|
| 1 | +// Copyright (c) 2025 IBM Corporation and others. |
| 2 | +// Licensed under Creative Commons Attribution-NoDerivatives |
| 3 | +// 4.0 International (CC BY-ND 4.0) |
| 4 | +// https://creativecommons.org/licenses/by-nd/4.0/ |
| 5 | +// |
| 6 | +// Contributors: |
| 7 | +// IBM Corporation |
| 8 | +// |
| 9 | +:page-description: The Bring your own AES-256 key feature allows you to supply a Base64-encoded 256-bit AES key for password encryption in Open Liberty. By providing a pre-generated key, you can avoid deriving a key from a passphrase during server startup and improve performance when encrypted values are processed. |
| 10 | +:seo-title: Bring your own AES-256 key for Liberty passwords |
| 11 | +:page-layout: general-reference |
| 12 | +:page-type: general |
| 13 | + |
| 14 | + |
| 15 | += Bring your own AES-256 key for Liberty passwords |
| 16 | + |
| 17 | +The Bring your own AES-256 key feature allows you to supply a Base64-encoded 256-bit AES key for password encryption in Open Liberty. By providing a pre-generated key, you can avoid deriving a key from a passphrase during server startup and improve performance when encrypted values are processed. |
| 18 | + |
| 19 | +In earlier versions, Open Liberty supported the `wlp.password.encryption.key` variable, which accepted a password and derived an AES key by repeatedly hashing the password with a salt over many iterations. This derivation increased CPU cost overhead and slowed server startup. |
| 20 | + |
| 21 | +By specifying the `wlp.aes.encryption.key` configuration variable with a Base64-encoded 256-bit AES key, you bypass key derivation. The encoded password format remains unchanged, which supports migrations from traditional WebSphere Application Server (tWAS). Future migration tooling will allow tWAS encryption keys to be exported for use with Liberty. |
| 22 | + |
| 23 | +== Generate a 256-bit AES key |
| 24 | + |
| 25 | +You can obtain a 256-bit AES key from your security infrastructure or generate one by using the `securityUtility generateAESKey` command. |
| 26 | + |
| 27 | +To generate a random AES key, run the following command. |
| 28 | + |
| 29 | +[source,sh] |
| 30 | +---- |
| 31 | +securityUtility generateAESKey |
| 32 | +---- |
| 33 | + |
| 34 | +To derive a key from a passphrase, specify the `--key` option. |
| 35 | + |
| 36 | +[source,sh] |
| 37 | +---- |
| 38 | +securityUtility generateAESKey --key=<password> |
| 39 | +---- |
| 40 | + |
| 41 | +Optionally, To generate a key and automatically create an XML configuration file, use the following example. |
| 42 | + |
| 43 | +[source,sh] |
| 44 | +---- |
| 45 | +securityUtility generateAESKey --createConfigFile=myAesConfig.xml |
| 46 | +---- |
| 47 | + |
| 48 | +== Configure the AES key in Liberty |
| 49 | + |
| 50 | +To configure the AES key directly in your `server.xml` file, add the following variable definition. |
| 51 | + |
| 52 | +[source,xml] |
| 53 | +---- |
| 54 | +<variable name="wlp.aes.encryption.key" value="<your_aes_key>" /> |
| 55 | +---- |
| 56 | + |
| 57 | +Or to load the AES key from an external configuration file (such as the one generated by `generateAESKey --createConfigFile`), include the file by using the following configuration. |
| 58 | + |
| 59 | +[source,xml] |
| 60 | +---- |
| 61 | +<include location="/path/to/aesConfig.xml" /> |
| 62 | +---- |
| 63 | + |
| 64 | +== Encode passwords with the AES key |
| 65 | + |
| 66 | +You can encode passwords that use the AES-256 key by running the `securityUtility encode` command. |
| 67 | + |
| 68 | +To specify the Base64-encoded key directly, use the following options. |
| 69 | + |
| 70 | +[source,sh] |
| 71 | +---- |
| 72 | +securityUtility encode --encoding=aes --base64Key=<your_base64_key> <password> |
| 73 | +---- |
| 74 | + |
| 75 | +To use an XML or Java properties file that contains the AES key variable, specify the `--aesConfigFile` option: |
| 76 | + |
| 77 | +[source,sh] |
| 78 | +---- |
| 79 | +securityUtility encode --encoding=aes --aesConfigFile=<xml_or_properties_file> <password> |
| 80 | +---- |
