FIPS 140-3 support and simplified library configuration in 25.0.0.3
The 25.0.0.3 release includes support for the Federal Information Processing Standard (FIPS) 140-3 and a new library configuration option that simplifies the way you manage files and folders. This release also includes updates for audit logging and AES and hash encryption algorithms.
In Open Liberty 25.0.0.3:
- New library configuration for a path that targets a file or a folder
- Support for FIPS 140-3 with IBM JDK 8
- Updates to audit logging encryption and signing
- Updates for AES and hash passwords
View the list of fixed bugs in 25.0.0.3.
Check out previous Open Liberty GA release blog posts.
Develop and run your apps using 25.0.0.3
If you’re using Maven, include the following in your pom.xml file:
<plugin>
    <groupId>io.openliberty.tools</groupId>
    <artifactId>liberty-maven-plugin</artifactId>
    <version>3.11.3</version>
</plugin>
Or for Gradle, include the following in your build.gradle file:
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'io.openliberty.tools:liberty-gradle-plugin:3.9.3'
    }
}
apply plugin: 'liberty'
Or if you’re using container images:
FROM icr.io/appcafe/open-liberty
Or take a look at our Downloads page.
If you’re using IntelliJ IDEA, Visual Studio Code or Eclipse IDE, you can also take advantage of our open source Liberty developer tools to enable effective development, testing, debugging, and application management all from within your IDE.
New library configuration for a path that targets a file or a folder
You can configure a library in Liberty with a list of file, folder, or fileset configuration elements. The file and folder elements require you to know ahead of time whether the target of the configuration is a file (such as a JAR) or a folder. The fileset configuration matches targets that are files and ignores folders. For the Liberty 25.0.0.3 release, a new library configuration element named path is added. A path configuration can target either a file or a folder, so with this option you don’t need to know the target type ahead of time.
For example, consider the following library configuration for someLib:
<library id="someLib">
    <!-- path to a jar -->
    <file name="libs/lib1.jar"/>
    <!-- path to a folder -->
    <folder dir="libs/lib2folder"/>
</library>
This configuration for someLib can now use path for both locations instead:
<library id="someLib">
    <!-- path to a jar -->
    <path name="libs/lib1.jar"/>
    <!-- path to a folder -->
    <path name="libs/lib2folder"/>
</library>
Support for FIPS 140-3 with IBM JDK 8
FIPS 140-3 is the latest version of the FIPS 140 standard, which provides a set of guidelines for cryptographic modules to ensure their security and integrity.
Before this update, FIPS 140-2 was supported, but its certification for IBM SDK 8 has now expired. The new FIPS 140-3 support provides an updated and more secure cryptographic module for Liberty users who use IBM SDK 8.
For information about IBM SDK 8 FIPS 140-3 support, including supported operating systems, see FIPS 140-3 in the IBM SDK 8 documentation. For more information about FIPS and Open Liberty, see Run FIPS-compliant applications on Open Liberty.
Enabling FIPS 140-3
To enable FIPS 140-3 in Liberty, complete the following steps. You must use IBM SDK for Java 8.0.8.30 or later.
1. If your Liberty server is running, stop it.
2. Set the following system properties in the jvm.options file:
-Xenablefips140-3
-Dcom.ibm.jsse2.usefipsprovider=true
-Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
3. If you have LTPA keys, delete the ltpa.keys file before you restart the server so that new FIPS 140-3 compliant keys are generated. For more information, see the LTPA support section.
4. Restart the Liberty server to enable FIPS 140-3.
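As an added example (not part of this release post or of Open Liberty itself), the following POSIX shell script checks, before the restart in step 4, that a jvm.options file carries all three FIPS 140-3 properties from step 2 and that no pre-FIPS ltpa.keys file remains from step 3; it also serves the LTPA support section below. The jvm.options path and server output directory passed to it are assumptions supplied by the caller.

```shell
# Added pre-restart check for the FIPS 140-3 steps above; not Open Liberty code.
# The caller supplies the jvm.options path and the server output directory.

# check_fips_options JVM_OPTIONS_FILE
# Liberty reads jvm.options one option per line, so each step-2 property is
# matched as a whole line (-x -F): a commented-out or mistyped entry does not
# count. Returns 0 if all present, 1 if any missing, 2 if the file is unreadable.
check_fips_options() {
    file="$1"
    missing=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for opt in -Xenablefips140-3 \
               -Dcom.ibm.jsse2.usefipsprovider=true \
               -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS; do
        if ! grep -qxF -- "$opt" "$file"; then
            echo "missing from $file: $opt"
            missing=1
        fi
    done
    return "$missing"
}

# ltpa_keys_absent SERVER_OUTPUT_DIR
# Step 3: keys created before FIPS 140-3 was enabled must be deleted so the
# restart generates new ones. Returns 0 when the default-location ltpa.keys
# is gone, 1 when it is still there.
ltpa_keys_absent() {
    keys="$1/resources/security/ltpa.keys"
    if [ -e "$keys" ]; then
        echo "delete pre-FIPS LTPA keys before restarting: $keys"
        return 1
    fi
    return 0
}

# fips_restart_ready JVM_OPTIONS_FILE SERVER_OUTPUT_DIR: 0 only if both pass.
fips_restart_ready() {
    ready=0
    check_fips_options "$1" || ready=1
    ltpa_keys_absent "$2" || ready=1
    return "$ready"
}

# Constructed demo: jvm.options lacks the provider-name property and an old
# ltpa.keys still exists, so both checks report what must be fixed.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/resources/security" && : > "$demo_dir/resources/security/ltpa.keys"
printf '%s\n' -Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true > "$demo_dir/jvm.options"
fips_restart_ready "$demo_dir/jvm.options" "$demo_dir" \
    && echo "ready to restart with FIPS 140-3" || echo "not ready: fix the items above"
rm -rf "$demo_dir"
```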
TLS Support
FIPS 140-3 supports only the TLS 1.2 and 1.3 protocols.
LTPA Support
When FIPS 140-3 is enabled, LTPA keys use FIPS 140-3 approved cryptographic algorithms. To use LTPA single sign-on (SSO), all participating servers must be configured to use FIPS 140-3.
To create LTPA keys with FIPS 140-3 enabled, choose one of the following options:
- Delete the existing ltpa.keys file and restart the server after configuring FIPS 140-3. The default location for this file is ${server.output.dir}/resources/security/ltpa.keys. A new ltpa.keys file is created when the Liberty server restarts. These new LTPA keys support FIPS 140-3 standards.
- Use the securityUtility command with the createLTPAKeys option. If you have LTPA validation keys, you must also delete these and generate new validation keys after FIPS 140-3 is enabled. You can generate new validation keys by using the securityUtility createLTPAKeys command, as demonstrated in the following examples.
To use the securityUtility createLTPAKeys command to create LTPA keys that use FIPS 140-3 approved algorithms, export the following environment variable, which passes the FIPS system properties to the command, before you run it:
export JVM_ARGS="-Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS"
Then, run the securityUtility createLTPAKeys command:
securityUtility createLTPAKeys --password=mypassword --passwordEncoding=aes
For more information about LTPA, see Configuring LTPA in Liberty.
Updates to audit logging encryption and signing
Starting with the 25.0.0.3 release, Liberty uses updated algorithms to sign and encrypt audit logs, regardless of whether FIPS 140-3 is enabled. The updated auditUtility command does not read audit logs that were signed or encrypted before version 25.0.0.3. To read logs from these earlier versions, run the auditUtility command from a Liberty server version 25.0.0.2 or earlier.
Updates for AES and hash passwords
Starting with the 25.0.0.3 release, all new AES passwords in Liberty use AES 256 algorithms and all new hash passwords use PBKDF2WithHmacSHA512 algorithms, regardless of whether FIPS 140-3 is enabled. If FIPS 140-3 is not enabled, secrets from previous versions are tolerated. With FIPS 140-3 enabled, old secrets must be regenerated by using the securityUtility command.
Get Open Liberty 25.0.0.3 now
Available through Maven, Gradle, Docker, and as a downloadable archive.