Skip to content

Commit e4d0caf

Browse files
updates to 26.0.0.4 GA blog
1 parent 8ebc01c commit e4d0caf

1 file changed

Lines changed: 33 additions & 32 deletions

File tree

posts/2026-04-21-26.0.0.4.adoc

Lines changed: 33 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -106,101 +106,104 @@ FROM icr.io/appcafe/open-liberty
106106

107107
Or take a look at our link:{url-prefix}/start/[Downloads page].
108108

109-
If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code] or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging and application management all from within your IDE.
109+
If you're using link:https://plugins.jetbrains.com/plugin/14856-liberty-tools[IntelliJ IDEA], link:https://marketplace.visualstudio.com/items?itemName=Open-Liberty.liberty-dev-vscode-ext[Visual Studio Code], or link:https://marketplace.eclipse.org/content/liberty-tools[Eclipse IDE], you can also take advantage of our open source link:https://openliberty.io/docs/latest/develop-liberty-tools.html[Liberty developer tools] to enable effective development, testing, debugging, and application management all from within your IDE.
110110

111111
[link=https://stackoverflow.com/tags/open-liberty]
112112
image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="center"]
113113

114114
[#TAG_1]
115115
=== File Transfer changes for 26.0.0.4
116-
Liberty's FileService MBean provided by the `restConnector-2.0` feature now includes an extra attribute `blocklist`. This attribute can be configured by the `server.xml` config element `<blockDir>`. The default value of this attribute is `${server.output.dir}/resources/security`. This behavior change resolves link:https://github.com/advisories/GHSA-c39w-6qgm-5cp7[CVE-2025-14915], by restricting default FileTransfer access to `${server.output.dir}/resources/security`.
116+
Liberty's FileService MBean provided by the `restConnector-2.0` feature now includes an extra `blocklist` attribute. This attribute is configured by the `<blockDir>` config element in the `server.xml` file. The default value of this attribute is `${server.output.dir}/resources/security`. This behavior change resolves the security vulnerability link:https://github.com/advisories/GHSA-c39w-6qgm-5cp7[CVE-2025-14915], by restricting default FileTransfer access to `${server.output.dir}/resources/security`.
117117

118118
If FileTransfer access to `${server.output.dir}/resources/security` is required, the original behavior can be restored by setting an empty blocklist.
119119

120-
For more information, see
121-
link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__FileService[]
122-
link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__FileTransfer__title__1[]
123-
link:https://www.ibm.com/docs/en/was-liberty/nd?topic=manually-file-transfer[]
120+
For more information, see:
121+
122+
* link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__FileService[]
123+
* link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-list-provided-mbeans#rwlp_mbeans_list__FileTransfer[]
124+
* link:https://www.ibm.com/docs/en/was-liberty/nd?topic=manually-file-transfer[]
124125

125126
[#ltpa]
126127
== Default LTPA keys password removal
127128

128-
The default LTPA keys password is removed to resolve the link:https://www.ibm.com/support/pages/node/7266845[CVE-2025-14917].
129+
The default LTPA keys password is removed to resolve the security vulnerability link:https://www.ibm.com/support/pages/node/7266845[CVE-2025-14917].
129130

130131
Previously, a default password for the LTPA keys was used when the `keysPassword` attribute was not defined in the `<ltpa />` element. With this change, the default password is no longer supported.
131132

132-
If LTPA keys password is not configured in `server.xml`, the `keystore_password` in `server.env` is used to reencrypt the LTPA keys in the `ltpa.keys` file. The LTPA keys themselves are not impacted. The `keystore_password` is configured in the `server.env` file during server creation unless the `--no-password` option is used with the `server create` command.
133+
For existing servers, if the LTPA keys password is not configured in the `server.xml` file, the `keystore_password` in the `server.env` file is used. This value re-encrypts the LTPA keys in the `ltpa.keys` file. The LTPA keys themselves are not impacted. The `keystore_password` is configured in the `server.env` file during server creation unless the `--no-password` option is used with the `server create` command.
133134

