From 4f02e6faa3ab13b64f18bf3a9161605eb5e1fd55 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Wed, 9 Oct 2024 16:13:45 -0400 Subject: [PATCH 01/17] add explanation #7623 --- .../pages/command/securityUtility-encode.adoc | 31 ++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/modules/reference/pages/command/securityUtility-encode.adoc b/modules/reference/pages/command/securityUtility-encode.adoc index dccd78c4ea..4db200d37f 100644 --- a/modules/reference/pages/command/securityUtility-encode.adoc +++ b/modules/reference/pages/command/securityUtility-encode.adoc @@ -19,7 +19,12 @@ The `securityUtility encode` command supports plain text obfuscation for Open Li This command obfuscates text that you provide, such as a password, based on the type that is specified. If no text is provided, the command enters interactive mode. Interactive mode prompts you to enter and confirm your text input, rather than provide text on the same line as the command. -Text with spaces must be put in quotation marks. +Enclose any text with spaces in quotation marks. +If your password includes special characters, you must escape each special character to help ensure that the password is properly encoded. For more information, see <> +Special characters and escape characters might vary according to your operating system. +For example, on Unix systems, `pa$$W0rd` must be provided as `pa\$\$W0rd`. + + For more information about limits to password encryption, see xref:ROOT:password-encryption.adoc[Password encryption limitations]. == Usage examples 
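Review bot: the added cross-reference sentence `For more information, see <>` has no terminating period, and the three lines after it (`Special characters and escape characters might vary according to your operating system.` and the `pa$$W0rd` / `pa\$\$W0rd` example) repeat verbatim the text of the new `[#pw]` section that this same patch appends to the file; keep the one-line pointer here and the detail in the section. It is also worth stating that the escaping is needed because the shell interprets `$` before `securityUtility` ever sees the text, and that the interactive mode described two lines earlier (prompting for the password instead of passing it on the command line) avoids the problem entirely.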
@@ -111,3 +116,27 @@ The following exit codes are available for the `securityUtility encode` command: |5 |This code indicates that the file already exists. |=== + + +[#pw] +== Check passwords for special characters + +If your password includes special characters, you must escape each special character to help ensure that the password is properly encoded. +Special characters and escape characters might vary according to your operating system. +For example, on Unix systems, `pa$$W0rd` must be provided as `pa\$\$W0rd`. + +To check whether your password includes any characters that your operating system considers to be special characters, you can run the `echo` command. + +On the command line, type `echo` followed by the password and review the output to determine whether it differs from your specified password. If any characters are changed, you must escape the characters. The following example is for Ubuntu. + +---- +$ echo pa$$word +pa683word // OK until "pa" +$ echo pa\$$word // Added escape after "pa" +pa$ // OK until "pa$" +$ echo pa\$\$word // Added escape after "pa$" +pa$$word +// Escaping each special character individually provides the correct password to encode + +$ securityUtility encode pa\$\$word +---- From b03348f9d10da5427c3ef0cd54e7c71cb90aea45 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Thu, 10 Oct 2024 15:54:26 -0400 Subject: [PATCH 02/17] edits #7623 --- .../reference/pages/command/securityUtility-encode.adoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/reference/pages/command/securityUtility-encode.adoc b/modules/reference/pages/command/securityUtility-encode.adoc index 4db200d37f..1a270e9561 100644 --- a/modules/reference/pages/command/securityUtility-encode.adoc +++ b/modules/reference/pages/command/securityUtility-encode.adoc 
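Review bot: in the `echo` listing of the new `[#pw]` section, the `// ...` annotations sit on the same lines as shell output (`pa683word // OK until "pa"`), so a reader cannot tell what the shell actually printed; move the explanations onto their own lines or into prose. The listing also never says why the output changes: the shell expands `$$` and then `$word` before `echo` runs, which is why `pa683word` carries a number that will differ on the reader's machine and why `pa\$$word` prints only `pa$`. Saying so makes the "escape each special character individually" conclusion follow from the transcript rather than from the comments.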
@@ -16,13 +16,13 @@ The `securityUtility encode` command supports plain text obfuscation for Open Liberty. -This command obfuscates text that you provide, such as a password, based on the type that is specified. +This command obfuscates text that you provide, such as a password, based on the encoding type that you specify. + If no text is provided, the command enters interactive mode. Interactive mode prompts you to enter and confirm your text input, rather than provide text on the same line as the command. + Enclose any text with spaces in quotation marks. -If your password includes special characters, you must escape each special character to help ensure that the password is properly encoded. For more information, see <> -Special characters and escape characters might vary according to your operating system. -For example, on Unix systems, `pa$$W0rd` must be provided as `pa\$\$W0rd`. +If your password includes special characters, you must escape each special character to help ensure that the password is properly encoded. For more information, see <>. For more information about limits to password encryption, see xref:ROOT:password-encryption.adoc[Password encryption limitations]. From 683bb2b36b9a9d347fa443997e73f12f484595cf Mon Sep 17 00:00:00 2001 From: David Mueller Date: Mon, 14 Oct 2024 15:04:22 -0400 Subject: [PATCH 03/17] clarify instructions and fix link #7599 --- modules/ROOT/pages/enable-fips.adoc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/modules/ROOT/pages/enable-fips.adoc b/modules/ROOT/pages/enable-fips.adoc index ddf1733ef7..428f1e8644 100644 --- a/modules/ROOT/pages/enable-fips.adoc +++ b/modules/ROOT/pages/enable-fips.adoc 
@@ -24,7 +24,16 @@ In FIPS mode, Semeru Runtimes does not support file-based keystores like JKS and Complete the following steps to configure your Open Liberty server to run on Semeru Runtimes in FIPS mode and to add your keys and certificates to the NSS database. 1. Confirm that your RHEL operating system is installed in FIPS mode. + -If your RHEL operating system was not installed in FIPS mode, you must switch it to FIPS mode. For more information about how to enable or check the FIPS status for your RHEL operating system, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening?_ga=2.199036333.328645028.1662471426-119974336.1661806438#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies[Switching the system to FIPS mode] in the RHEL documentation. ++ +Run the following command: ++ +---- +fips-mode-setup --check +---- ++ +If FIPS mode is enabled, the command output is `FIPS mode is enabled.` ++ +If your RHEL operating system was not installed in FIPS mode, you must switch it to FIPS mode. For more information about how to enable or check the FIPS status for your RHEL operating system, see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#federal-information-processing-standards-140-and-fips-mode_switching-rhel-to-fips-mode[Switching RHEL to FIPS mode] in the RHEL documentation. 2. Specify system properties to enable FIPS mode for the JVM and, optionally, to enable debug tracing. + The `-Dsemeru.fips=true` property specifies that the JVM uses only FIPS certified cryptography, and ensures that the TLS and SSL protocols use only FIPS certified algorithms. The optional `-Djava.security.debug=semerufips` property enables debug tracing. 
Add these properties to the `jvm.options` file in your Open Liberty server configuration directory, one property per line, as shown in the following example. + From 21f31a76c063d1125d458e733aadb3e748b85bec Mon Sep 17 00:00:00 2001 From: David Mueller Date: Mon, 14 Oct 2024 15:53:14 -0400 Subject: [PATCH 04/17] Update enable-fips.adoc --- modules/ROOT/pages/enable-fips.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/enable-fips.adoc b/modules/ROOT/pages/enable-fips.adoc index 428f1e8644..fff128d1b3 100644 --- a/modules/ROOT/pages/enable-fips.adoc +++ b/modules/ROOT/pages/enable-fips.adoc 
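Review bot: step 1 tells the reader what `fips-mode-setup --check` prints only in the enabled case (`FIPS mode is enabled.`); also say what the output looks like when FIPS mode is not enabled, so the reader knows which result sends them to the "you must switch it to FIPS mode" sentence that follows. Dropping the `_ga=...` tracking query string from the Red Hat link is a welcome side effect of the URL update.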
@@ -12,9 +12,9 @@ The Federal Information Processing Standard (FIPS) 140-2 is a US government security standard for cryptographic modules. Although FIPS compliance is determined by your underlying Java virtual machine (JVM), you can enable Open Liberty to run on a FIPS-compliant JVM. -FIPS enablement is important for many users, particularly if you work for or with US government agencies. Running your Open Liberty servers on a FIPS-compliant JVM ensures that only FIPS certified cryptography is used when an application uses Java security libraries or APIs. FIPS-compliant JVM options for Open Liberty are included in both link:https://www.ibm.com/docs/en/sdk-java-technology/8[IBM SDK, Java Technology Edition] and link:https://developer.ibm.com/articles/explore-options-for-downloading-ibm-semeru-runtimes[IBM Semeru Runtimes]. +FIPS enablement is important for many users, particularly if you work for or with US government agencies. Running your Open Liberty servers on a FIPS-compliant JVM ensures that only FIPS certified cryptography is used when an application uses Java security libraries or APIs. FIPS-compliant JVM options for Open Liberty are link:https://www.ibm.com/docs/en/sdk-java-technology/8[IBM SDK, Java Technology Edition] or link:https://developer.ibm.com/articles/explore-options-for-downloading-ibm-semeru-runtimes[IBM Semeru Runtimes] -For more information about enabling FIPS for Liberty with the IBM SDK, Java Technology Edition, see link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-setting-up-fips-compliance[Setting up Liberty for FIPS compliance] in the WebSphere Liberty documentation. The configuration is the same for both WebSphere Liberty and Open Liberty. +For more information about enabling FIPS for Liberty with the IBM SDK, Java Technology Edition, see link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-setting-up-fips-compliance[Setting up Liberty for FIPS compliance] in the WebSphere Liberty documentation. 
The configuration is the same for both WebSphere Liberty and Open Liberty. This option is available only for Java SE 8. For Java SE 11 or later, use IBM Semeru Runtimes. == Enable FIPS for Open Liberty on IBM Semeru Runtimes From f52ae52c18ad5d33107cb57df4b3ee13182a4960 Mon Sep 17 00:00:00 2001 From: Ramkumar K Date: Tue, 15 Oct 2024 12:46:44 +0530 Subject: [PATCH 05/17] 7629-Remove 3.0-Servlet 3.0 APIs-audit event description-1 7629-Remove 3.0-Servlet 3.0 APIs-audit event description-1 #7629 --- modules/ROOT/pages/audit-log-events-list-cadf.adoc | 4 ++-- modules/ROOT/pages/json-log-events-list.adoc | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/ROOT/pages/audit-log-events-list-cadf.adoc b/modules/ROOT/pages/audit-log-events-list-cadf.adoc index fc10c7e10a..fc23456f9a 100644 --- a/modules/ROOT/pages/audit-log-events-list-cadf.adoc +++ b/modules/ROOT/pages/audit-log-events-list-cadf.adoc @@ -18,7 +18,7 @@ Open Liberty can generate audit events in either CADF or xref:ROOT:json-log-even * <> * <> -* <> +* <> * <> * <> * <> @@ -232,7 +232,7 @@ The following example shows a SECURITY_MEMBER_MGMT user lookup action: == SECURITY_API_AUTHN -You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field. +You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field. .SECURITY_API_AUTHN event fields [cols=",",options="header",] diff --git a/modules/ROOT/pages/json-log-events-list.adoc b/modules/ROOT/pages/json-log-events-list.adoc index a75175e175..0a9a1f63f8 100644 --- a/modules/ROOT/pages/json-log-events-list.adoc +++ b/modules/ROOT/pages/json-log-events-list.adoc 
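Review bot: the rewritten paragraph drops the final period after `link:...[IBM Semeru Runtimes]`, so the sentence now ends with `]`; restore it. While editing this paragraph, "FIPS certified cryptography" should be hyphenated as "FIPS-certified" to match "FIPS-compliant" in the same sentence.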
@@ -237,7 +237,7 @@ Open Liberty can generate audit events in either JSON or xref:ROOT:audit-log-eve * <> * <> -* <> +* <> * <> * <> * <> @@ -458,7 +458,7 @@ The following example shows a SECURITY_MEMBER_MGMT user lookup action: === SECURITY_API_AUTHN -You can use the SECURITY_API_AUTHN event for servlet 3.0 and later APIs to capture audit information when a user logs in and authenticates. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field: +You can use the SECURITY_API_AUTHN event for servlet and later APIs to capture audit information when a user logs in and authenticates. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field: .SECURITY_API_AUTHN event fields [cols=",",options="header",] From cfd378c19d6d0e75ed8dd3b1001f4baf98e2ab3f Mon Sep 17 00:00:00 2001 From: Ramkumar K Date: Tue, 15 Oct 2024 13:04:52 +0530 Subject: [PATCH 06/17] 7627-security hardening config is not xml formatted-1 7627-security hardening config is not xml formatted-1 #7627 --- .../ROOT/pages/server-configuration-hardening.adoc | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/modules/ROOT/pages/server-configuration-hardening.adoc b/modules/ROOT/pages/server-configuration-hardening.adoc index 638ce29321..f6b35781de 100644 --- a/modules/ROOT/pages/server-configuration-hardening.adoc +++ b/modules/ROOT/pages/server-configuration-hardening.adoc 
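Review bot: removing "3.0" from "for servlet 3.0 and later APIs" leaves "for servlet and later APIs", which no longer parses; use "for servlet APIs", as the CADF page hunk in this same patch does, so the two pages describe SECURITY_API_AUTHN identically.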
@@ -28,10 +28,14 @@ Set the `WLP_OUTPUT_DIR` environment variable to point to the server logs with t * Ensure that any sensitive information in the `server.xml` file is AES-encrypted. * Disable all non-TLS ports by setting ports to the value of `-1` in the `httpPort` argument of the `httpEndpoint` stanza. * Use xref:reference:feature/transportSecurity-1.0.adoc[Transport Layer Security (TLS)] instead of SSL. -* Add the `webAppSecurity ssoRequiresSSL="true"` statement to the `server.xml` file. -* Add the `webAppSecurity httpOnlyCookies="true"` statement to the `server.xml` file. -* Add the `httpOptions removeServerHeader="true"` statement to the `server.xml` file. -* Add the `webContainer disableXPoweredBy="true"` statement to the `server.xml` file. + +Add the following declarations to your `server.xml` file: +[source,xml] +---- + + + +---- [#ol-images] == Open Liberty container images From 11a1906013a6c92f144df0764b2e07965fc3212a Mon Sep 17 00:00:00 2001 From: Ramkumar K Date: Wed, 16 Oct 2024 12:45:31 +0530 Subject: [PATCH 07/17] 7634-Update removal notice for Java SE 11 support-1 7634-Update removal notice for Java SE 11 support-1 #7634 --- modules/ROOT/pages/java-se.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/java-se.adoc b/modules/ROOT/pages/java-se.adoc index cacc1a6a7c..84c96de7bb 100644 --- a/modules/ROOT/pages/java-se.adoc +++ b/modules/ROOT/pages/java-se.adoc @@ -52,7 +52,7 @@ The following table lists the Java SE versions that Open Liberty supports and pr |11 |Yes -|26.0.0.10 +|27.0.0.10 |https://developer.ibm.com/languages/java/semeru-runtimes/downloads/?version=11[IBM Semeru 11] |https://adoptium.net/?variant=openjdk11&jvmVariant=hotspot[Eclipse Temurin 11] |https://docs.oracle.com/en/java/javase/11/migrate/index.html#JSMIG-GUID-C25E2B1D-6C24-4403-8540-CFEA875B994A[Java SE 11 migration guide] From 2e98a671bad55f55fa50118ec76c53018b49dda5 Mon Sep 17 00:00:00 2001 
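Review bot: the four removed bullets named four settings (`ssoRequiresSSL`, `httpOnlyCookies`, `removeServerHeader`, `disableXPoweredBy`), but the new `[source,xml]` listing contains three element lines between its `----` delimiters; confirm that all four attributes are present (the two `webAppSecurity` attributes can share one element, which would account for three lines, but that should be verified rather than assumed). The listing is also inserted as a bare paragraph after the bulleted list, so "Add the following declarations" falls out of the hardening checklist; make it a `*` item with a `+` continuation line before `[source,xml]`.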
From: Ramkumar K Date: Wed, 16 Oct 2024 21:40:23 +0530 Subject: [PATCH 08/17] 7627-security hardening config is not xml formatted-2 7627-security hardening config is not xml formatted-2 #7627 --- modules/ROOT/pages/server-configuration-hardening.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/server-configuration-hardening.adoc b/modules/ROOT/pages/server-configuration-hardening.adoc index f6b35781de..9c3b9c6d97 100644 --- a/modules/ROOT/pages/server-configuration-hardening.adoc +++ b/modules/ROOT/pages/server-configuration-hardening.adoc @@ -28,8 +28,8 @@ Set the `WLP_OUTPUT_DIR` environment variable to point to the server logs with t * Ensure that any sensitive information in the `server.xml` file is AES-encrypted. * Disable all non-TLS ports by setting ports to the value of `-1` in the `httpPort` argument of the `httpEndpoint` stanza. * Use xref:reference:feature/transportSecurity-1.0.adoc[Transport Layer Security (TLS)] instead of SSL. - -Add the following declarations to your `server.xml` file: +* Add the following declarations to your `server.xml` file: ++ [source,xml] ---- From 8196937395fb6fced2f28449245d45e52da288cc Mon Sep 17 00:00:00 2001 From: Ramkumar K Date: Thu, 17 Oct 2024 18:16:29 +0530 Subject: [PATCH 09/17] 7629-Remove 3.0-Servlet 3.0 APIs-audit event description-2 7629-Remove 3.0-Servlet 3.0 APIs-audit event description-2 #7629 --- modules/ROOT/pages/audit-log-events-list-cadf.adoc | 6 +++--- modules/ROOT/pages/json-log-events-list.adoc | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/ROOT/pages/audit-log-events-list-cadf.adoc b/modules/ROOT/pages/audit-log-events-list-cadf.adoc index fc23456f9a..30d2565b91 100644 --- a/modules/ROOT/pages/audit-log-events-list-cadf.adoc +++ b/modules/ROOT/pages/audit-log-events-list-cadf.adoc @@ -19,7 +19,7 @@ Open Liberty can generate audit events in either CADF or xref:ROOT:json-log-even * <> * <> * <> -* <> +* <> * <> * <> * <> 
@@ -309,7 +309,7 @@ The following example shows a SECURITY_API_AUTHN event that results in a redirec == SECURITY_API_AUTHN_TERMINATE -You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field. +You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field. .SECURITY_API_AUTHN_TERMINATE event fields [cols=",",options="header",] @@ -462,7 +462,7 @@ The following example shows a successful SECURITY_AUTHN event: == SECURITY_AUTHN_DELEGATION -You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field. +You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field. .SECURITY_AUTHN_DELEGATION event fields [cols=",",options="header",] diff --git a/modules/ROOT/pages/json-log-events-list.adoc b/modules/ROOT/pages/json-log-events-list.adoc index 0a9a1f63f8..e4d884561f 100644 --- a/modules/ROOT/pages/json-log-events-list.adoc +++ b/modules/ROOT/pages/json-log-events-list.adoc @@ -238,7 +238,7 @@ Open Liberty can generate audit events in either JSON or xref:ROOT:audit-log-eve * <> * <> * <> -* <> +* <> * <> * <> * <> 
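Review bot: in the `@@ -462` hunk, "Servlet runAs delegation" was changed to "Servlet runs delegation"; `runAs` is the servlet run-as identity mechanism, not the word "runs", so the original wording should stay (ideally in monospace as `runAs`). The same substitution is made in `json-log-events-list.adoc` later in this patch and needs the same fix.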
@@ -458,7 +458,7 @@ The following example shows a SECURITY_MEMBER_MGMT user lookup action: === SECURITY_API_AUTHN -You can use the SECURITY_API_AUTHN event for servlet and later APIs to capture audit information when a user logs in and authenticates. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field: +You can use the SECURITY_API_AUTHN event for servlet APIs to capture audit information when a user logs in and authenticates. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field: .SECURITY_API_AUTHN event fields [cols=",",options="header",] @@ -535,7 +535,7 @@ The following example shows a SECURITY_API_AUTHN event that results in a redirec === SECURITY_API_AUTHN_TERMINATE -You can use the SECURITY_API_AUTHN_TERMINATE event for servlet 3.0 and later APIs to capture the audit information when a user logs out. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field: +You can use the SECURITY_API_AUTHN_TERMINATE event for servlet APIs to capture the audit information when a user logs out. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field: .SECURITY_API_AUTHN_TERMINATE event fields [cols=",",options="header",] 
@@ -690,7 +690,7 @@ The following example shows a successful SECURITY_AUTHN event: === SECURITY_AUTHN_DELEGATION -You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field: +You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field: .SECURITY_AUTHN_DELEGATION event fields [cols=",",options="header",] From f98778cc2a6a31852e0ecfbd9e54abd7d0bf3788 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Fri, 18 Oct 2024 09:02:18 -0400 Subject: [PATCH 10/17] add new 240011 instantOn features #7636 --- modules/ROOT/pages/instanton.adoc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/ROOT/pages/instanton.adoc b/modules/ROOT/pages/instanton.adoc index 485f250db9..f8fcba01ac 100644 --- a/modules/ROOT/pages/instanton.adoc +++ b/modules/ROOT/pages/instanton.adoc @@ -385,6 +385,9 @@ You can individually enable the Open Liberty public features that are enabled by In addition to the features that are enabled in the MicroProfile and Jakarta convenience features, InstantOn also supports the following features: +- feature:appAuthorization-2.0[] +- feature:appAuthorization-2.1[] +- feature:appAuthorization-3.0[] - feature:appSecurity-1.0[] - feature:audit-1.0[] - feature:bells-1.0[] @@ -406,6 +409,9 @@ In addition to the features that are enabled in the MicroProfile and Jakarta con - feature:mdb-3.2[] - feature:mdb-4.0[] - feature:messaging-3.0[] +- feature:messagingClient-3.0[] +- feature:messagingSecurity-3.0[] +- feature:messagingServer-3.0[] - feature:monitor-1.0[] - feature:openidConnectClient-1.0[] - feature:passwordUtilities-1.0[] 
@@ -415,6 +421,9 @@ In addition to the features that are enabled in the MicroProfile and Jakarta con - feature:sessionDatabase-1.0[] - feature:socialLogin-1.0[] - feature:springBoot-3.0[] +- feature:wasJmsClient-2.0[] +- feature:wasJmsSecurity-1.0[] +- feature:wasJmsServer-1.0[] - feature:webCache-1.0[] - feature:xmlWS-3.0[] - feature:xmlWS-4.0[] From ba40e5146521483b74fff31eddc04dce5626125a Mon Sep 17 00:00:00 2001 From: David Mueller Date: Fri, 18 Oct 2024 11:22:10 -0400 Subject: [PATCH 11/17] Update instanton.adoc --- modules/ROOT/pages/instanton.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/ROOT/pages/instanton.adoc b/modules/ROOT/pages/instanton.adoc index f8fcba01ac..b3dddf2823 100644 --- a/modules/ROOT/pages/instanton.adoc +++ b/modules/ROOT/pages/instanton.adoc @@ -387,7 +387,6 @@ In addition to the features that are enabled in the MicroProfile and Jakarta con - feature:appAuthorization-2.0[] - feature:appAuthorization-2.1[] -- feature:appAuthorization-3.0[] - feature:appSecurity-1.0[] - feature:audit-1.0[] - feature:bells-1.0[] From d5765574e3fda3565bd3448e0fe4c9a7c73d256a Mon Sep 17 00:00:00 2001 From: David Mueller Date: Mon, 21 Oct 2024 13:35:32 -0400 Subject: [PATCH 12/17] edits #7623 --- .../pages/command/securityUtility-encode.adoc | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/reference/pages/command/securityUtility-encode.adoc b/modules/reference/pages/command/securityUtility-encode.adoc index 1a270e9561..0f0643ab28 100644 --- a/modules/reference/pages/command/securityUtility-encode.adoc +++ b/modules/reference/pages/command/securityUtility-encode.adoc 
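Review bot: this patch adds `feature:appAuthorization-3.0[]` to the InstantOn-supported feature list and the very next commit removes it again; before listing a feature as supported, check it against the 24.0.0.11 feature set the subject refers to, so the series does not add and then retract an entry that readers of the intermediate revision would have relied on.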
@@ -130,13 +130,13 @@ To check whether your password includes any characters that your operating syste On the command line, type `echo` followed by the password and review the output to determine whether it differs from your specified password. If any characters are changed, you must escape the characters. The following example is for Ubuntu. ---- -$ echo pa$$word -pa683word // OK until "pa" -$ echo pa\$$word // Added escape after "pa" -pa$ // OK until "pa$" -$ echo pa\$\$word // Added escape after "pa$" -pa$$word -// Escaping each special character individually provides the correct password to encode - -$ securityUtility encode pa\$\$word +$ echo pa$$W0rd +pa683Word +// The dollar sign ($) special characters aren't encoded properly. + +$ echo pa\$\$W0rd +pa$$W0rd +// Escape each special character individually to return the correct password to encode. + +$ securityUtility encode pa\$\$w0rd ---- From a594e6840190147caca742ffdda4b8adb76d97dd Mon Sep 17 00:00:00 2001 From: David Mueller Date: Mon, 21 Oct 2024 14:21:27 -0400 Subject: [PATCH 13/17] Update securityUtility-encode.adoc --- modules/reference/pages/command/securityUtility-encode.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/reference/pages/command/securityUtility-encode.adoc b/modules/reference/pages/command/securityUtility-encode.adoc index 0f0643ab28..951b7664fb 100644 --- a/modules/reference/pages/command/securityUtility-encode.adoc +++ b/modules/reference/pages/command/securityUtility-encode.adoc @@ -131,12 +131,12 @@ On the command line, type `echo` followed by the password and review the output ---- $ echo pa$$W0rd -pa683Word +pa683W0rd // The dollar sign ($) special characters aren't encoded properly. $ echo pa\$\$W0rd pa$$W0rd // Escape each special character individually to return the correct password to encode. -$ securityUtility encode pa\$\$w0rd +$ securityUtility encode pa\$\$W0rd ---- From c750ae983bdd6defcc69c5261dc37d1c83a7191e Mon Sep 17 00:00:00 2001 
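Review bot: in the rewritten listing the final command uses `pa\$\$w0rd` (lowercase `w`) while both `echo` lines use `pa\$\$W0rd`, so the example encodes a different password from the one it just verified (the follow-up commit corrects this to `W0rd`). The comment "The dollar sign ($) special characters aren't encoded properly." also misattributes the cause: `pa683W0rd` is the shell expanding `$$` before `echo` runs, not an encoding failure; "are expanded by the shell before the command runs" describes what the reader is seeing.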
From: David Mueller Date: Tue, 22 Oct 2024 10:50:47 -0400 Subject: [PATCH 14/17] Update enable-fips.adoc --- modules/ROOT/pages/enable-fips.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/enable-fips.adoc b/modules/ROOT/pages/enable-fips.adoc index fff128d1b3..2a21e59a07 100644 --- a/modules/ROOT/pages/enable-fips.adoc +++ b/modules/ROOT/pages/enable-fips.adoc 
@@ -12,7 +12,7 @@ The Federal Information Processing Standard (FIPS) 140-2 is a US government security standard for cryptographic modules. Although FIPS compliance is determined by your underlying Java virtual machine (JVM), you can enable Open Liberty to run on a FIPS-compliant JVM. -FIPS enablement is important for many users, particularly if you work for or with US government agencies. Running your Open Liberty servers on a FIPS-compliant JVM ensures that only FIPS certified cryptography is used when an application uses Java security libraries or APIs. FIPS-compliant JVM options for Open Liberty are link:https://www.ibm.com/docs/en/sdk-java-technology/8[IBM SDK, Java Technology Edition] or link:https://developer.ibm.com/articles/explore-options-for-downloading-ibm-semeru-runtimes[IBM Semeru Runtimes] +FIPS enablement is important for many users, particularly if you work for or with US government agencies. Running your Open Liberty servers on a FIPS-compliant JVM helps ensure that only FIPS-certified cryptography is used when an application uses Java security libraries or APIs. FIPS-compliant JVM options for Open Liberty are link:https://www.ibm.com/docs/en/sdk-java-technology/8[IBM SDK, Java Technology Edition] or link:https://developer.ibm.com/articles/explore-options-for-downloading-ibm-semeru-runtimes[IBM Semeru Runtimes]. For more information about enabling FIPS for Liberty with the IBM SDK, Java Technology Edition, see link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-setting-up-fips-compliance[Setting up Liberty for FIPS compliance] in the WebSphere Liberty documentation. The configuration is the same for both WebSphere Liberty and Open Liberty. This option is available only for Java SE 8. For Java SE 11 or later, use IBM Semeru Runtimes. From 45b28148bb76b353ecd7c657da5f11599bb3061b Mon Sep 17 00:00:00 2001 
From: Ramkumar <88021034+ramkumar-k-9286@users.noreply.github.com> Date: Wed, 23 Oct 2024 12:47:32 +0530 Subject: [PATCH 15/17] Update modules/ROOT/pages/audit-log-events-list-cadf.adoc Co-authored-by: David Mueller <48686014+dmuelle@users.noreply.github.com> --- modules/ROOT/pages/audit-log-events-list-cadf.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/audit-log-events-list-cadf.adoc b/modules/ROOT/pages/audit-log-events-list-cadf.adoc index 30d2565b91..b1fedc452f 100644 --- a/modules/ROOT/pages/audit-log-events-list-cadf.adoc +++ b/modules/ROOT/pages/audit-log-events-list-cadf.adoc @@ -462,7 +462,7 @@ The following example shows a successful SECURITY_AUTHN event: == SECURITY_AUTHN_DELEGATION -You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field. +You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet `runAs` delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field. .SECURITY_AUTHN_DELEGATION event fields [cols=",",options="header",] From 35369c3036f5c2bce3cb9bea1f3feda21464d0b2 Mon Sep 17 00:00:00 2001 From: Ramkumar <88021034+ramkumar-k-9286@users.noreply.github.com> Date: Wed, 23 Oct 2024 12:47:41 +0530 Subject: [PATCH 16/17] Update modules/ROOT/pages/json-log-events-list.adoc Co-authored-by: David Mueller <48686014+dmuelle@users.noreply.github.com> --- modules/ROOT/pages/json-log-events-list.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/json-log-events-list.adoc b/modules/ROOT/pages/json-log-events-list.adoc index e4d884561f..17d92bb635 100644 --- a/modules/ROOT/pages/json-log-events-list.adoc +++ b/modules/ROOT/pages/json-log-events-list.adoc 
@@ -690,7 +690,7 @@ The following example shows a successful SECURITY_AUTHN event: === SECURITY_AUTHN_DELEGATION -You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field: +You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet `runAs` delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field: .SECURITY_AUTHN_DELEGATION event fields [cols=",",options="header",] From ded56e3a0d7f4a20bf04f568fb0635738f5723e9 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Wed, 23 Oct 2024 15:24:58 -0400 Subject: [PATCH 17/17] Update security-vulnerabilities.adoc --- modules/ROOT/pages/security-vulnerabilities.adoc | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/ROOT/pages/security-vulnerabilities.adoc b/modules/ROOT/pages/security-vulnerabilities.adoc index 9dd0d291a1..512e9f656d 100644 --- a/modules/ROOT/pages/security-vulnerabilities.adoc +++ b/modules/ROOT/pages/security-vulnerabilities.adoc @@ -28,6 +28,13 @@ The `CWWKF0012I` message uses the word "installed", but it lists features that a |=== |CVE |CVSS score by X-ForceĀ® |Vulnerability assessment |Versions affected |Version fixed |Notes +|https://www.cve.org/CVERecord?id=CVE-2024-7254[CVE-2024-7254] +|7.5 +|Denial of service +|20.0.0.12 - 24.0.0.10 +|24.0.0.11 +|Affects the feature:grpc-1.0[] and feature:grpcClient-1.0[] features + |http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50314[CVE-2023-50314] |5.3 |Information disclosure
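Review bot: the new CVE-2024-7254 row links to `https://www.cve.org/CVERecord?id=...` while the existing row immediately below it links to `http://cve.mitre.org/cgi-bin/cvename.cgi?name=...` over plain HTTP; pick one record URL style for the whole table, and prefer the HTTPS link for every row so that the vulnerability list itself is not served over an unauthenticated reference.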