| 81 | + |
| 82 | +Copy the resulting encrypted value into your Liberty configuration. |
| 83 | + |
| 84 | +[NOTE] |
| 85 | +==== |
| 86 | +For best performance, re-encode all passwords by using the new AES-256 key. Open Liberty supports older password formats, but full migration provides consistent startup performance. |
| 87 | +
|
| 88 | +
|
| 89 | +Liberty commands that support AES encryption accept the following options: |
| 90 | +
|
| 91 | +* `--base64Key` or `--passwordBase64Key`: Provide the Base64-encoded AES-256 key directly. |
| 92 | +
|
| 93 | +* `--aesConfigFile`: Provide a configuration file that defines either `wlp.aes.encryption.key` or `wlp.password.encryption.key`. |
| 94 | +==== |
| 95 | + |
| 96 | +== Updated certificate and key management tasks |
| 97 | + |
| 98 | +The `securityUtility createSSLCertificate` and `securityUtility createLTPAKeys` commands support AES-based encryption options. |
| 99 | + |
| 100 | +To generate an SSL certificate by using a Base64-encoded AES key for encrypting the keystore password, run the following command: |
| 101 | + |
| 102 | +[source,sh] |
| 103 | +---- |
| 104 | +securityUtility createSSLCertificate \ |
| 105 | + --password=password \ |
| 106 | + --passwordEncoding=aes \ |
| 107 | + --aesConfigFile=aesConfig.xml \ |
| 108 | + --server=server1 |
| 109 | +---- |
| 110 | + |
| 111 | +The following example shows how to create LTPA keys by using a configuration file that contains the AES key definition: |
| 112 | + |
| 113 | +[source,sh] |
| 114 | +---- |
| 115 | +securityUtility createLTPAKeys \ |
| 116 | + --passwordEncoding=aes \ |
| 117 | + --aesConfigFile=aesConfig.xml \ |
| 118 | + --password=password \ |
| 119 | + --file=ltpa.keys |
| 120 | +---- |
| 121 | + |
| 122 | +== New securityUtility task |
| 123 | + |
| 124 | +The `generateAESKey` task generates a Base64-encoded 256-bit AES key for the `wlp.aes.encryption.key` variable. |
| 125 | + |
| 126 | +To display command usage, see the following syntax: |
| 127 | + |
| 128 | +[source,sh] |
| 129 | +---- |
| 130 | +securityUtility generateAESKey [options] |
| 131 | +---- |
| 132 | + |
| 133 | +=== Description |
| 134 | + |
| 135 | +Generates a value for the `wlp.aes.encryption.key` configuration variable. If no options are specified, a random AES key is generated. |
| 136 | + |
| 137 | +=== Options |
| 138 | + |
| 139 | +`--createConfigFile=<name>`:: |
| 140 | +Creates an XML file that contains the generated AES key in the `wlp.aes.encryption.key` variable. If this option is omitted, the generated key is written to the console. |
| 141 | + |
| 142 | +`--key=<string>`:: |
| 143 | +Derives an AES key from the provided passphrase. If omitted, a random AES key is generated. |
| 144 | + |
| 145 | +== Configuration reference |
| 146 | + |
| 147 | +The following variable, task, and command options support the Bring your own AES-256 key feature. |
| 148 | + |
| 149 | +[cols="30,70", options="header"] |
| 150 | +|=== |
| 151 | +| Name | Description |
| 152 | + |
| 153 | +| `wlp.aes.encryption.key` |
| 154 | +| Stores a Base64-encoded 256-bit AES key for password encryption. |
| 155 | + |
| 156 | +| `generateAESKey` |
| 157 | +| A `securityUtility` task that generates an AES-256 key and optionally writes it to an XML configuration file. |
| 158 | + |
| 159 | +| `--base64Key=<value>` |
| 160 | +| Specifies a Base64-encoded 256-bit AES key that is used to encrypt and decrypt passwords. Cannot be combined with `--aesConfigFile` or `--key`. |
| 161 | + |
| 162 | +| `--aesConfigFile=<file>` |
| 163 | +| Specifies an XML or properties file that contains either the `wlp.password.encryption.key` or `wlp.aes.encryption.key` variable. Only one variable can be present in a file. Cannot be combined with `--base64Key` or `--key`. |
| 164 | + |
| 165 | +| `--passwordBase64Key=<value>` |
| 166 | +| Used by SSL certificate and LTPA key utilities to encrypt generated passwords by using a Base64-encoded AES-256 key. Cannot be combined with `--aesConfigFile` or `--passwordKey`. |
| 167 | +|=== |
| 168 | + |
0 commit comments