Documentation, Remove default LTPA keys password

[jimmy1wu]

Feature epic details

• For the title of this issue, type: Documentation, Remove default LTPA keys password
• Link to development epic: IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2025-14917 CVSS 6.7) open-liberty#34447
• Target GA release: 26.0.0.4

Operating systems

Does the documentation apply to all operating systems?

• Yes
• No; specify operating systems: ______

Summary

Provide a concise summary of your feature. What is the update, why does it matter, and to whom? What do 80% of target users need to know to be most easily productive using your runtime update?

The default LTPA keys password has been removed to address OpenLiberty/open-liberty#34447.

Configuration

List any new or changed properties, parameters, elements, attributes, etc. Include default values and configuration examples where relevant:

Now, if the keysPassword attribute on the <ltpa /> element is not set, we will use the ltpa_keys_password or keystore_password environment variables from the server.env file as the LTPA keys password if they are set. These are randomly generated on server creation unless the user specifies in the command not to generate them by using the --no-password option (i.e., if they ran ./server create <server-name> --no-password). If ltpa_keys_password and keystore_password are both set, then ltpa_keys_password takes precedence. A password must be defined in the keysPassword attribute, or in the ltpa_keys_password or keystore_password environment variables, to configure the LTPA keys.

Updates to existing topics

To update existing topics, specify a link to the topics that are affected. Include a copy of the current text and the exact text to which it will change. For example: Change ABC to XYZ

• https://openliberty.io/docs/latest/reference/feature/transportSecurity-1.0.html

update:
Open Liberty creates a keystore password when the server is created and puts it in the ${server.config.dir}/server.env file that is in the server home directory. If no keyStore element exists to create the default keystore file, this password is used to create a keystore file. This keystore file is then used as the default keystore file. Likewise, if a defaultKeyStore entry exists without a password in the server.xml file, the password from the server.env file is used to open the file. If you don't want to use the generated keystore password, remove the keystore_password entry from the server.env file. If a default keystore file was already generated with the password from the server.env file, you might need to remove it.

to:
Open Liberty creates a keystore password when the server is created and puts it in the ${server.config.dir}/server.env file that is in the server home directory unless the --no-password option is specified with the server create command. If no keyStore element exists to create the default keystore file, this password is used to create a keystore file. This keystore file is then used as the default keystore file. Likewise, if a defaultKeyStore entry exists without a password in the server.xml file, the keystore password from the server.env file is used to open the file.

The keystore password from the server.env file is also used as the LTPA keys password if the keysPassword attribute in the ltpa element and the ltpa_keys_password environment variable are not defined. For more information, see LTPA Token (ltpa).

If you don't want to use the generated keystore password, remove the keystore_password entry from the server.env file. If a default keystore file was already generated with the password from the server.env file, you might need to remove it.

• https://openliberty.io/docs/latest/reference/command/server-create.html#_options

update:
When this option is specified, no default keystore password is generated when the server is created.

to:
When this option is specified, no default keystore password nor default LTPA keys password is generated when the server is created.

Create a new topic

To create a topic, specify a first draft of the topic that you want added and the section in the navigation where the topic should go.

[ramkumar-k-9286]

Hi Jimmy @jimmy1wu

Suggested changes have been made to the pages.

Draft link:

https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/feature/transportSecurity-1.0.html

https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/command/server-create.html#_options

Please review the same and add the Developer Reviewed label if you are satisfied with the changes.

Regards,
Ramkumar.

[jimmy1wu]

hi @ramkumar-k-9286 ,

https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/feature/transportSecurity-1.0.html

can we update:
The keystore password from the server.env file is also used as the LTPA keys password if the keysPassword attribute in the ltpa element and the ltpa_keys_password environment variable are not defined. For more information, see LTPA Token (ltpa).

to:
The keystore_password from the server.env file is also used as the LTPA keys password if the keysPassword attribute in the ltpa element in the server.xml file and the ltpa_keys_password environment variable in the server.env file are not defined. For more information, see the keysPassword description in the LTPA configuration element.

--

also, can we update this doc as well https://openliberty.io/docs/latest/reference/feature/appSecurity-2.0.html#ltpa (applies to all appSecurity versions)

can we update:
When the Application Security feature is enabled, Lightweight Third-Party Authentication (LTPA) is enabled by default. You can override the default settings for the ltpa element by configuring the ltpa element in the server.xml file. The following example shows how to configure the ltpa element:

<ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword" expiration="120" />

to:
When security features are enabled, Lightweight Third-Party Authentication (LTPA) is enabled by default.

The LTPA keys are encrypted using a password and stored in the ltpa.keys file. If a keysPassword is configured in the ltpa element, then it will be used as the password to encrypt the LTPA keys. If it is not configured, the LTPA keys are encrypted by using a randomly generated password created during server creation (unless the --no-password option is specified with the server create command) and stored as ltpa_keys_password in the server.env file.

On existing servers where the ltpa_keys_password does not exist, and the keysPassword is not specified in the ltpa element, the LTPA keys are encrypted by using the keystore_password in the server.env file.

Note: If a keyPassword is not configured in the ltpa element in the server.xml file, and if the ltpa_keys_password and keystore_password environment variables are not set in the server.env file, such as when the --no-password option is specified with the server create command, then then the LTPA service will fail.

You can override the default settings for the ltpa element by configuring the ltpa element in the server.xml file. The following example shows how to configure the ltpa element:

<ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="changeIt" expiration="120" />

--

i'm also wondering if it's possible to reference the upcoming 26.0.0.4 release blog in these docs, when the docs freeze is, and if you'll be working on https://github.ibm.com/websphere/liberty-docs/issues/4671 as well?

[ramkumar-k-9286]

Hi Jimmy @jimmy1wu

Suggested changes have been made to the pages.

Draft link:

https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/feature/transportSecurity-1.0.html

https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/command/server-create.html#_options

https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/feature/appSecurity-2.0.html#ltpa

Please review the same and add the Developer Reviewed label if you are satisfied with the changes.

The WL issue ( https://github.ibm.com/websphere/liberty-docs/issues/4671 ) - has been picked up by Jeff Antley

Regards,
Ramkumar.