8 changes: 4 additions & 4 deletions posts/2025-09-09-25.0.0.9.adoc
Expand Up @@ -157,9 +157,9 @@ image::img/blog/blog_btn_stack.svg[Ask a question on Stack Overflow, align="cent
[#ECDH_ES]
== Add ECDH-ES support to JWT Builder

Open Liberty enhances its JSON Web Token 1.0 (`jwt-1.0`) feature by introducing support for ECDH-ES (Elliptic Curve Diffie-Hellman Ephemeral Static) as a key management algorithm in the `jwtBuilder` configuration. This update allows application developers to use Elliptic Curve Cryptography to determine the Content Encryption Key (CEK) of a JSON Web Encryption (JWE) token, providing a modern alternative to the previously supported RSA-OAEP with enhanced security.
Open Liberty enhances its JSON Web Token 1.0 (`jwt-1.0`) feature by introducing support for ECDH-ES (Elliptic Curve Diffie-Hellman Ephemeral Static) as a key management algorithm in the `jwtBuilder` configuration. This update allows application developers to use Elliptic Curve Cryptography to determine the Content Encryption Key (CEK) of a JSON Web Encryption (JWE) token. By offering a modern alternative to the previously supported RSA-OAEP, the enhancement delivers improved security through ECDH-ES.

To use ECDH-ES, developers must define an Elliptic Curve (EC) public key in the `keyManagementKeyAlias` attribute. The EC public and private key pair can be generated using the securityUtility or the keytool, for example:
To use ECDH-ES, developers must define an Elliptic Curve (EC) public key in the `keyManagementKeyAlias` attribute. The EC public and private key pair can be generated using the `securityUtility` or the `keytool`, for example:

----
./securityUtility createSSLCertificate --sigAlg=SHA256withECDSA --keySize=256 --server=myServer --validity=3650 --password=password
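Review bot: the rewritten closing sentence of the intro paragraph ("the enhancement delivers improved security through ECDH-ES") is a vaguer claim than the one it replaces, not a sharper one; say concretely what the reader gains, for example that an EC key pair at the same security level is much smaller than an RSA-OAEP key and that ECDH-ES derives a fresh ephemeral key agreement per token. The second paragraph also says developers "define an Elliptic Curve (EC) public key in the `keyManagementKeyAlias` attribute", but the attribute only names an alias; the key itself lives in the store that the alias is resolved against, so "reference the alias of an EC certificate" would be accurate. Finally, the `securityUtility` and `keytool` examples pass `--password=password` and `-storepass password` on the command line; a placeholder such as `<your-password>` would avoid readers copying a literal weak password into a shell history.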
Expand All @@ -169,7 +169,7 @@ To use ECDH-ES, developers must define an Elliptic Curve (EC) public key in the
keytool -genkeypair -alias eccert -keyalg EC -groupname secp256r1 -validity 3650 -storetype pkcs12 -keystore myKeystore.p12 -storepass password
----

ECDH-ES can be configured under the `keyManagementKeyAlgorithm` attribute in a `jwtBuilder` element of `JSON Web Token 1.0` (jwt-1.0) feature. Reference the EC public key used by the ECDH-ES key management algorithm by its alias in `keyManagementKeyAlias`, and specify the keystore using the `trustStoreRef` attribute.
ECDH-ES can be configured under the `keyManagementKeyAlgorithm` attribute in a `jwtBuilder` element of JSON Web Token 1.0 (`jwt-1.0`) feature. Reference the EC public key used by the ECDH-ES key management algorithm by its alias in `keyManagementKeyAlias`, and specify the keystore using the `trustStoreRef` attribute.

Sample `server.xml` configuration:
[source, xml]
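Review bot: the sentence still has a store-type mismatch: it tells the reader to "specify the keystore using the `trustStoreRef` attribute", while the attribute name (and the `trustStoreRef="myTrustStore"` value in the sample below) refers to a truststore. Suggest "and specify the truststore that holds that certificate using the `trustStoreRef` attribute". The same sentence is also missing an article: "in a `jwtBuilder` element of the JSON Web Token 1.0 (`jwt-1.0`) feature".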
Expand All @@ -180,7 +180,7 @@ Sample `server.xml` configuration:
trustStoreRef="myTrustStore" ... />
----

For more details on configuring `jwtBuilder`, check the link:https://openliberty.io/docs/latest/reference/config/jwtBuilder.html[Open Liberty documentation].
For more information on configuring `jwtBuilder`, see the link:https://openliberty.io/docs/latest/reference/config/jwtBuilder.html[Open Liberty documentation].

// DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC>

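Review bot: the sample `server.xml` ends at `trustStoreRef="myTrustStore" ... />` and never shows the `keyStore` element with `id="myTrustStore"` that this reference resolves to, nor how the alias created by the `securityUtility`/`keytool` commands earlier in the post (`eccert`) is supplied in `keyManagementKeyAlias`; readers copying the fragment will get an unresolved reference. Consider expanding the elided `...` to show both the `keyManagementKeyAlgorithm="ECDH-ES"` and `keyManagementKeyAlias` attributes together with the matching `keyStore` element so the sample is complete on its own.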