diff --git a/antora.yml b/antora.yml index 42e77a075..51f19acdd 100644 --- a/antora.yml +++ b/antora.yml @@ -1,6 +1,6 @@ name: docs # Do not rename since it will mess up the path in the url title: Docs overview -version: 25.0.0.12 +version: 26.0.0.1 start_page: ROOT:overview.adoc asciidoc: attributes: diff --git a/modules/ROOT/pages/enable-fips.adoc b/modules/ROOT/pages/enable-fips.adoc index 9fe63ce1f..156b8b741 100644 --- a/modules/ROOT/pages/enable-fips.adoc +++ b/modules/ROOT/pages/enable-fips.adoc 
@@ -14,11 +14,13 @@ The Federal Information Processing Standard (FIPS) is a US government security s FIPS enablement is important for many users, particularly if you work for or with US government agencies. Running your Open Liberty servers on a FIPS-compliant JVM helps ensure that only FIPS-certified cryptography is used when an application uses Java security libraries or APIs. FIPS-compliant JVM options for Open Liberty are link:https://www.ibm.com/docs/en/sdk-java-technology/8[IBM SDK, Java Technology Edition] or link:https://developer.ibm.com/articles/explore-options-for-downloading-ibm-semeru-runtimes[IBM Semeru Runtimes]. -To enable FIPS for Liberty with the IBM SDK, Java Technology Edition, see link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-setting-up-fips-compliance[Setting up Liberty for FIPS compliance] in the WebSphere Liberty documentation. The configuration for FIPS 140-3 is the same for both WebSphere Liberty and Open Liberty. This option is available only for Java SE 8. For Java SE 11 or later, use IBM Semeru Runtimes. +== Enable FIPS 140-3 for Open Liberty on IBM Semeru Runtimes -To enable FIPS 140-2 for Liberty with IBM Semeru Runtimes, complete the following steps. +To enable FIPS 140-3 for Liberty with the IBM SDK, Java Technology Edition or IBM Semeru Runtimes, see link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-setting-up-fips-compliance[Setting up Liberty for FIPS compliance] in the WebSphere Liberty documentation. The configuration for FIPS 140-3 is the same for both WebSphere Liberty and Open Liberty. -== Enable FIPS for Open Liberty on IBM Semeru Runtimes +Alternatively, to enable the outmoded FIPS 140-2 for Open Liberty with IBM Semeru Runtimes, complete the following steps. Be certain that you want to proceed; FIPS 140-2 validations are scheduled to move to the Historical List. 
+ +=== Enable FIPS 140-2 for Open Liberty on IBM Semeru Runtimes You can enable either IBM Semeru Runtime Certified Edition or Open Edition in FIPS mode in version 11.0.16 and later for Java 11 and version 17.0.4 and later for Java 17. Java 11 and 17 support for FIPS with Semeru Runtimes is available only on Red Hat Enterprise Linux (RHEL) 8 on x86 platforms. The RHEL 8 operating system must be running in FIPS mode because the IBM Semeru Runtimes rely on the operating system’s underlying Network Security Services (NSS) FIPS 140-2 certification. To run Open Liberty on IBM Semeru Runtimes in FIPS mode, Open Liberty version 22.0.0.8 or later is recommended. In FIPS mode, Semeru Runtimes does not support file-based keystores like JKS and PKCS#12. Certificates in your file-based keystores must be imported into the NSS database. Open Liberty does not create certificates in the NSS database. diff --git a/modules/ROOT/pages/network-hardening.adoc b/modules/ROOT/pages/network-hardening.adoc index 797de169f..531132a83 100644 --- a/modules/ROOT/pages/network-hardening.adoc +++ b/modules/ROOT/pages/network-hardening.adoc @@ -203,6 +203,8 @@ You can disable HTTP session overflow by setting the `allowOverflow` attribute t [#jmx-connector] == JMX connector +Avoid the use of link:https://openliberty.io/docs/latest/reference/feature/localConnector-1.0.html[localConnector-1.0] in production. Instead, use link:https://openliberty.io/docs/latest/reference/feature/restConnector-2.0.html[restConnector-2.0]. The restConnector-2.0 feature provides better security than localConnector-1.0, because it requires TLS and is protected by the administrator and reader roles. + When you use the IBM HTTP Server, you can secure access to the Open Liberty JMX connector for remote administrative services in the web server plug-in by removing or commenting out the following entries: [source,xml] 
diff --git a/modules/reference/pages/command/securityUtility-commands.adoc b/modules/reference/pages/command/securityUtility-commands.adoc index bba8ef061..9233868a9 100644 --- a/modules/reference/pages/command/securityUtility-commands.adoc +++ b/modules/reference/pages/command/securityUtility-commands.adoc @@ -20,10 +20,11 @@ The `securityUtility` commands help you accomplish various security-related task The following `securityUtility` commands are available: +* xref:command/securityUtility-configureFIPS.adoc[securityUtility configureFIPS]: The command configures FIPS 140-3 for servers, clients, and tools. * xref:command/securityUtility-createLTPAKeys.adoc[securityUtility createLTPAKeys]: The command creates a set of LTPA keys for use by the server, or that can be shared with multiple servers. * xref:command/securityUtility-createSSLCertificate.adoc[securityUtility createSSLCertificate]: The command supports TLS certificate creation for Open Liberty. -* xref:command/securityUtility-generateAESKey.adoc[securityUtility generateAESKey]: Generates a Base64-encoded 256-bit AES key for use with password encryption in Open Liberty. * xref:command/securityUtility-encode.adoc[securityUtility encode]: The command supports plain text obfuscation for Open Liberty. +* xref:command/securityUtility-generateAESKey.adoc[securityUtility generateAESKey]: Generates a Base64-encoded 256-bit AES key for use with password encryption in Open Liberty. * xref:command/securityUtility-help.adoc[securityUtility help]: The command displays information about the `securityUtility` command, with details about its actions and options. diff --git a/modules/reference/pages/command/securityUtility-configureFIPS.adoc b/modules/reference/pages/command/securityUtility-configureFIPS.adoc new file mode 100644 index 000000000..f16761d4c --- /dev/null +++ b/modules/reference/pages/command/securityUtility-configureFIPS.adoc 
@@ -0,0 +1,87 @@ +// +// Copyright (c) 2026 IBM Corporation and others. +// Licensed under Creative Commons Attribution-NoDerivatives +// 4.0 International (CC BY-ND 4.0) +// https://creativecommons.org/licenses/by-nd/4.0/ +// +// Contributors: +// IBM Corporation +// +:page-description: The `securityUtility configureFIPS` command configures FIPS 140-3 for servers, clients, and tools. +:seo-title: securityUtility configureFIPS - OpenLiberty.io +:seo-description: The `securityUtility configureFIPS` command configures FIPS 140-3 for servers, clients, and tools. +:page-layout: general-reference +:page-type: general += securityUtility configureFIPS + +The `securityUtility configureFIPS` command configures FIPS 140-3 for servers, clients, and tools. + +== Usage example + +Enable FIPS 140-3 across all servers, clients, and tools: + +---- +securityUtility configureFIPS +---- + +== Syntax + +Run the command from the `_path_to_liberty_/wlp/bin` directory. + +[subs=+quotes] +---- +securityUtility configureFIPS [_options_] +---- + +== Options + +.Options for the securityUtility configureFIPS command +[%header,cols=2*] +|=== +|Option +|Description + +|--server=_server_name_ +|Configures FIPS 140-3 at a specified server. + +|--client=_client_name_ +|Configures FIPS 140-3 at a specified client. + +|--customProfileFile=_name_ +a|For IBM Semeru Runtime, creates a custom profile file with a specified name or at a specified location. The default name of the custom profile file is `FIPS140-3-Liberty-Application.properties`. + +* If this option is not provided, the custom profile file is located in the `/etc` directory of your Liberty installation. +* If this option is not provided and the `--server` option is used, the custom profile file is located in the `/security` directory of the specified server. +* If this option is not provided and the `--client` option is used, the custom profile file is located in the `/security` directory of the specified client. 
+ +|--disable +|Disables FIPS 140-3 from all servers and clients that were not individually configured. Use the --server and --client options with the --disable option to disable FIPS 140-3 from specified servers and clients respectively. + +|=== + +== Exit codes + +The following exit codes are available for the `securityUtility configureFIPS` command: + +.Exit codes for the securityUtility configureFIPS command +[%header,cols="2,9"] +|=== + +|Code +|Explanation + +|0 +|This code indicates successful completion of the requested operation. + +|1 +|This code indicates a generic error. + +|2 +|This code indicates that the server is not found. + +|3 +|This code indicates that the client is not found. + +|4 +|This code indicates that the path can not be created. +|=== diff --git a/modules/reference/pages/command/securityUtility-createLTPAKeys.adoc b/modules/reference/pages/command/securityUtility-createLTPAKeys.adoc index bd3a780f8..224ff8911 100644 --- a/modules/reference/pages/command/securityUtility-createLTPAKeys.adoc +++ b/modules/reference/pages/command/securityUtility-createLTPAKeys.adoc 
@@ -17,15 +17,7 @@ The `securityUtility createLTPAKeys` command creates a set of LTPA keys for use by the server, or that can be shared with multiple servers. If no server or file is specified, an `ltpa.keys` file is created in the current working directory. -When FIPS 140-3 is enabled, set the system properties by using the following JVM_ARGS environment variable to enable the 'securityUtility' tool to create LTPA keys with the 'createLTPAKeys' command: - ----- -export JVM_ARGS="-Xenablefips140-3 -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS" ----- - -After the system properties are set, replace the existing LTPA keys with the newly created LTPA keys. - -For more information about FIPS 140-3, see xref:ROOT:enable-fips.adoc[Run FIPS-compliant applications on Open Liberty]. +For information about creating LTPA keys using FIPS 140-3 approved algorithms, see link:https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-setting-up-fips-compliance[Setting up Liberty for FIPS compliance]. == Usage example
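Review bot: In the enable-fips.adoc hunk, the FIPS 140-2 procedure now sits as a `===` subsection under the new `== Enable FIPS 140-3 for Open Liberty on IBM Semeru Runtimes` heading, whose own body only links out to the WebSphere Liberty instructions, so the structure reads as if the 140-2 steps were part of the 140-3 setup; promote the 140-2 heading to `==` or retitle the parent to cover both modes. The dropped sentence "This option is available only for Java SE 8. For Java SE 11 or later, use IBM Semeru Runtimes." was the only statement of which Java versions each JVM option supports, so if that restriction still holds, restate it in the new paragraph. "outmoded" is informal for reference documentation, and "scheduled to move to the Historical List" gives the reader no date or source; state when, or link the schedule.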
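Review bot: In the network-hardening.adoc hunk, the new recommendation says what restConnector-2.0 provides ("requires TLS and is protected by the administrator and reader roles") but not what localConnector-1.0 lacks, so a reader cannot tell whether the concern is unauthenticated access, missing transport protection, or both; add one sentence naming the specific gap so the "Avoid ... in production" advice is actionable. Also put `localConnector-1.0` and `restConnector-2.0` in monospace in the prose, matching the `allowOverflow` formatting in the surrounding context line.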
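Review bot: Style, in the securityUtility-commands.adoc hunk: the new configureFIPS entry uses the "The command configures ..." form while the reordered generateAESKey entry keeps "Generates a ...", so the list now alternates between two description styles; pick one. Moving generateAESKey below encode restores alphabetical order, which is fine, but the commit would be easier to review if that reorder were noted as intentional.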
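Review bot: In the new securityUtility-configureFIPS.adoc page, the `--customProfileFile` bullets are ambiguous: all three begin "If this option is not provided", so the first one should say "and neither `--server` nor `--client` is used", and "the `/etc` directory of your Liberty installation" should be written as `_path_to_liberty_/wlp/etc` to match the Syntax section and avoid being read as the system `/etc`. The `--disable` row leaves "all servers and clients that were not individually configured" unexplained; say explicitly whether server-level or client-level configurations survive an installation-wide `--disable`, and format `--server`, `--client` and `--disable` in monospace there. Missing documentation: the page never says what the command modifies apart from the custom profile file, or whether a server must be restarted afterwards, and the Usage example section shows only the no-option invocation; add `--server` and `--disable` examples. Wording: "at a specified server" reads better as "for a specified server", and "can not be created" in exit code 4 should be "cannot be created".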
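Review bot: In the securityUtility-createLTPAKeys.adoc hunk, the removed paragraph carried two pieces of operational information that the replacement link does not: the JVM_ARGS system properties needed for `securityUtility createLTPAKeys` under FIPS 140-3, and the instruction to replace the existing LTPA keys with the newly created ones. If `securityUtility configureFIPS` (added in this change, and described as configuring FIPS 140-3 for tools) now sets those properties for the tool, say so in one sentence and xref the new command page rather than linking only to the WebSphere Liberty docs; otherwise keep the key-replacement sentence. The dropped xref to `ROOT:enable-fips.adoc` still applies and should stay, and "creating LTPA keys using FIPS 140-3 approved algorithms" reads better as "creating LTPA keys by using FIPS 140-3 approved algorithms".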