"/>
    </library>

This configuration for someLib can now use path for both locations instead:

    <library id="someLib">
       <!-- path to a jar -->
       <path name="libs/lib1.jar"/>
       <!-- path to a folder -->
       <path name="libs/lib2folder"/>
    </library>

Support for FIPS 140-3 with IBM JDK 8

FIPS 140-3 is the latest version of the FIPS 140 standard, which provides a set of guidelines for cryptographic modules to ensure their security and integrity.

Before this update, FIPS 140-2 was supported, but the FIPS 140-2 certification for IBM SDK 8 has now expired. The new FIPS 140-3 support provides an updated and more secure cryptographic module for Liberty users who run on IBM SDK 8.

For information about IBM SDK 8 FIPS 140-3 support, including supported operating systems, see FIPS 140-3 in the IBM SDK 8 documentation. For more information about FIPS and Open Liberty, see Run FIPS-compliant applications on Open Liberty.

Enabling FIPS 140-3

To enable FIPS 140-3 in Liberty, complete the following steps. You must use IBM SDK for Java 8.0.8.30 or later.

  1. If your Liberty server is running, stop it.

  2. Set the following system properties in the jvm.options file:

    -Xenablefips140-3
    -Dcom.ibm.jsse2.usefipsprovider=true
    -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
  3. If you have LTPA keys, delete the ltpa.keys file before you restart the server to generate new FIPS 140-3 compliant keys.

    For more information, see the LTPA support section.

  4. Restart the Liberty server to enable FIPS 140-3.

TLS Support

FIPS 140-3 supports only the TLS 1.2 and 1.3 protocols.
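After following the steps above, it is worth confirming that the JVM really came up in FIPS 140-3 mode before you rely on it. The following class is an added example (not Open Liberty code): run it with the same options you placed in jvm.options and it reports whether the two com.ibm.jsse2 properties are visible, whether the IBMJCEPlusFIPS provider named in those properties is registered, and whether the default SSLContext enables anything other than TLS 1.2 and 1.3, which the post states are the only protocols FIPS 140-3 mode supports. Only the provider name and system property names come from the post; the expectation that the FIPS provider is listed first is this example's own assumption, and the rest is plain JCE/JSSE API.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Added example, not Open Liberty code. Run on IBM SDK 8 as:
 *   java -Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true \
 *        -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS FipsModeCheck
 */
public class FipsModeCheck {

    /** Provider name configured in jvm.options in the post. */
    static final String EXPECTED_PROVIDER = "IBMJCEPlusFIPS";

    /** Protocols the post says FIPS 140-3 mode supports. */
    static final List<String> ALLOWED_TLS = Arrays.asList("TLSv1.3", "TLSv1.2");

    /** Returns human-readable findings; an empty list means every check passed. */
    public static List<String> check() throws Exception {
        List<String> findings = new ArrayList<>();

        // 1. The JSSE system properties from jvm.options must reach this JVM.
        if (!"true".equals(System.getProperty("com.ibm.jsse2.usefipsprovider"))) {
            findings.add("com.ibm.jsse2.usefipsprovider is not 'true'");
        }
        if (!EXPECTED_PROVIDER.equals(System.getProperty("com.ibm.jsse2.usefipsProviderName"))) {
            findings.add("com.ibm.jsse2.usefipsProviderName is not " + EXPECTED_PROVIDER);
        }

        // 2. The FIPS provider must be registered. That it is also first in the
        //    provider order is this example's assumption; relax if your JDK
        //    documentation says otherwise.
        Provider[] providers = Security.getProviders();
        if (Security.getProvider(EXPECTED_PROVIDER) == null) {
            findings.add(EXPECTED_PROVIDER + " is not a registered security provider");
        } else if (!EXPECTED_PROVIDER.equals(providers[0].getName())) {
            findings.add(EXPECTED_PROVIDER + " is registered but " + providers[0].getName()
                    + " is first in the provider order");
        }

        // 3. The default SSLContext must enable only TLS 1.2 / 1.3.
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        for (String protocol : enabled) {
            if (!ALLOWED_TLS.contains(protocol)) {
                findings.add("default SSLContext enables non-FIPS protocol " + protocol);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = check();
        if (findings.isEmpty()) {
            System.out.println("FIPS 140-3 mode checks passed");
            return;
        }
        for (String finding : findings) {
            System.out.println("FAIL: " + finding);
        }
        System.exit(1);
    }
}
```

Running the class without the jvm.options flags on a non-FIPS JDK produces findings for all three checks, which is a quick way to confirm that the check itself is doing something before you trust a clean result.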

LTPA Support

When FIPS 140-3 is enabled, LTPA keys use FIPS 140-3 approved cryptographic algorithms. To use LTPA single sign-on (SSO), all participating servers must be configured to use FIPS 140-3.

To create LTPA keys with FIPS 140-3 enabled, choose one of the following options:

  • Delete the existing ltpa.keys file and restart the server after configuring FIPS 140-3.

    The default location for this file is ${server.output.dir}/resources/security/ltpa.keys. A new ltpa.keys file is created when the Liberty server restarts. These new LTPA keys support FIPS 140-3 standards.

  • Use the securityUtility command with the createLTPAKeys option.

    If you have LTPA validation keys, you must also delete these and generate new validation keys after FIPS 140-3 is enabled. You can generate new validation keys by using the securityUtility createLTPAKeys command, as demonstrated in the following examples.

    To use the securityUtility createLTPAKeys command to create LTPA keys that use FIPS 140-3 approved algorithms, export the following system property before you run the command:

    export JVM_ARGS="-Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS"

    Then, run the securityUtility createLTPAKeys command:

    securityUtility createLTPAKeys --password=mypassword --passwordEncoding=aes

For more information about LTPA, see Configuring LTPA in Liberty.

Updates to audit logging encryption and signing

Starting with the 25.0.0.3 release, Liberty uses updated algorithms to sign and encrypt audit logs, regardless of whether FIPS 140-3 is enabled. The updated auditUtility command does not read audit logs that were signed or encrypted before version 25.0.0.3. To read logs from these earlier versions, run the auditUtility command from a Liberty server version 25.0.0.2 or earlier.

Updates for AES and hash passwords

Starting with the 25.0.0.3 release, all new AES passwords in Liberty use AES-256 and all new hash passwords use the PBKDF2WithHmacSHA512 algorithm, regardless of whether FIPS 140-3 is enabled. If FIPS 140-3 is not enabled, secrets from previous versions are still accepted. With FIPS 140-3 enabled, old secrets must be regenerated by using the securityUtility command.
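To show what the two algorithm families named above look like when used through the standard JCE API, the following class is an added example and is not Open Liberty code. It hashes and verifies a password with PBKDF2WithHmacSHA512, and encrypts and decrypts a secret with a 256-bit AES key. The post does not describe the on-disk format that securityUtility writes, so the record layout, the iteration count, the salt and IV sizes, and the choice of AES/GCM are all this example's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example, not Open Liberty code; constants below are example choices. */
public class PasswordAlgorithms {
    private static final SecureRandom RNG = new SecureRandom();
    static final int PBKDF2_ITERATIONS = 210_000; // assumption, not Liberty's value
    static final int SALT_BYTES = 16;
    static final int GCM_IV_BYTES = 12;
    static final int GCM_TAG_BITS = 128;
    static final int AES_KEY_BITS = 256;

    /** Runs PBKDF2WithHmacSHA512 and returns keyBits/8 derived bytes. */
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBits) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // clears the spec's internal copy of the password
        }
    }

    /** Returns a storable record: "iterations:base64(salt):base64(hash)" (example layout). */
    public static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS, 512);
        Base64.Encoder b64 = Base64.getEncoder();
        return PBKDF2_ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(hash);
    }

    /** Recomputes the hash from the stored record and compares in constant time. */
    public static boolean verifyPassword(char[] password, String record) throws Exception {
        String[] parts = record.split(":");
        if (parts.length != 3) {
            return false;
        }
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations, expected.length * 8);
        return MessageDigest.isEqual(expected, actual);
    }

    /** AES-256-GCM with a key derived from the passphrase; output is salt || iv || ciphertext+tag. */
    public static byte[] encryptAes256(char[] passphrase, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv); // a fresh IV per encryption is mandatory for GCM
        SecretKey key = new SecretKeySpec(pbkdf2(passphrase, salt, PBKDF2_ITERATIONS, AES_KEY_BITS), "AES");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[SALT_BYTES + GCM_IV_BYTES + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_BYTES);
        System.arraycopy(iv, 0, out, SALT_BYTES, GCM_IV_BYTES);
        System.arraycopy(ct, 0, out, SALT_BYTES + GCM_IV_BYTES, ct.length);
        return out;
    }

    /** Reverses encryptAes256; a wrong passphrase or tampered blob throws AEADBadTagException. */
    public static byte[] decryptAes256(char[] passphrase, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(blob, SALT_BYTES, SALT_BYTES + GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, SALT_BYTES + GCM_IV_BYTES, blob.length);
        SecretKey key = new SecretKeySpec(pbkdf2(passphrase, salt, PBKDF2_ITERATIONS, AES_KEY_BITS), "AES");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        String record = hashPassword("correct horse".toCharArray());
        System.out.println(record);
        System.out.println("verify right: " + verifyPassword("correct horse".toCharArray(), record));
        System.out.println("verify wrong: " + verifyPassword("wrong".toCharArray(), record));
        byte[] blob = encryptAes256("passphrase".toCharArray(), "secret".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decryptAes256("passphrase".toCharArray(), blob), StandardCharsets.UTF_8));
    }
}
```

Both SecretKeyFactory.getInstance and Cipher.getInstance resolve through the provider order, so with FIPS 140-3 enabled as described above they are served by the FIPS provider without any change to this code. On Java 8 builds earlier than 8u161, 256-bit AES keys additionally required the unlimited-strength jurisdiction policy files to be installed.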
