OpenLiberty · navaneethsnair1 · Sep 2, 2025 · Sep 2, 2025
diff --git a/posts/2025-09-09-25.0.0.9.adoc b/posts/2025-09-09-25.0.0.9.adoc
@@ -1,19 +1,19 @@
 ---
 layout: post
-title: "ECDH-ES support added to JwtBuilder"
+title: "ECDH-ES support added to JwtBuilder in 25.0.0.9"
 # Do NOT change the categories section
 categories: blog
 author_picture: https://avatars3.githubusercontent.com/IsmathBadsha
 author_github: https://github.com/IsmathBadsha
-seo-title: ECDH-ES support added to JwtBuilder - OpenLiberty.io
+seo-title: ECDH-ES support added to JwtBuilder in 25.0.0.9 - OpenLiberty.io
 seo-description: 'This release introduces ECDH-ES support in JwtBuilder.'
 blog_description: 'This release introduces ECDH-ES support in JwtBuilder.'
 open-graph-image: https://openliberty.io/img/twitter_card.jpg
 open-graph-image-alt: Open Liberty Logo
 ---
-= ECDH-ES support added to JwtBuilder
+= ECDH-ES support added to JwtBuilder in 25.0.0.9
 Ismath Badsha <https://github.com/IsmathBadsha>
-:imagesdir: /
+:imagesdir: /s
 :url-prefix:
 :url-about: /
 //Blank line here is necessary before starting the body of the post.
@@ -66,16 +66,10 @@ This release introduces ECDH-ES support in JwtBuilder.
 
 In link:{url-about}[Open Liberty] 25.0.0.9:
 
-* <<ECDH-ES, Add ECDH-ES support to JwtBuilder>>
+* <<ECDH_ES, Add ECDH-ES support to JwtBuilder>>
 * <<CVEs, Security Vulnerability (CVE) Fixes>>
 * <<bugs, Notable bug fixes>>
 
-
-// // // // // // // //
-// If there were updates to guides since last release, keep the following, otherwise remove section.
-// // // // // // // //
-Along with the new features and functions added to the runtime, we’ve also made <<guides, updates to our guides>>.
-
 // // // // // // // //
 // In the preceding section:
 // Replace the TAG_X with a short label for the feature in lower-case, eg: mp3
@@ -161,30 +155,37 @@ image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="cent
 // Blog issue: https://github.com/OpenLiberty/open-liberty/issues/32660
 // Contact/Reviewer: tloodu
 // // // // // // // // 
-[#ECDH-ES]
+[#ECDH_ES]
 == Add ECDH-ES support to JwtBuilder
 
-Open Liberty has enhanced its JSON Web Token 1.0 (`jwt-1.0`) feature by introducing support for ECDH-ES (Elliptic Curve Diffie-Hellman Ephemeral Static) as a key management algorithm in the JwtBuilder configuration. This update allows application developers to use Elliptic Curve Cryptography for encrypting the Content Encryption Key (CEK) of a JWE, providing a modern alternative to the previously supported RSA-OAEP with enhanced security.To use ECDH-ES, developers must define an Elliptic Curve public key in the keyManagementKeyAlias attribute.The EC public and private key pair can be generated using securityUtility or keytool, for example:
-  - `./securityUtility createSSLCertificate --sigAlg=SHA256withECDSA --keySize=256 --server=myServer --validity=3650 --password=password`
-  - `keytool -genkeypair -alias eccert -keyalg EC -groupname secp256r1 -validity 3650 -storetype pkcs12 -keystore myKeystore.p12 -storepass password`
-ECDH-ES can be configured under the `keyManagementKeyAlgorithm` attribute in a JwtBuilder element of `JSON Web Token 1.0` (`jwt-1.0`) feature.The EC public key used for encryption must be referenced by its alias in `keyManagementKeyAlias`, and the keystore must be specified using the `trustStoreRef` attribute.
-Sample server.xml configuration:
+Open Liberty has enhanced its JSON Web Token 1.0 (`jwt-1.0`) feature by introducing support for ECDH-ES (Elliptic Curve Diffie-Hellman Ephemeral Static) as a key management algorithm in the JwtBuilder configuration. This update allows application developers to use Elliptic Curve Cryptography for encrypting the Content Encryption Key (CEK) of a JWE, providing a modern alternative to the previously supported RSA-OAEP with enhanced security. 
 