134-
If a keysPassword is not defined in the `<ltpa />`` element in the `server.xml` file and a `keystore_password` is not defined in the `server.env` file, the LTPA service fails.
135+
If a `keysPassword` is not defined in the `<ltpa />` element in the `server.xml` file and a `keystore_password` is not defined in the `server.env` file, the LTPA service fails.
135136
The following error message is displayed:
136137

137138
[source,text]
138139
----
139140
CWWKS4118E: LTPA configuration error. A keysPassword attribute is not configured on the <ltpa /> element, the 'ltpa_keys_password' environment variable is not set, and the 'keystore_password' environment variable is not set.
140141
----
141142

142-
For existing servers, confirm that an LTPA keys password is set up by doing the following steps:
143+
Confirm that an LTPA keys password is set up by doing the following steps:
143144

144145
. Check to see whether a `keysPassword` attribute is provided for the `<ltpa />` element in the `server.xml` file (for example, `<ltpa keysPassword="myKeysPassword" />`).
145146
* If it is provided, this update does not affect you and no further action is needed.
146147
* If it is not provided, do *not* add it and proceed to the next step.
147148
. Check to see whether the `keystore_password` environment variable exists in the `server.env` file (for example, `keystore_password=myKeystorePassword`).
148-
* If it exists, then `keystore_password` is used to reencrypt the LTPA keys that were previously encrypted with the default `keysPassword` when the server starts.
149+
* If it exists, then the `keystore_password` is used to reencrypt the LTPA keys that were previously encrypted with the default `keysPassword` when the server starts.
149150
* If it does not exist, proceed to the next step.
150-
. Add the following environment variable to the `server.env` file:
151+
. Add the following environment variable to the `server.env` file (ensure you use the `keystore_password` here and *not* the `ltpa_keys_password` described in the next section for new servers):
151152
+
152153
[source,properties]
153154
----
154-
keystore_password=(your-desired-password)
155+
keystore_password=your-desired-password
155156
----
156157
+
157158
* The `keystore_password` is used to reencrypt the LTPA keys that were previously encrypted with the default `keysPassword` when the server starts.
158159

159-
For new servers, a new `ltpa_keys_password` is randomly generated during server creation. It is stored in the `server.env` file unless the `--no-password` option is specified with the `server create` command. The randomly generated `ltpa_keys_password` is used if the `keysPassword` attribute is not defined for the `<ltpa />` element. Do *not* use the `ltpa_keys_password` in place of the `keystore_password` in step 3 of the previous section for existing servers.
160+
For new servers, a new `ltpa_keys_password` is randomly generated during server creation. It is stored in the `server.env` file unless the `--no-password` option is specified with the `server create` command. The randomly generated `ltpa_keys_password` is used if the `keysPassword` attribute is not defined for the `<ltpa />` element.
160161

161162
For more information, see the link:https://openliberty.io/docs/latest/reference/config/ltpa.html[LTPA] configuration element.
162163

163164

164165
[#jwt]
165166
== Support selecting JWT signature and decryption algorithms from JOSE header
166167

167-
JSON Web Tokens (JWTs) can be signed by using various cryptographic signature algorithms. With this release, the JWT Consumer, MicroProfile JWT, OpenID Connect Client, and Social Media Login features support selecting the JWT signature algorithm from the JOSE header. This support allows different signature algorithms to be used based on the token.
168+
JSON Web Tokens (JWTs) can be signed by using various cryptographic signature algorithms. With this release, the JWT Consumer, MicroProfile JWT, OpenID Connect Client, and Social Media Login features support selecting the JWT signature algorithm from the JOSE header. This support allows different signature algorithms to be used based on the token header.
168169

169-
Earlier, developers and administrators were restricted to configuring a single signature algorithm (for example, `RS256`) in the `server.xml` file. If the incoming JWT was signed with a different algorithm, validation would fail. This update allows the signature algorithm from the JWT header to be used for validation. It provides the flexibility of using different signature algorithms within a single configuration.
170+
Previously, only one single signature algorithm (for example, `RS256`) was able to be configured for each configuration in the `server.xml` file. If the incoming JWT was signed with a different algorithm, validation would fail. This update allows the signature algorithm from the JWT header to be used for validation. It provides the flexibility of using different signature algorithms within a single configuration.
170171

