Merge pull request #7393 from OpenLiberty/staging

Staging to vNext 24.0.0.6 issues

modules/ROOT/pages/distributed-session-caching.adoc

@@ -25,7 +25,7 @@ HTTP session cache data is distributed across multiple servers that act as a clu
 The feature:sessionCache[display=JCache Session Persistence feature] builds on an existing technology called link:https://hazelcast.com/glossary/jcache-java-cache/[JCache] that offers a standardized distributed in-memory caching API.
 Though the feature builds on JCache, your application doesn't need to use the JCache API.
 Open Liberty handles the session caching in the web container layer.
-For more information about how Open Liberty handles HTTP session data, see the link:https://openliberty.io/docs/21.0.0.5/reference/javadoc/liberty-javaee8-javadoc.html#javax/servlet/http/HttpSession.html[HttpSession interface].
+For more information about how Open Liberty handles HTTP session data, see the link:/docs/latest/reference/javadoc/liberty-jakartaee10-javadoc.html?package=jakarta/servlet/package-frame.html&class=jakarta/servlet/http/HttpSession.html[HttpSession interface].
 
 == Session caching in your application
 

modules/ROOT/pages/instanton-limitations.adoc

@@ -15,7 +15,7 @@
 
 In addition to the general InstantOn prerequisites, Open Liberty InstantOn is subject to certain limitations. For example, applications that must run early startup code or that rely on certain Liberty features might require modification to use InstantOn.
 
-For more information about InstantOn prerequisites, see xref:instanton.adoc#prereq[Runtime and host build system prerequisites]. 
+For more information about InstantOn prerequisites, see xref:instanton.adoc#prereq[Runtime and host build system prerequisites].
 
 The following sections describe the limitations and known issues with using Open Liberty InstantOn.
 
@@ -33,6 +33,7 @@ The following sections describe the limitations and known issues with using Open
 - <<#linux-calls,Access to Linux system calls>>
 - <<#linux, Running without the necessary Linux capabilities>>
 - <<#processors, Supported processors>>
+- <<#connectors, Jakarta Connectors work submission before checkpoint>>
 
 [#transaction]
 == Jakarta Transactions configuration limitations
@@ -77,14 +78,14 @@ This `Servlet` example uses the `loadOnStartup = 1` attribute. When you use this
 
 [source,text]
 ----
-[WARNING ] WTRN0155W: An application began or required a transaction during the server checkpoint request. The following stack trace for this thread was captured when the transaction was created: 
+[WARNING ] WTRN0155W: An application began or required a transaction during the server checkpoint request. The following stack trace for this thread was captured when the transaction was created:
 ----
 
 This warning is followed by a stacktrace that helps identify the application code that is attempting to begin a transaction. The server then fails to checkpoint and the following error is logged:
 
 [source,text]
 ----
-WTRN0154E: The server checkpoint request failed because the transaction service is unable to begin a transaction. 
+WTRN0154E: The server checkpoint request failed because the transaction service is unable to begin a transaction.
 ----
 
 You can avoid this failure by using the `beforeAppStart` option or by modifying the component not to use early startup code. In this example, that modification is to remove the `loadOnStartup = 1` attribute.
@@ -166,7 +167,7 @@ If an application is injected with a `DataSource` before the checkpoint and the
 == Accessing MicroProfile Config properties with no default value at checkpoint
 An application injected with a configuration property that has no default value set in any configuration source might cause errors during checkpoint. This section provides solutions for common errors that are encountered.
 
-A configuration property can be introduced into the application either statically or dynamically, and in either case, the property can be declared optional. The following example shows ways to inject static, static-optional, dynamic, and dynamic-optional configuration properties. 
+A configuration property can be introduced into the application either statically or dynamically, and in either case, the property can be declared optional. The following example shows ways to inject static, static-optional, dynamic, and dynamic-optional configuration properties.
 [source,java]
 ----
   @Inject
@@ -214,7 +215,7 @@ Specify a default value in a `variable` element in the server.xml` file::
   <variable name="static_config" defaultValue="defaultValue" />
 ----
 
-If no default value is set, you can still avoid the previous error by injecting configuration with the `static_optional_config`, `dynamic_config`,  or `dynamic_optional_config` properties. 
+If no default value is set, you can still avoid the previous error by injecting configuration with the `static_optional_config`, `dynamic_config`,  or `dynamic_optional_config` properties.
 However,  the following error might occur if you use the checkpoint option with CDI beans that are `@ApplicationScoped` and the `dynamic_config` is accessed too early during application startup:
 [source,sh]
 ----
@@ -280,7 +281,7 @@ To work around this limitation, you can either enable the `virt_sandbox_use_netl
 If link:https://www.kernel.org/doc/Documentation/security/Yama.txt[Yama] is configured with one of the following modes, InstantOn cannot checkpoint or restore the application process in running containers:
 
 - `2` - admin-only attach
-- `3` - no attach 
+- `3` - no attach
 
 When this configuration is present, the `/logs/checkpoint/restore.log` contains the following error:
 
@@ -363,3 +364,67 @@ The `Operation not permitted` message is an indication that the required Linux c
 == Supported processors
 Currently, the only supported processor is X86-64/AMD64. Other processors are expected to be supported in later releases of Open Liberty InstantOn.
 