-[source,xml]
+To use ECDH-ES, developers must define an Elliptic Curve public key in the `keyManagementKeyAlias` attribute. The EC public and private key pair can be generated using securityUtility or keytool, for example:
++
+```
+./securityUtility createSSLCertificate --sigAlg=SHA256withECDSA --keySize=256 --server=myServer --validity=3650 --password=password
+```
++
+```
+keytool -genkeypair -alias eccert -keyalg EC -groupname secp256r1 -validity 3650 -storetype pkcs12 -keystore myKeystore.p12 -storepass password
+```
+
+ECDH-ES can be configured under the `keyManagementKeyAlgorithm` attribute in a JwtBuilder element of `JSON Web Token 1.0` (jwt-1.0) feature. The EC public key used for encryption must be referenced by its alias in `keyManagementKeyAlias`, and the keystore must be specified using the `trustStoreRef` attribute.
+
+Sample server.xml configuration:
++
+[source, xml]
 ----
 <jwtBuilder
     keyManagementKeyAlgorithm="ECDH-ES"
     keyManagementKeyAlias="myECPublicKey"
     trustStoreRef="myTrustStore" ... />
 ----
-For more details on configuring `JwtBuilder` and using ECDH-ES, refer to the https://openliberty.io/docs/latest/reference/config/jwtBuilder.html[Open Liberty documentation].
+
+For more details on configuring `JwtBuilder` and using ECDH-ES, check the link:https://openliberty.io/docs/latest/reference/config/jwtBuilder.html[Open Liberty documentation].
 
-
 // DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> 
 
-
-For more details, check the LINK[LINK_DESCRIPTION].
-
 // // // // // // // //
 // In the preceding section:
 // Replace TAG_X/SUB_TAG_X with the given tag of your secton from the contents list
@@ -210,19 +211,19 @@ For more details, check the LINK[LINK_DESCRIPTION].
 |5.3
 |Denial of service
 |18.0.0.2-25.0.0.8
-|Affects the `feature:servlet-3.1`, `feature:servlet-4.0`, `feature:servlet-5.0` and `feature:servlet-6.0` features
+|Affects the `servlet-3.1`, `servlet-4.0`, `servlet-5.0` and `servlet-6.0` features
 
 |https://www.cve.org/CVERecord?id=CVE-2025-48976[CVE-2025-48976]
 |7.5
 |Denial of service
 |17.0.0.3-25.0.0.8
-|Affects the `feature:servlet-3.1`, `feature:servlet-4.0`, `feature:servlet-5.0` and `feature:servlet-6.0` features
+|Affects the `servlet-3.1`, `servlet-4.0`, `servlet-5.0` and `servlet-6.0` features
 
 |https://www.cve.org/CVERecord?id=CVE-2025-36124[CVE-2025-36124]
 |5.9
 |Bypass security
 |17.0.0.3-25.0.0.8
-|Affects the `feature:wasJmsServer-1.0`, `feature:wasJmsSecurity-1.0`, `feature:wasJmsClient-2.0`, `feature:messagingServer-3.0`, `feature:messagingSecurity-3.0` and `feature:messagingClient-3.0` features
+|Affects the `wasJmsServer-1.0`, `wasJmsSecurity-1.0`, `wasJmsClient-2.0`, `messagingServer-3.0`, `messagingSecurity-3.0` and `messagingClient-3.0` features
 |===
 // // // // // // // //
 // In the preceding section:
@@ -288,22 +289,6 @@ We’ve spent some time fixing bugs. The following sections describe just some o
 // // // // // // // //
 
 
-// // // // // // // //
-// If there were updates to guides since last release, keep the following, otherwise remove section.
-// Check with Gilbert Kwan, otherwise Michal Broz or YK Chang
-// // // // // // // //
-[#guides]
-== New and updated guides since the previous release
-As Open Liberty features and functionality continue to grow, we continue to add link:https://openliberty.io/guides/?search=new&key=tag[new guides to openliberty.io] on those topics to make their adoption as easy as possible.  Existing guides also receive updates to address any reported bugs/issues, keep their content current, and expand what their topic covers.
-
-// // // // // // // //
-// In the following section, list any new guides, or changes/updates to existing guides.  
-// The following is an example of how the list can be structured (similar to the bugs section):
-// * link:{url-prefix}/guides/[new/updated guide].html[Guide Title]
-//  ** Description of the guide or the changes made to the guide.
-// // // // // // // //
-
-
 == Get Open Liberty 25.0.0.9 now
 
 Available through <<run,Maven, Gradle, Docker, and as a downloadable archive>>.