171172
=== How to use
172173

173174
To enable signature algorithm selection from the header, set the `signatureAlgorithm` attribute to `FROM_HEADER` and optionally configure the `allowedSignatureAlgorithms` attribute to specify which algorithms are permitted.
174175

175-
If `allowedSignatureAlgorithms` is not configured, the default list contains all Open Liberty-supported signature algorithms: `RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384, ES512`.
176+
If `allowedSignatureAlgorithms` is not configured, the default list contains all Open Liberty-supported signature algorithms: `RS256, RS384, RS512, HS256, HS384, HS512, ES256, ES384`, and `ES512`.
176177

177-
When using `FROM_HEADER` with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed key is found, the client falls back to using the key specified by the trustedAlias attribute (for `jwtConsumer`) or trustAliasName attribute (for `openidConnectClient`, `oidcLogin` and `mpjwt`), if configured.
178+
When using `FROM_HEADER` with asymmetric algorithms and a trust store setup, the public keys must be prefixed with their corresponding algorithm (e.g., `RS256_keyalias`) for automatic selection. During validation, the server searches the trust store for an alias that begins with the algorithm specified in the JWT's header. If no algorithm-prefixed alias is found, the client falls back to using the alias specified by the `trustedAlias` attribute (for `jwtConsumer`) or `trustAliasName` attribute (for `openidConnectClient`, `oidcLogin` and `mpJwt`), if configured.
178179

179-
See the following `server.xml` file example:
180+
See the following `server.xml` file configurations for examples on how to apply these settings to the supported elements:
180181

181182
[source,xml]
182183
----
183184
<jwtConsumer
184185
signatureAlgorithm="FROM_HEADER"
185-
allowedSignatureAlgorithms="RS256, ES384, HS512" ... />
186-
187-
...
186+
allowedSignatureAlgorithms="RS256, ES384, HS512"
187+
...
188+
/>
188189
189190
<mpJwt
190191
signatureAlgorithm="FROM_HEADER"
191-
allowedSignatureAlgorithms="RS256, ES384, HS512" ... />
192-
193-
...
192+
allowedSignatureAlgorithms="RS256, ES384, HS512"
193+
...
194+
/>
194195
195196
<openidConnectClient
196197
signatureAlgorithm="FROM_HEADER"
197-
allowedSignatureAlgorithms="RS256, ES384, HS512" ... />
198-
199-
...
198+
allowedSignatureAlgorithms="RS256, ES384, HS512"
199+
...
200+
/>
200201
201202
<oidcLogin
202203
signatureAlgorithm="FROM_HEADER"
203-
allowedSignatureAlgorithms="RS256, ES384, HS512" ... />
204+
allowedSignatureAlgorithms="RS256, ES384, HS512"
205+
...
206+
/>
204207
----
205208

206209
=== Learn more
@@ -264,7 +267,7 @@ For more information on Java 26, see the Java 26 link:https://jdk.java.net/26/re
264267
== displayCustomizedExceptionText property
265268
This release adds documentation and tests for the `displayCustomizedExceptionText` configuration, which allows users to override Liberty’s default error messages (such as SRVE0218E: Forbidden and SRVE0232E: An exception occurred) with clearer, user-defined messages.
266269

267-
The feature is enabled through simple `server.xml` file configuration, where custom messages can be mapped to specific HTTP status codes (403 and 500).
270+
The feature is enabled through simple `server.xml` file configuration, where custom messages can be mapped to specific HTTP status codes (`403` and `500`).
268271

269272
Testing ensures that these custom messages correctly replace Liberty’s defaults across all supported platforms, confirming that the configured text is returned consistently in all scenarios.
270273

@@ -275,8 +278,6 @@ Testing ensures that these custom messages correctly replace Liberty’s default
275278

276279
// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>
277280

278-
For more details, check the LINK[LINK_DESCRIPTION].
279-
280281
// // // // // // // //
281282
// In the preceding section:
282283
// Replace TAG_X/SUB_TAG_X with the given tag of your secton from the contents list

0 commit comments

Comments
 (0)