+[#connectors]
+== Jakarta Connectors work submission before checkpoint
+
+Open Liberty InstantOn does not allow resource adapters to submit work nor create timer tasks that schedule periodic work before a checkpoint is performed for the application process. This scenario is possible when the  `afterAppStart` option is configured and the resource adapter has xref:instanton.adoc#beforeAppStart[early startup code] that attempts to submit work or create a timer by using the bootstrap context facilities provided by the runtime.
+
+In such cases, the server fails the checkpoint and logs an error. You can avoid these failures by using the xref:instanton.adoc#beforeAppStart[beforeAppStart] option.
+
+Consider the following JavaBean resource adapter code. The `start()` method is invoked when the server starts the resource adapter, which occurs before the checkpoint if you use the `afterAppStart` option.
+
+[source,java]
+----
+public class StartupExample implements ResourceAdapter {
+    BootstrapContext bootstrapCtx = null;
+
+    @Override
+    public void start(BootstrapContext ctx) {
+        bootstrapCtx = ctx;
+        WorkManager workMgr = bootstrapCtx.getWorkManager();
+        ...
+
+        // work submission is not allowed before checkpoint
+        try {
+            workMgr.scheduleWork(new ExampleWork());  // same for doWork() and startWork()
+        } catch (WorkRejectedException wre) {}
+
+        // timer creation is not allowed before checkpoint
+        try {
+            Timer timer = bootstrapCtx.createTimer();
+        } (UnavailableException ue) {}
+        ...
+     }
+----
+
+=== Error submitting work
+
+When a resource adapter attempts to submit work before checkpoint, the work manager throws a `WorkRejectedException` with the `J2CA8602E` message that identifies the resource adapter and the rejected work instance:
+
+[source,console]
+----
+J2CA8602E: The ExampleWork work that was submitted by the StartupExample resource adapter was rejected during the server checkpoint request.
+----
+
+The server then fails the checkpoint and logs the following error:
+
+[source,console]
+----
+J2CA8601E: The server checkpoint request failed because the StartupExample resource adapter submitted work ExampleWork.
+----
+
+=== Error creating a timer
+
+When a resource adapter attempts to create a timer before checkpoint, the `createTimer()` method throws an `UnavailableException` with the following `J2CA8512E` message that identifies the resource adapter:
+
+[source,console]
+----
+J2CA8512E: A timer could not be created for the StartupExample resource adapter during the server checkpoint request.
+----
+
+The server then fails the checkpoint and logs the following error:
+
+[source,console]
+----
+J2CA8511E: The server checkpoint request failed because the StartupExample resource adapter created a timer.
+----

modules/ROOT/pages/instanton.adoc

@@ -384,28 +384,39 @@ You can individually enable the Open Liberty public features that are enabled by
 
 In addition to the features that are enabled in the MicroProfile and Jakarta convenience features, InstantOn also supports the following features:
 
+
+- feature:appSecurity-1.0[]
 - feature:audit-1.0[]
 - feature:bells-1.0[]
+- feature:connectors-2.0[]
+- feature:connectors-2.1[]
+- feature:crac-1.4[]
 - feature:distributedMap-1.0[]
 - feature:federatedRegistry-1.0[]
+- feature:javaMail-1.6[]
+- feature:jaxws-2.2[]
+- feature:jca-1.7[]
+- feature:jdbc-4.1[]
+- feature:jdbc-4.3[]
+- feature:jms-2.0[]
 - feature:ldapRegistry-3.0[]
+- feature:localConnector-1.0[]
+- feature:mail-2.0[]
+- feature:mail-2.1[]
+- feature:mdb-3.2[]
+- feature:mdb-4.0[]
+- feature:messaging-3.0[]
 - feature:monitor-1.0[]
 - feature:openidConnectClient-1.0[]
+- feature:passwordUtilities-1.0[]
 - feature:passwordUtilities-1.1[]
 - feature:restConnector-2.0[]
+- feature:sessionCache-1.0[]
 - feature:sessionDatabase-1.0[]
 - feature:socialLogin-1.0[]
+- feature:springBoot-3.0[]
 - feature:webCache-1.0[]
-- feature:jaxws-2.2[]
 - feature:xmlWS-3.0[]
 - feature:xmlWS-4.0[]
-- feature:appSecurity-1.0[]
-- feature:javaMail-1.6[]
-- feature:mail-2.0[]
-- feature:mail-2.1[]
-- feature:jdbc-4.1[]
-- feature:jdbc-4.3[]
-- feature:localConnector-1.0[]
-- feature:passwordUtilities-1.0[]
 
