WebSphere Application Server & Liberty

  • 1.  WebSphere Liberty - Various questions seeking answers

    IBM Champion
    Posted Fri September 29, 2023 10:10 AM

    Hello,

    I'm investigating some issues with WebSphere Liberty for which I can't find clear answers yet. So I hope someone here can help with the following questions:

    1. How can we set the variable wlp.password.encryption.key? Can it be set via an environment variable?
      We are wondering if we can set the Liberty variable wlp.password.encryption.key via an environment variable as well. As per the documentation it seems that this variable can only be set via files. Setting it in server.xml is discouraged but it seems that the variable should be set by importing files outside the Liberty profile tree. I have not found any info that this can be set via an environment variable (tested that and it did not work for us). Is it correct that we can't set the wlp.password.encryption.key via an environment variable? I can imagine that this is done on purpose for security reasons but would seek confirmation.
    2. Which key-store is used by the feature utility? When using an https URL for the feature utility the connection fails (using http works fine). So we are wondering where we should add the signer certificate for the URL? We've added the signer of the URL's certificate to the JDK's cacerts file but that seems not to work? How can we debug that?
    3. We are using the images from the Container images documentation as the base images for our images. As the development team is reluctant to permanently use the latest Liberty versions (even though the features being loaded are the same) we are supposed to build from a certain image for some time. Let's say we are building based on icr.io/appcafe/open-liberty:22.0.0.6-kernel-slim-java17-openj9-ubi. As WebSphere Liberty provides a 5-year support period with security fixes created for 2 years automatically, we are wondering how this is handled with containers. For example, if we use the icr.io/appcafe/open-liberty:22.0.0.6-kernel-slim-java17-openj9-ubi and build based on this image today - will this contain all the security fixes for Liberty and the OS since its release in June 2022?
    4. WebSphere Liberty is very flexible with its configuration by using the server.xml. We are wondering if there is a way to remove features via config files in ${server.config.dir}/configDropins/overrides/ which were added, for example, in ${server.config.dir}/server.xml? For example, if a basicRegistry is configured in ${server.config.dir}/server.xml, is there a way to remove that feature again using a configuration file in ${server.config.dir}/configDropins/overrides/?

    Thanks a lot in advance for clarifications of that, Hermann



    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------


  • 2.  RE: WebSphere Liberty - Various questions seeking answers

    Posted Fri September 29, 2023 11:14 AM

    > ... if we use the icr.io/appcafe/open-liberty:22.0.0.6-kernel-slim-java17-openj9-ubi and build based on this image today  - will this contain all the security fixes for Liberty and the OS since its release in June 2022?

    No, the image will always have the same 22.0.0.6 and will be updated only with OS and Java fixes (for about 6 months).

    https://github.com/OpenLiberty/ci.docker/blob/main/docs/icr-images.md

    Applying any available interim fixes has to be done in the application image build.



    ------------------------------
    Eric Covener
    ------------------------------



  • 3.  RE: WebSphere Liberty - Various questions seeking answers

    Posted Fri September 29, 2023 12:12 PM
    Hi, Hermann
    1 - Is wlp.password.encryption.key an environment variable?
     
    You are correct. The code expects it to be a JVM property, rather than an environment variable. This code is one of our automated tests. It sets wlp.password.encryption.key as a JVM property.
     
    2 - What keystore is featureUtility using?
     
    Please incorporate "-Djavax.net.debug=all" into the featureUtility.bat or the featureUtility command. This will enable the JSSE trace output to display information about the keystore in use.


    ------------------------------
    Hiroko Takamiya
    IBM
    ------------------------------



  • 4.  RE: WebSphere Liberty - Various questions seeking answers

    Posted Fri September 29, 2023 03:36 PM
    Edited by Scott Kurz Fri September 29, 2023 03:36 PM

    For 4), I think your best bet is to factor out your config so that the elements you want to "disable" or override are only conditionally included vs. not-included in the first place. 

    You could do that via an <include> element: https://openliberty.io/docs/latest/reference/config/server-configuration-overview.html#include-processing  or via conditionally copying (or not copying) the XML into the configDropins locations (which you're already familiar with).



    ------------------------------
    Scott Kurz
    ------------------------------
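
One way to do the conditional copying described in the reply above, as an added example that is not part of the original thread or of Liberty itself: optional config such as the basicRegistry is kept out of server.xml in separate fragment files, and a POSIX shell function run at image build or container start copies only the enabled fragments into configDropins/overrides. The `stage_dropins` function, the fragment directory layout and the fragment names are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helper, not shipped with Liberty.
# Optional config (e.g. a basicRegistry) lives in <name>.xml fragment files
# instead of server.xml; only enabled fragments reach configDropins/overrides.

# stage_dropins <fragment_dir> <server_config_dir> <enabled_list>
#   fragment_dir       directory holding <name>.xml fragments (assumed layout)
#   server_config_dir  the directory Liberty resolves as ${server.config.dir}
#   enabled_list       space-separated fragment names, e.g. "basic-registry"
# Returns 0 on success, 2 for an unsafe name, 3 for an unknown fragment.
stage_dropins() {
    frag_dir=$1
    cfg_dir=$2
    enabled=$3
    target="$cfg_dir/configDropins/overrides"

    mkdir -p "$target" || return 1

    # Remove previously staged copies first, so a fragment dropped from the
    # list (a dev-only registry, say) is really gone from the running config.
    # Files in overrides/ that do not come from frag_dir are left alone.
    for f in "$frag_dir"/*.xml; do
        [ -e "$f" ] || continue
        rm -f "$target/$(basename "$f")"
    done

    for name in $enabled; do
        # Plain names only: no leading dot, no path separators, so the list
        # cannot be used to copy files from outside frag_dir.
        case $name in
            .*|*[!A-Za-z0-9._-]*)
                echo "rejecting fragment name: $name" >&2
                return 2 ;;
        esac
        src="$frag_dir/$name.xml"
        if [ ! -f "$src" ]; then
            echo "unknown fragment: $name" >&2
            return 3
        fi
        cp "$src" "$target/$name.xml" || return 1
    done
}
```

Calling it with an empty list leaves the server with only what server.xml itself defines, which is the "not included in the first place" state the reply recommends.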