diff --git a/modules/ROOT/pages/audit-log-events-list-cadf.adoc b/modules/ROOT/pages/audit-log-events-list-cadf.adoc index fc10c7e10..b1fedc452 100644 --- a/modules/ROOT/pages/audit-log-events-list-cadf.adoc +++ b/modules/ROOT/pages/audit-log-events-list-cadf.adoc @@ -18,8 +18,8 @@ Open Liberty can generate audit events in either CADF or xref:ROOT:json-log-even * <> * <> -* <> -* <> +* <> +* <> * <> * <> * <> @@ -232,7 +232,7 @@ The following example shows a SECURITY_MEMBER_MGMT user lookup action: == SECURITY_API_AUTHN -You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field. +You can use the SECURITY_API_AUTHN event to capture the audit information from the login and authentication for servlet APIs. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field. .SECURITY_API_AUTHN event fields [cols=",",options="header",] @@ -309,7 +309,7 @@ The following example shows a SECURITY_API_AUTHN event that results in a redirec == SECURITY_API_AUTHN_TERMINATE -You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet 3.0 APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field. +You can use the SECURITY_API_AUTHN_TERMINATE event to capture the audit information from the log out for servlet APIs. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field. .SECURITY_API_AUTHN_TERMINATE event fields [cols=",",options="header",] 
@@ -462,7 +462,7 @@ The following example shows a successful SECURITY_AUTHN event: == SECURITY_AUTHN_DELEGATION -You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field. +You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet `runAs` delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field. .SECURITY_AUTHN_DELEGATION event fields [cols=",",options="header",] diff --git a/modules/ROOT/pages/enable-fips.adoc b/modules/ROOT/pages/enable-fips.adoc index ddf1733ef..2a21e59a0 100644 --- a/modules/ROOT/pages/enable-fips.adoc +++ b/modules/ROOT/pages/enable-fips.adoc 
@@ -12,9 +12,9 @@ The Federal Information Processing Standard (FIPS) 140-2 is a US government security standard for cryptographic modules. Although FIPS compliance is determined by your underlying Java virtual machine (JVM), you can enable Open Liberty to run on a FIPS-compliant JVM. -FIPS enablement is important for many users, particularly if you work for or with US government agencies. Running your Open Liberty servers on a FIPS-compliant JVM ensures that only FIPS certified cryptography is used when an application uses Java security libraries or APIs. FIPS-compliant JVM options for Open Liberty are included in both link:https://www.ibm.com/docs/en/sdk-java-technology/8[IBM SDK, Java Technology Edition] and link:https://developer.ibm.com/articles/explore-options-for-downloading-ibm-semeru-runtimes[IBM Semeru Runtimes]. +FIPS enablement is important for many users, particularly if you work for or with US government agencies. Running your Open Liberty servers on a FIPS-compliant JVM helps ensure that only FIPS-certified cryptography is used when an application uses Java security libraries or APIs. FIPS-compliant JVM options for Open Liberty are link:https://www.ibm.com/docs/en/sdk-java-technology/8[IBM SDK, Java Technology Edition] or link:https://developer.ibm.com/articles/explore-options-for-downloading-ibm-semeru-runtimes[IBM Semeru Runtimes]. -For more information about enabling FIPS for Liberty with the IBM SDK, Java Technology Edition, see link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-setting-up-fips-compliance[Setting up Liberty for FIPS compliance] in the WebSphere Liberty documentation. The configuration is the same for both WebSphere Liberty and Open Liberty. +For more information about enabling FIPS for Liberty with the IBM SDK, Java Technology Edition, see link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-setting-up-fips-compliance[Setting up Liberty for FIPS compliance] in the WebSphere Liberty documentation. 
The configuration is the same for both WebSphere Liberty and Open Liberty. This option is available only for Java SE 8. For Java SE 11 or later, use IBM Semeru Runtimes. == Enable FIPS for Open Liberty on IBM Semeru Runtimes 
@@ -24,7 +24,16 @@ In FIPS mode, Semeru Runtimes does not support file-based keystores like JKS and Complete the following steps to configure your Open Liberty server to run on Semeru Runtimes in FIPS mode and to add your keys and certificates to the NSS database. 1. Confirm that your RHEL operating system is installed in FIPS mode. + -If your RHEL operating system was not installed in FIPS mode, you must switch it to FIPS mode. For more information about how to enable or check the FIPS status for your RHEL operating system, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening?_ga=2.199036333.328645028.1662471426-119974336.1661806438#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies[Switching the system to FIPS mode] in the RHEL documentation. ++ +Run the following command: ++ +---- +fips-mode-setup --check +---- ++ +If FIPS mode is enabled, the command output is `FIPS mode is enabled.` ++ +If your RHEL operating system was not installed in FIPS mode, you must switch it to FIPS mode. For more information about how to enable or check the FIPS status for your RHEL operating system, see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#federal-information-processing-standards-140-and-fips-mode_switching-rhel-to-fips-mode[Switching RHEL to FIPS mode] in the RHEL documentation. 2. Specify system properties to enable FIPS mode for the JVM and, optionally, to enable debug tracing. + The `-Dsemeru.fips=true` property specifies that the JVM uses only FIPS certified cryptography, and ensures that the TLS and SSL protocols use only FIPS certified algorithms. The optional `-Djava.security.debug=semerufips` property enables debug tracing. 
Add these properties to the `jvm.options` file in your Open Liberty server configuration directory, one property per line, as shown in the following example. + diff --git a/modules/ROOT/pages/instanton.adoc b/modules/ROOT/pages/instanton.adoc index 485f250db..b3dddf282 100644 --- a/modules/ROOT/pages/instanton.adoc +++ b/modules/ROOT/pages/instanton.adoc @@ -385,6 +385,8 @@ You can individually enable the Open Liberty public features that are enabled by In addition to the features that are enabled in the MicroProfile and Jakarta convenience features, InstantOn also supports the following features: +- feature:appAuthorization-2.0[] +- feature:appAuthorization-2.1[] - feature:appSecurity-1.0[] - feature:audit-1.0[] - feature:bells-1.0[] @@ -406,6 +408,9 @@ In addition to the features that are enabled in the MicroProfile and Jakarta con - feature:mdb-3.2[] - feature:mdb-4.0[] - feature:messaging-3.0[] +- feature:messagingClient-3.0[] +- feature:messagingSecurity-3.0[] +- feature:messagingServer-3.0[] - feature:monitor-1.0[] - feature:openidConnectClient-1.0[] - feature:passwordUtilities-1.0[] @@ -415,6 +420,9 @@ In addition to the features that are enabled in the MicroProfile and Jakarta con - feature:sessionDatabase-1.0[] - feature:socialLogin-1.0[] - feature:springBoot-3.0[] +- feature:wasJmsClient-2.0[] +- feature:wasJmsSecurity-1.0[] +- feature:wasJmsServer-1.0[] - feature:webCache-1.0[] - feature:xmlWS-3.0[] - feature:xmlWS-4.0[] diff --git a/modules/ROOT/pages/java-se.adoc b/modules/ROOT/pages/java-se.adoc index cacc1a6a7..84c96de7b 100644 --- a/modules/ROOT/pages/java-se.adoc +++ b/modules/ROOT/pages/java-se.adoc 
@@ -52,7 +52,7 @@ The following table lists the Java SE versions that Open Liberty supports and pr |11 |Yes -|26.0.0.10 +|27.0.0.10 |https://developer.ibm.com/languages/java/semeru-runtimes/downloads/?version=11[IBM Semeru 11] |https://adoptium.net/?variant=openjdk11&jvmVariant=hotspot[Eclipse Temurin 11] |https://docs.oracle.com/en/java/javase/11/migrate/index.html#JSMIG-GUID-C25E2B1D-6C24-4403-8540-CFEA875B994A[Java SE 11 migration guide] diff --git a/modules/ROOT/pages/json-log-events-list.adoc b/modules/ROOT/pages/json-log-events-list.adoc index a75175e17..17d92bb63 100644 --- a/modules/ROOT/pages/json-log-events-list.adoc +++ b/modules/ROOT/pages/json-log-events-list.adoc @@ -237,8 +237,8 @@ Open Liberty can generate audit events in either JSON or xref:ROOT:audit-log-eve * <> * <> -* <> -* <> +* <> +* <> * <> * <> * <> @@ -458,7 +458,7 @@ The following example shows a SECURITY_MEMBER_MGMT user lookup action: === SECURITY_API_AUTHN -You can use the SECURITY_API_AUTHN event for servlet 3.0 and later APIs to capture audit information when a user logs in and authenticates. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field: +You can use the SECURITY_API_AUTHN event for servlet APIs to capture audit information when a user logs in and authenticates. The following table provides the fields for the SECURITY_API_AUTHN event and a description of each field: .SECURITY_API_AUTHN event fields [cols=",",options="header",] 
@@ -535,7 +535,7 @@ The following example shows a SECURITY_API_AUTHN event that results in a redirec === SECURITY_API_AUTHN_TERMINATE -You can use the SECURITY_API_AUTHN_TERMINATE event for servlet 3.0 and later APIs to capture the audit information when a user logs out. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field: +You can use the SECURITY_API_AUTHN_TERMINATE event for servlet APIs to capture the audit information when a user logs out. The following table provides the fields for the SECURITY_API_AUTHN_TERMINATE event and a description of each field: .SECURITY_API_AUTHN_TERMINATE event fields [cols=",",options="header",] @@ -690,7 +690,7 @@ The following example shows a successful SECURITY_AUTHN event: === SECURITY_AUTHN_DELEGATION -You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet runAs delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field: +You can use the SECURITY_AUTHN_DELEGATION event to capture the audit information from Servlet `runAs` delegation and EJB delegation. The following table provides the fields for the SECURITY_AUTHN_DELEGATION event and a description of each field: .SECURITY_AUTHN_DELEGATION event fields [cols=",",options="header",] diff --git a/modules/ROOT/pages/security-vulnerabilities.adoc b/modules/ROOT/pages/security-vulnerabilities.adoc index 9dd0d291a..512e9f656 100644 --- a/modules/ROOT/pages/security-vulnerabilities.adoc +++ b/modules/ROOT/pages/security-vulnerabilities.adoc 
@@ -28,6 +28,13 @@ The `CWWKF0012I` message uses the word "installed", but it lists features that a |=== |CVE |CVSS score by X-ForceĀ® |Vulnerability assessment |Versions affected |Version fixed |Notes +|https://www.cve.org/CVERecord?id=CVE-2024-7254[CVE-2024-7254] +|7.5 +|Denial of service +|20.0.0.12 - 24.0.0.10 +|24.0.0.11 +|Affects the feature:grpc-1.0[] and feature:grpcClient-1.0[] features + |http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50314[CVE-2023-50314] |5.3 |Information disclosure diff --git a/modules/ROOT/pages/server-configuration-hardening.adoc b/modules/ROOT/pages/server-configuration-hardening.adoc index 638ce2932..9c3b9c6d9 100644 --- a/modules/ROOT/pages/server-configuration-hardening.adoc +++ b/modules/ROOT/pages/server-configuration-hardening.adoc @@ -28,10 +28,14 @@ Set the `WLP_OUTPUT_DIR` environment variable to point to the server logs with t * Ensure that any sensitive information in the `server.xml` file is AES-encrypted. * Disable all non-TLS ports by setting ports to the value of `-1` in the `httpPort` argument of the `httpEndpoint` stanza. * Use xref:reference:feature/transportSecurity-1.0.adoc[Transport Layer Security (TLS)] instead of SSL. -* Add the `webAppSecurity ssoRequiresSSL="true"` statement to the `server.xml` file. -* Add the `webAppSecurity httpOnlyCookies="true"` statement to the `server.xml` file. -* Add the `httpOptions removeServerHeader="true"` statement to the `server.xml` file. -* Add the `webContainer disableXPoweredBy="true"` statement to the `server.xml` file. +* Add the following declarations to your `server.xml` file: ++ +[source,xml] +---- + + + +---- [#ol-images] == Open Liberty container images diff --git a/modules/reference/pages/command/securityUtility-encode.adoc b/modules/reference/pages/command/securityUtility-encode.adoc index dccd78c4e..951b7664f 100644 --- a/modules/reference/pages/command/securityUtility-encode.adoc +++ b/modules/reference/pages/command/securityUtility-encode.adoc 
@@ -16,10 +16,15 @@ The `securityUtility encode` command supports plain text obfuscation for Open Liberty. -This command obfuscates text that you provide, such as a password, based on the type that is specified. +This command obfuscates text that you provide, such as a password, based on the encoding type that you specify. + If no text is provided, the command enters interactive mode. Interactive mode prompts you to enter and confirm your text input, rather than provide text on the same line as the command. -Text with spaces must be put in quotation marks. + +Enclose any text with spaces in quotation marks. +If your password includes special characters, you must escape each special character to help ensure that the password is properly encoded. For more information, see <>. + + For more information about limits to password encryption, see xref:ROOT:password-encryption.adoc[Password encryption limitations]. == Usage examples 
@@ -111,3 +116,27 @@ The following exit codes are available for the `securityUtility encode` command: |5 |This code indicates that the file already exists. |=== + + +[#pw] +== Check passwords for special characters + +If your password includes special characters, you must escape each special character to help ensure that the password is properly encoded. +Special characters and escape characters might vary according to your operating system. +For example, on Unix systems, `pa$$W0rd` must be provided as `pa\$\$W0rd`. + +To check whether your password includes any characters that your operating system considers to be special characters, you can run the `echo` command. + +On the command line, type `echo` followed by the password and review the output to determine whether it differs from your specified password. If any characters are changed, you must escape the characters. The following example is for Ubuntu. + +---- +$ echo pa$$W0rd +pa683W0rd +// The dollar sign ($) special characters aren't encoded properly. + +$ echo pa\$\$W0rd +pa$$W0rd +// Escape each special character individually to return the correct password to encode. + +$ securityUtility encode pa\$\$W0rd +----
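Review bot: In the audit-log-events-list-cadf.adoc hunk at -462 (and its twin in json-log-events-list.adoc at -690), "Servlet `runAs` delegation" keeps a capitalized "Servlet" while the -232 and -309 hunks in the same files now read "servlet APIs" in lowercase; pick one spelling for the page. Wrapping `runAs` in backticks is the right call, since it is the literal deployment-descriptor element name.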
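Review bot: In the enable-fips.adoc hunk at -12, the new sentence hyphenates "FIPS-certified" and softens "ensures" to "helps ensure", but the unchanged step-2 text in the next hunk still says "-Dsemeru.fips=true ... uses only FIPS certified cryptography, and ensures that the TLS and SSL protocols use only FIPS certified algorithms"; apply the same hyphenation and the same hedge there so the page does not make the stronger claim a few lines later. The added "This option is available only for Java SE 8. For Java SE 11 or later, use IBM Semeru Runtimes." is a useful clarification and reads well where it sits after the link.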
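Review bot: In the enable-fips.adoc hunk at -24, step 1 only documents the success output (`FIPS mode is enabled.`); also say what the reader should expect when the check fails, so it is clear that the following "If your RHEL operating system was not installed in FIPS mode" paragraph is the path to take in that case rather than an unrelated aside. Dropping the `_ga=` tracking parameters from the Red Hat URL is a good cleanup; the new anchor is long, so confirm it still resolves.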
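Review bot: The java-se.adoc hunk at -52 changes a support-lifecycle value for Java 11 from 26.0.0.10 to 27.0.0.10 with no pointer to where the new value comes from; the commit message or PR description should cite the announcement or support statement that moved it, since readers plan upgrades around this cell and a reviewer cannot verify the number from the diff alone.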
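Review bot: In the security-vulnerabilities.adoc hunk at -28, the new row links `https://www.cve.org/CVERecord?id=CVE-2024-7254` while the existing row directly below still uses the plain-http `http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50314` form; either convert the older rows to the same https cve.org style in this change or note that a follow-up will, so the table does not mix link targets. Separately, the context line for the header reads `|CVSS score by X-ForceĀ®`, which is a mis-encoded registered-trademark symbol; worth a one-character fix while this table is being touched.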
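Review bot: In the server-configuration-hardening.adoc hunk at -28, four bullets naming four settings (`webAppSecurity ssoRequiresSSL="true"`, `webAppSecurity httpOnlyCookies="true"`, `httpOptions removeServerHeader="true"`, `webContainer disableXPoweredBy="true"`) are replaced by a `[source,xml]` block that, as it appears in this diff, contains three blank lines and no elements; confirm the XML survived in the actual file and that all four attributes are still present. Three elements are fine if `ssoRequiresSSL` and `httpOnlyCookies` share one `webAppSecurity` element, but the rendered block must show the element and attribute names, otherwise the reader loses the concrete configuration the old bullets gave.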
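Review bot: In the securityUtility-encode.adoc hunk at -16, the added sentence "If your password includes special characters, you must escape each special character to help ensure that the password is properly encoded." is repeated word for word as the first sentence of the new `[#pw]` section in the next hunk; keep the full sentence in one place and let the other be the cross-reference. The xref target after "For more information, see" is not visible in this diff, so confirm it points at the `[#pw]` anchor. Minor wording: "must ... to help ensure" mixes a requirement with a hedge; "Escape each special character so that the password is encoded correctly" says the same thing plainly.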
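Review bot: In the securityUtility-encode.adoc hunk at -111, the example output `pa683W0rd` needs an explanation: in a POSIX shell `$$` expands to the shell's process ID, so the `683` is whatever PID the author's shell had and every reader will see a different number; say that explicitly, or the example looks like a typo. The `// ...` lines inside the listing read as shell input but `//` is not a shell comment marker; use `#` or move those two explanations into prose under the block. Since this section is about shell interpretation, it is also worth stating that single quotes (`'pa$$W0rd'`) suppress all expansion at once, and that the interactive mode described at the top of the page reads the text directly rather than through the shell command line, which avoids the escaping problem entirely.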