 For more information about limitations, see xref:instanton-limitations.adoc[InstantOn limitations and known issues].

modules/ROOT/pages/jakarta-ee.adoc

@@ -38,13 +38,20 @@ image::jakarta-ee-ol-2.png[diagram that shows the relationship between Jakarta E
 
 [#platform]
 === Platform versions
-Java SE evolved through a series of versions as more classes were added to the JCL, new APIs were introduced, and some older functions were deprecated and replaced. Currently, the only versions of Java SE that are maintained with long-term support (LTS) are Java SE 8, Java SE 11, and Java SE 17. In between LTS releases, Oracle  introduces short-term support releases, such as Java 16. These short-term releases are supported for only 6 months.  For more information about which versions of Java SE Open Liberty runs on, see xref:java-se.adoc[Java SE support].
+Java SE evolved through a series of versions as more classes were added to the JCL, new APIs were introduced, and some older functions were deprecated and replaced. Currently, the following versions of Java SE are maintained with long-term support (LTS):
+
+* Java SE 8
+* Java SE 11
+* Java SE 17
+* Java SE 21
+
+In between LTS releases, Oracle  introduces short-term support releases, such as Java 16. These short-term releases are supported for only 6 months.  For more information about which versions of Java SE Open Liberty runs on, see xref:java-se.adoc[Java SE support].
 
 Java EE, which is now the open source Jakarta EE platform, has also evolved over a series of versions:
 
-* Java EE 8 was the last release of the platform by the Oracle corporation before it was moved to the Eclipse foundation, which first released the platform as Jakarta EE 8. 
-* Jakarta EE 9 arrived in 2020. The primary change in this release was to replace `javax` with `jakarta` in Jakarta package names. 
-* In February 2021, Jakarta EE 9.1 was released. Although this release did not include any API changes from version 9.0, it added support for Java SE 11. 
+* Java EE 8 was the last release of the platform by the Oracle corporation before it was moved to the Eclipse foundation, which first released the platform as Jakarta EE 8.
+* Jakarta EE 9 arrived in 2020. The primary change in this release was to replace `javax` with `jakarta` in Jakarta package names.
+* In February 2021, Jakarta EE 9.1 was released. Although this release did not include any API changes from version 9.0, it added support for Java SE 11.
 * In September 2022, Jakarta EE 10 was released. This release included many API changes and dropped support for Java SE 8.
 
 == Jakarta EE specifications

modules/ROOT/pages/java-se.adoc

@@ -75,7 +75,7 @@ The following table lists the Java SE versions that Open Liberty supports and pr
 |22
 |No
 |Because Java 22 is not an LTS release, Open Liberty supports it only until Java 23 is released.
-|IBM Semeru 22 (coming soon)
+|link:https://developer.ibm.com/languages/java/semeru-runtimes/downloads/?version=22[IBM Semeru 22]
 |https://adoptium.net/temurin/releases/?version=22[Eclipse Temurin 22]
 |https://docs.oracle.com/en/java/javase/22/migrate/getting-started.html[Java SE 22 migration guide]
 |===

modules/ROOT/pages/security-vulnerabilities.adoc

@@ -28,6 +28,13 @@ The `CWWKF0012I` message uses the word "installed", but it lists features that a
 |===
 |CVE |CVSS score by X-Force® |Vulnerability assessment |Versions affected |Version fixed |Notes
 
+|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22354[CVE-2024-22354]
+|7.0
+|XML External Entity (XXE) injection
+|17.0.0.3 - 24.0.0.5
+|24.0.0.6
+|
+
 |http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27268[CVE-2024-27268]
 |5.9
 |Denial of service

modules/ROOT/pages/transaction-service.adoc

@@ -85,6 +85,19 @@ To monitor peers, servers must be configured so that their transaction logs are
 
 The use of a shared file system for this purpose, such as an RWX persistent volume in a Kubernetes cluster, is explicitly not supported where the file system crosses data centers. This limitation is due to the difficulty of implementing POSIX locking semantics in such a configuration. Under these circumstances, the transaction service must be configured to use a relational database for its transaction logs. For more information, see the <<#log,Transaction log management>> section.
 
