Merge pull request #7653 from OpenLiberty/staging
Publish 24.0.0.11 updates
ramkumar-k-9286 authored Oct 25, 2024
2 parents ce955ac + 7e0f697 commit 05007e1
Showing 8 changed files with 77 additions and 20 deletions.
10 changes: 5 additions & 5 deletions modules/ROOT/pages/audit-log-events-list-cadf.adoc
Expand Up @@ -18,8 +18,8 @@ Open Liberty can generate audit events in either CADF or xref:ROOT:json-log-even

* <<SECURITY_AUDIT_MGMT, Management of the audit service (SECURITY_AUDIT_MGMT)>>
* <<SECURITY_MEMBER_MGMT, SCIM operations/member management (SECURITY_MEMBER_MGMT)>>
* <<SECURITY_API_AUTHN, Servlet 3.0 APIs: login/authenticate (SECURITY_API_AUTHN)>>
* <<SECURITY_API_AUTHN_TERMINATE, Servlet 3.0 APIs: logout (SECURITY_API_AUTHN_TERMINATE)>>
* <<SECURITY_API_AUTHN, Servlet APIs: login/authenticate (SECURITY_API_AUTHN)>>
* <<SECURITY_API_AUTHN_TERMINATE, Servlet APIs: logout (SECURITY_API_AUTHN_TERMINATE)>>
* <<SECURITY_AUTHN_TERMINATE, Form Logout (SECURITY_AUTHN_TERMINATE)>>
* <<SECURITY_AUTHN, Basic Authentication (SECURITY_AUTHN)>>
* <<SECURITY_AUTHN, Client certificate authentication (SECURITY_AUTHN)>>
Expand Down Expand Up @@ -232,7 +232,7 @@ The following example shows a SECURITY_MEMBER_MGMT user lookup action:

== SECURITY_API_AUTHN

You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field.
You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field.

.SECURITY_API_AUTHN event fields
[cols=",",options="header",]
Expand Down Expand Up @@ -309,7 +309,7 @@ The following example shows a SECURITY_API_AUTHN event that results in a redirec

== SECURITY_API_AUTHN_TERMINATE

You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field.
You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field.

.SECURITY_API_AUTHN_TERMINATE event fields
[cols=",",options="header",]
Expand Down Expand Up @@ -462,7 +462,7 @@ The following example shows a successful SECURITY_AUTHN event:

== SECURITY_AUTHN_DELEGATION

You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field.
You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet `runAs` delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field.

.SECURITY_AUTHN_DELEGATION event fields
[cols=",",options="header",]
15 changes: 12 additions & 3 deletions modules/ROOT/pages/enable-fips.adoc
Expand Up @@ -12,9 +12,9 @@

The Federal Information Processing Standard (FIPS) 140-2 is a US government security standard for cryptographic modules. Although FIPS compliance is determined by your underlying Java virtual machine (JVM), you can enable Open Liberty to run on a FIPS-compliant JVM.

FIPS enablement is important for many users, particularly if you work for or with US government agencies. Running your Open Liberty servers on a FIPS-compliant JVM ensures that only FIPS certified cryptography is used when an application uses Java security libraries or APIs. FIPS-compliant JVM options for Open Liberty are included in both link:https://www.ibm.com/docs/en/sdk-java-technology/8[IBM SDK, Java Technology Edition] and link:https://developer.ibm.com/articles/explore-options-for-downloading-ibm-semeru-runtimes[IBM Semeru Runtimes].
FIPS enablement is important for many users, particularly if you work for or with US government agencies. Running your Open Liberty servers on a FIPS-compliant JVM helps ensure that only FIPS-certified cryptography is used when an application uses Java security libraries or APIs. FIPS-compliant JVM options for Open Liberty are link:https://www.ibm.com/docs/en/sdk-java-technology/8[IBM SDK, Java Technology Edition] or link:https://developer.ibm.com/articles/explore-options-for-downloading-ibm-semeru-runtimes[IBM Semeru Runtimes].

For more information about enabling FIPS for Liberty with the IBM SDK, Java Technology Edition, see link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-setting-up-fips-compliance[Setting up Liberty for FIPS compliance] in the WebSphere Liberty documentation. The configuration is the same for both WebSphere Liberty and Open Liberty.
For more information about enabling FIPS for Liberty with the IBM SDK, Java Technology Edition, see link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-setting-up-fips-compliance[Setting up Liberty for FIPS compliance] in the WebSphere Liberty documentation. The configuration is the same for both WebSphere Liberty and Open Liberty. This option is available only for Java SE 8. For Java SE 11 or later, use IBM Semeru Runtimes.

== Enable FIPS for Open Liberty on IBM Semeru Runtimes

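Review bot: the antecedent of "This option" in the last added sentence is unclear, because the sentence before it is about the WebSphere Liberty documentation rather than about a JVM. Name the option: "The IBM SDK, Java Technology Edition option is available only for Java SE 8. For Java SE 11 or later, use IBM Semeru Runtimes." Consider also stating that constraint in the sentence that lists the two FIPS-compliant JVM options, so a reader who stops after the first paragraph does not pick the wrong JVM for their Java level.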
Expand All @@ -24,7 +24,16 @@ In FIPS mode, Semeru Runtimes does not support file-based keystores like JKS and
Complete the following steps to configure your Open Liberty server to run on Semeru Runtimes in FIPS mode and to add your keys and certificates to the NSS database.

1. Confirm that your RHEL operating system is installed in FIPS mode. +
If your RHEL operating system was not installed in FIPS mode, you must switch it to FIPS mode. For more information about how to enable or check the FIPS status for your RHEL operating system, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening?_ga=2.199036333.328645028.1662471426-119974336.1661806438#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies[Switching the system to FIPS mode] in the RHEL documentation.
+
Run the following command:
+
----
fips-mode-setup --check
----
+
If FIPS mode is enabled, the command output is `FIPS mode is enabled.`
+
If your RHEL operating system was not installed in FIPS mode, you must switch it to FIPS mode. For more information about how to enable or check the FIPS status for your RHEL operating system, see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#federal-information-processing-standards-140-and-fips-mode_switching-rhel-to-fips-mode[Switching RHEL to FIPS mode] in the RHEL documentation.

2. Specify system properties to enable FIPS mode for the JVM and, optionally, to enable debug tracing. +
The `-Dsemeru.fips=true` property specifies that the JVM uses only FIPS certified cryptography, and ensures that the TLS and SSL protocols use only FIPS certified algorithms. The optional `-Djava.security.debug=semerufips` property enables debug tracing. Add these properties to the `jvm.options` file in your Open Liberty server configuration directory, one property per line, as shown in the following example. +
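Review bot: hyphenation is inconsistent within this change: the unchanged step-2 line describing `-Dsemeru.fips=true` says "FIPS certified cryptography" and "FIPS certified algorithms", while the new text in the first hunk of this file uses "FIPS-certified". Pick one form (the hyphenated compound adjective is the conventional one) and apply it to step 2 as well. Two smaller points on the new step 1: the check quotes the "FIPS mode is enabled." output but does not say what to do with the other outcome; a sentence such as "If the output reports that FIPS mode is disabled, switch the system to FIPS mode as described in the linked RHEL topic before continuing" turns the check into a decision. And the replacement RHEL link correctly drops the `_ga` tracking parameters that the old URL carried.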
8 changes: 8 additions & 0 deletions modules/ROOT/pages/instanton.adoc
Expand Up @@ -385,6 +385,8 @@ You can individually enable the Open Liberty public features that are enabled by
In addition to the features that are enabled in the MicroProfile and Jakarta convenience features, InstantOn also supports the following features:


- feature:appAuthorization-2.0[]
- feature:appAuthorization-2.1[]
- feature:appSecurity-1.0[]
- feature:audit-1.0[]
- feature:bells-1.0[]
Expand All @@ -406,6 +408,9 @@ In addition to the features that are enabled in the MicroProfile and Jakarta con
- feature:mdb-3.2[]
- feature:mdb-4.0[]
- feature:messaging-3.0[]
- feature:messagingClient-3.0[]
- feature:messagingSecurity-3.0[]
- feature:messagingServer-3.0[]
- feature:monitor-1.0[]
- feature:openidConnectClient-1.0[]
- feature:passwordUtilities-1.0[]
Expand All @@ -415,6 +420,9 @@ In addition to the features that are enabled in the MicroProfile and Jakarta con
- feature:sessionDatabase-1.0[]
- feature:socialLogin-1.0[]
- feature:springBoot-3.0[]
- feature:wasJmsClient-2.0[]
- feature:wasJmsSecurity-1.0[]
- feature:wasJmsServer-1.0[]
- feature:webCache-1.0[]
- feature:xmlWS-3.0[]
- feature:xmlWS-4.0[]
2 changes: 1 addition & 1 deletion modules/ROOT/pages/java-se.adoc
Expand Up @@ -52,7 +52,7 @@ The following table lists the Java SE versions that Open Liberty supports and pr

|11
|Yes
|26.0.0.10
|27.0.0.10
|https://developer.ibm.com/languages/java/semeru-runtimes/downloads/?version=11[IBM Semeru 11]
|https://adoptium.net/?variant=openjdk11&jvmVariant=hotspot[Eclipse Temurin 11]
|https://docs.oracle.com/en/java/javase/11/migrate/index.html#JSMIG-GUID-C25E2B1D-6C24-4403-8540-CFEA875B994A[Java SE 11 migration guide]
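Review bot: the Java SE 11 row changes 26.0.0.10 to 27.0.0.10 with no explanation anywhere in this change, and the commit message ("Publish 24.0.0.11 updates") does not mention it. A change to a support-horizon figure is a policy statement, not a typo fix; cite the announcement or release note that authorizes it, in the commit message or in the page text, so readers and later editors can verify the number.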
10 changes: 5 additions & 5 deletions modules/ROOT/pages/json-log-events-list.adoc
Expand Up @@ -237,8 +237,8 @@ Open Liberty can generate audit events in either JSON or xref:ROOT:audit-log-eve

* <<SECURITY_AUDIT_MGMT, Management of the audit service (SECURITY_AUDIT_MGMT)>>
* <<SECURITY_MEMBER_MGMT, SCIM operations/member management (SECURITY_MEMBER_MGMT)>>
* <<SECURITY_API_AUTHN, Servlet 3.0 APIs: login/authenticate (SECURITY_API_AUTHN)>>
* <<SECURITY_API_AUTHN_TERMINATE, Servlet 3.0 APIs: logout (SECURITY_API_AUTHN_TERMINATE)>>
* <<SECURITY_API_AUTHN, Servlet APIs: login/authenticate (SECURITY_API_AUTHN)>>
* <<SECURITY_API_AUTHN_TERMINATE, Servlet APIs: logout (SECURITY_API_AUTHN_TERMINATE)>>
* <<SECURITY_AUTHN_TERMINATE, Form Logout (SECURITY_AUTHN_TERMINATE)>>
* <<SECURITY_AUTHN, Basic Authentication (SECURITY_AUTHN)>>
* <<SECURITY_AUTHN, Client certificate authentication (SECURITY_AUTHN)>>
Expand Down Expand Up @@ -458,7 +458,7 @@ The following example shows a SECURITY_MEMBER_MGMT user lookup action:

=== SECURITY_API_AUTHN

You can use the SECURITY_API_AUTHN event for servlet 3.0 and later APIs to capture audit information when a user logs in and authenticates. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field:
You can use the SECURITY_API_AUTHN event for servlet APIs to capture audit information when a user logs in and authenticates. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field:

.SECURITY_API_AUTHN event fields
[cols=",",options="header",]
Expand Down Expand Up @@ -535,7 +535,7 @@ The following example shows a SECURITY_API_AUTHN event that results in a redirec

=== SECURITY_API_AUTHN_TERMINATE

You can use the SECURITY_API_AUTHN_TERMINATE event for servlet 3.0 and later APIs to capture the audit information when a user logs out. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field:
You can use the SECURITY_API_AUTHN_TERMINATE event for servlet APIs to capture the audit information when a user logs out. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field:

.SECURITY_API_AUTHN_TERMINATE event fields
[cols=",",options="header",]
Expand Down Expand Up @@ -690,7 +690,7 @@ The following example shows a successful SECURITY_AUTHN event:

=== SECURITY_AUTHN_DELEGATION

You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field:
You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet `runAs` delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field:

.SECURITY_AUTHN_DELEGATION event fields
[cols=",",options="header",]
7 changes: 7 additions & 0 deletions modules/ROOT/pages/security-vulnerabilities.adoc
Expand Up @@ -28,6 +28,13 @@ The `CWWKF0012I` message uses the word "installed", but it lists features that a
|===
|CVE |CVSS score by X-Force® |Vulnerability assessment |Versions affected |Version fixed |Notes

|https://www.cve.org/CVERecord?id=CVE-2024-7254[CVE-2024-7254]
|7.5
|Denial of service
|20.0.0.12 - 24.0.0.10
|24.0.0.11
|Affects the feature:grpc-1.0[] and feature:grpcClient-1.0[] features

|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50314[CVE-2023-50314]
|5.3
|Information disclosure
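Review bot: the new CVE-2024-7254 row links to https://www.cve.org/CVERecord?id=..., while the existing CVE-2023-50314 row just below it links to http://cve.mitre.org/cgi-bin/cvename.cgi?name=... over plain HTTP. Use one link style across the table, preferably the HTTPS cve.org form introduced here, and update the older rows in the same pass; a vulnerabilities page should not send readers over unencrypted links. The Notes cell naming the affected features (feature:grpc-1.0[] and feature:grpcClient-1.0[]) is exactly what a reader needs to decide whether they are exposed; keep that pattern for future rows.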
12 changes: 8 additions & 4 deletions modules/ROOT/pages/server-configuration-hardening.adoc
Expand Up @@ -28,10 +28,14 @@ Set the `WLP_OUTPUT_DIR` environment variable to point to the server logs with t
* Ensure that any sensitive information in the `server.xml` file is AES-encrypted.
* Disable all non-TLS ports by setting ports to the value of `-1` in the `httpPort` argument of the `httpEndpoint` stanza.
* Use xref:reference:feature/transportSecurity-1.0.adoc[Transport Layer Security (TLS)] instead of SSL.
* Add the `webAppSecurity ssoRequiresSSL="true"` statement to the `server.xml` file.
* Add the `webAppSecurity httpOnlyCookies="true"` statement to the `server.xml` file.
* Add the `httpOptions removeServerHeader="true"` statement to the `server.xml` file.
* Add the `webContainer disableXPoweredBy="true"` statement to the `server.xml` file.
* Add the following declarations to your `server.xml` file:
+
[source,xml]
----
<webAppSecurity ssoRequiresSSL="true" httpOnlyCookies="true" />
<httpOptions removeServerHeader="true" />
<webContainer disableXPoweredBy="true" />
----
[#ol-images]
== Open Liberty container images
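Review bot: the listing block's closing `----` is immediately followed by the `[#ol-images]` anchor with no blank line between them, which is fragile in AsciiDoc and inconsistent with the spacing used elsewhere on this page; add a blank line after the closing `----`. On wording: the old bullets said to "add" each statement and the new lead-in keeps that. Since `webAppSecurity`, `httpOptions` and `webContainer` are configuration elements that a `server.xml` may already declare, say "add or update" so the reader merges the attributes into an existing declaration rather than pasting a second one. Please also confirm that a top-level `<httpOptions>` with no `id` is applied to the default HTTP endpoint; if it has to be referenced from `httpEndpoint`, the snippet should show that.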
33 changes: 31 additions & 2 deletions modules/reference/pages/command/securityUtility-encode.adoc
Expand Up @@ -16,10 +16,15 @@

The `securityUtility encode` command supports plain text obfuscation for Open Liberty.

This command obfuscates text that you provide, such as a password, based on the type that is specified.
This command obfuscates text that you provide, such as a password, based on the encoding type that you specify.

If no text is provided, the command enters interactive mode.
Interactive mode prompts you to enter and confirm your text input, rather than provide text on the same line as the command.
Text with spaces must be put in quotation marks.

Enclose any text with spaces in quotation marks.
If your password includes special characters, you must escape each special character to help ensure that the password is properly encoded. For more information, see <<pw,Check passwords for special characters>>.


For more information about limits to password encryption, see xref:ROOT:password-encryption.adoc[Password encryption limitations].

== Usage examples
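Review bot: the added sentence "If your password includes special characters, you must escape each special character to help ensure that the password is properly encoded." is repeated verbatim as the first sentence of the new "Check passwords for special characters" section later in this change; keep only the cross-reference here and let the section carry the explanation. The change also leaves two consecutive blank lines before the password-encryption-limitations sentence; one is enough. Minor wording: "must ... to help ensure" mixes an obligation with a hedge; "must escape each special character so that the password is encoded correctly" is cleaner.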
Expand Down Expand Up @@ -111,3 +116,27 @@ The following exit codes are available for the `securityUtility encode` command:
|5
|This code indicates that the file already exists.
|===


[#pw]
== Check passwords for special characters

If your password includes special characters, you must escape each special character to help ensure that the password is properly encoded.
Special characters and escape characters might vary according to your operating system.
For example, on Unix systems, `pa$$W0rd` must be provided as `pa\$\$W0rd`.

To check whether your password includes any characters that your operating system considers to be special characters, you can run the `echo` command.

On the command line, type `echo` followed by the password and review the output to determine whether it differs from your specified password. If any characters are changed, you must escape the characters. The following example is for Ubuntu.

----
$ echo pa$$W0rd
pa683W0rd
// The dollar sign ($) special characters aren't encoded properly.
$ echo pa\$\$W0rd
pa$$W0rd
// Escape each special character individually to return the correct password to encode.
$ securityUtility encode pa\$\$W0rd
----
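Review bot: the comment on the example output is wrong in a way that will mislead readers: `pa683W0rd` is not the dollar signs being "encoded" badly, it is the shell expanding `$$` to its own process ID before `echo` (or `securityUtility`) ever sees the argument, so the line "The dollar sign ($) special characters aren't encoded properly" should say that the shell substituted the characters. That also means the behaviour belongs to the shell, not the operating system: say "in POSIX shells such as bash" rather than "on Unix systems", and label the example as bash rather than Ubuntu. Single quotes avoid per-character escaping entirely (`securityUtility encode 'pa$$W0rd'`) and are the form most readers should use; show them before the backslash form. The `//` comment lines inside the shell transcript are not valid shell syntax; use `#` or move the commentary into prose. Finally, both the `echo` test and passing the password as a command-line argument record it in shell history and expose it in process listings; the page already describes interactive mode, which prompts for the text instead, so this section should recommend interactive mode first and present command-line escaping as the fallback.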
