Documentation, Remove default LTPA keys password #8246
Description
Feature epic details
- For the title of this issue, type: Documentation, Remove default LTPA keys password
- Link to development epic: IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2025-14917 CVSS 6.7) open-liberty#34447
- Target GA release: 26.0.0.4
Operating systems
Does the documentation apply to all operating systems?
- Yes
- No; specify operating systems: ______
Summary
Provide a concise summary of your feature. What is the update, why does it matter, and to whom? What do 80% of target users need to know to be most easily productive using your runtime update?
The default LTPA keys password has been removed to address OpenLiberty/open-liberty#34447.
Configuration
List any new or changed properties, parameters, elements, attributes, etc. Include default values and configuration examples where relevant:
If the keysPassword attribute on the <ltpa /> element is not set, the LTPA keys password is taken from the ltpa_keys_password or keystore_password environment variable in the server.env file, if either is set. These are randomly generated when the server is created, unless the user tells the create command not to generate them with the --no-password option (for example, ./server create <server-name> --no-password). If both ltpa_keys_password and keystore_password are set, ltpa_keys_password takes precedence. To configure the LTPA keys, a password must be defined in the keysPassword attribute, in the ltpa_keys_password environment variable, or in the keystore_password environment variable.
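As an added example (not part of this issue or of the Open Liberty code base), a small Python pre-flight check that applies the precedence described above to a server.xml and a server.env: it reports which source will supply the LTPA keys password, or fails when none is defined. The sample inputs and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample inputs (hypothetical; not taken from a real server).
SAMPLE_SERVER_XML = "<server></server>"  # no <ltpa keysPassword=.../> element
SAMPLE_SERVER_ENV = "# generated by server create\nkeystore_password=s3cretKeystoreValue\n"

def parse_server_env(text: str) -> Dict[str, str]:
    """Parse server.env KEY=VALUE lines; blank lines and # comments are ignored."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env

def ltpa_keys_password_source(server_xml: str, server_env: str) -> Optional[str]:
    """Report where the LTPA keys password comes from, in the order the issue
    describes: keysPassword on <ltpa/>, then ltpa_keys_password, then
    keystore_password from server.env. Returns None when no password is
    defined anywhere (e.g. server created with --no-password and no
    keysPassword attribute), in which case the LTPA keys cannot be configured."""
    root = ET.fromstring(server_xml)
    ltpa = root.find(".//ltpa")
    if ltpa is not None and ltpa.get("keysPassword"):
        return "ltpa keysPassword attribute"
    env = parse_server_env(server_env)
    for var in ("ltpa_keys_password", "keystore_password"):
        if env.get(var):
            return f"server.env {var}"
    return None

def check_ltpa_config(server_xml: str, server_env: str) -> str:
    """Pre-flight verdict; raises ValueError when no LTPA keys password exists."""
    source = ltpa_keys_password_source(server_xml, server_env)
    if source is None:
        raise ValueError("no LTPA keys password: set keysPassword on <ltpa/> or "
                         "ltpa_keys_password/keystore_password in server.env")
    return f"LTPA keys password will be taken from {source}"

if __name__ == "__main__":
    print(check_ltpa_config(SAMPLE_SERVER_XML, SAMPLE_SERVER_ENV))
```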
Updates to existing topics
To update existing topics, specify a link to the topics that are affected. Include a copy of the current text and the exact text to which it will change. For example: Change ABC to XYZ
update:
Open Liberty creates a keystore password when the server is created and puts it in the ${server.config.dir}/server.env file that is in the server home directory. If no keyStore element exists to create the default keystore file, this password is used to create a keystore file. This keystore file is then used as the default keystore file. Likewise, if a defaultKeyStore entry exists without a password in the server.xml file, the password from the server.env file is used to open the file. If you don't want to use the generated keystore password, remove the keystore_password entry from the server.env file. If a default keystore file was already generated with the password from the server.env file, you might need to remove it.
to:
Open Liberty creates a keystore password when the server is created and puts it in the ${server.config.dir}/server.env file that is in the server home directory unless the --no-password option is specified with the server create command. If no keyStore element exists to create the default keystore file, this password is used to create a keystore file. This keystore file is then used as the default keystore file. Likewise, if a defaultKeyStore entry exists without a password in the server.xml file, the keystore password from the server.env file is used to open the file.
The keystore password from the server.env file is also used as the LTPA keys password if the keysPassword attribute in the ltpa element and the ltpa_keys_password environment variable are not defined. For more information, see LTPA Token (ltpa).
If you don't want to use the generated keystore password, remove the keystore_password entry from the server.env file. If a default keystore file was already generated with the password from the server.env file, you might need to remove it.
update:
When this option is specified, no default keystore password is generated when the server is created.
to:
When this option is specified, neither a default keystore password nor a default LTPA keys password is generated when the server is created.
Create a new topic
To create a topic, specify a first draft of the topic that you want added and the section in the navigation where the topic should go.