+=== Considerations when using a proxy server
+
+The older alternative to peer recovery in a cloud environment is to route WS-AtomicTransaction traffic through a proxy server by specifying the `externalURLPrefix` attribute in the `server.xml` using the pod IP address, as shown in the following in the example:
+
+[source,xml]
+----
+<wsAtomicTransaction
+  ...
+  externalURLPrefix="https://${env.POD_IP}:9443"
+/>
+----
+
+In some Kubernetes environments, this setting might cause intermittent socket timeout exceptions when non-WS-AtomicTransaction traffic communicates through a Kubernetes service to the same destination pod on the same port. To avoid these timeouts, add another config:httpEndpoint[display=HTTP Endpoint] with a different port that is solely for `externalURLPrefix` traffic. Then, add another `hostAlias` attribute for this port in the config:virtualHost[display=Virtual Host] configuration and set the `externalURLPrefix` attribute to this new port.
 
 [#log]
 == Transaction log management
@@ -110,7 +123,9 @@ To store your Open Liberty transaction logs in an RDBMS, you can configure a ded
 </library>
 ----
 
-The `false` value for the `transactional` attribute specifies that the datasource is non-transactional. Transaction logs can be written to this data source, but it does not participate in transactions.
+The `false` value for the `transactional` attribute specifies that the data source is non-transactional. Transaction logs can be written to this data source, but it does not participate in transactions.
+
+When you configure a non-transactional data source to store transaction logs, you must not change the value of the `syncQueryTimeoutWithTransactionTimeout` attribute from the default, which is `false`.
 
 If you store transaction logs in an RDBMS, each server must have its own tables. You can specify a unique table suffix by using the `transactionLogDBTableSuffix` attribute for the `transaction` element. The value for this attribute is a string that is appended to the table name to make it unique to the server where the table is hosted. In the previous example, `MyServer1` is added as a suffix to any table names that are created for this server in an RDBMS.
 

modules/ROOT/pages/troubleshooting.adoc

@@ -19,6 +19,7 @@ If you want to find solutions to security related issues , the following informa
 - <<#Troubleshooting_Kerberos, Troubleshooting Kerberos authentication to LDAP servers>>
 * <<#Troubleshooting_SSO, Troubleshooting SSO>>
 * <<#Troubleshooting_SSL, Troubleshooting SSL and TLS>>
+* <<#Troubleshooting_TAI, Troubleshooting TAI>>
 * <<#Other_troubleshooting, Other troubleshooting issues>>
 
 [#Troubleshooting_ACME]
@@ -272,6 +273,12 @@ Exception thrown while trying to read configuration and update ManagedServiceFac
 This error occurs when a keystore element exists in the configuration without an ID field.
 If you use a minimal TLS configuration, set the `ID` field to `defaultKeyStore`.
 
+[#Troubleshooting_TAI]
+== Troubleshooting Trust Association Interceptor
+
+When you configure the `TrustAssociationInterceptor` component to call the `InitialDirContext` class, the `java.naming.ldap.factory.socket` property must be set to the `com.ibm.ws.ssl.protocol.LibertySSLSocketFactory` Liberty socket factory. Setting this property to other factories can cause a `NoClassDefFoundException`.
+
+
 [#Other_troubleshooting]
 == Other troubleshooting issues
 

modules/reference/pages/feature/crac-1.4/description.adoc

@@ -0,0 +1,3 @@
+These APIs integrate with the Liberty xref:ROOT:instanton.adoc[InstantOn support].
+
+The link:https://javadoc.io/doc/org.crac/crac/1.4.0/index.html[org.crac] package provides APIs for receiving checkpoint/restore notifications. These notifications enable applications to perform actions before they checkpoint an application process and after they restore the application process. For example, this package allows Spring-based applications to support checkpoint and restore. The use of `org.crac` is not limited to Spring-based applications. Any application that runs on Liberty can choose to receive checkpoint/restore notifications by enabling this feature.

modules/reference/pages/feature/springBoot-1.5/description.adoc

@@ -1,4 +1,6 @@
 
+## Spring Boot Starters
+
 link:https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#using.build-systems.starters[Spring Boot Starters] are a set of convenient dependency descriptors provided by the Spring Boot that you can include in your application. When you use these starters with a Spring Boot application that is deployed on Open Liberty, you might need to enable features beyond the Spring Boot Support feature. The following table lists the Open Liberty features that are required to support certain Spring Boot 1.5 starters.
 
 .Open Liberty features that support Spring Boot 1.5 starters

modules/reference/pages/feature/springBoot-2.0/description.adoc

@@ -1,4 +1,6 @@
 
+## Spring Boot Starters
+
 link:https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#using.build-systems.starters[Spring Boot Starters] are a set of convenient dependency descriptors provided by the Spring Boot that you can include in your application. When you use these starters with a Spring Boot application that is deployed on Open Liberty, you might need to enable features beyond the Spring Boot Support feature. The following table lists the Open Liberty features that are required to support certain Spring Boot 2.0 starters.
 
 .Open Liberty features that support Spring Boot 2.0 starters