What is new in this release of Liberty
This release introduces key enhancements to Liberty.
What's new
Many of the latest features for Liberty are now documented on the Open Liberty website. For more information about new Liberty features and capabilities, see the Open Liberty blog.
The Liberty features topic lists the features available in Liberty products and highlights recently introduced features with a fix pack icon. Recent fix packs provide the following key enhancements:
- Java SE 22 support for archive installations
- The 24.0.0.4 release adds
support for Java™ Platform, Standard Edition (Java SE) Version 22. You can use Java SE 22 with Liberty 24.0.0.4 or
later. Java SE 22 is a non-Long-Term-Support (LTS) version of
Java. Liberty runs on any of the Java SE
versions that are listed in the Supported Java Releases table on the Open Liberty
website. For more information, see Updating the
Liberty
Java runtime environment or software development kit
and the Open Liberty blog.
The IBM i platform supports only Java SE 8, Java SE 11, and Java SE 17. Java SE 21 and Java SE 22 are not yet supported on IBM i.
- Debug performance issues with default verbose garbage collection
-
Enabling verbose garbage collection for your Java runtime can help you debug memory leaks and other performance bottlenecks. Starting in 24.0.0.3, verbose garbage collection is enabled by default when you use IBM Java or IBM Semeru Runtimes as your Java implementation.
Up to 10 verbosegc.XXX.log rolling log files are created in your log directory, with 1024 GC cycles per file, where
XXX
represents the sequence number of the log file. Previously, verbose garbage collection for Liberty was not enabled by default, regardless of the Java implementation. For more information, see the Open Liberty website. - Enhance security with back-channel logout for OpenID Connect clients and servers
-
Back-channel logout allows OpenID Connect servers to directly notify OpenID Connect clients of a user logout so each OpenID Connect client can also log the user out locally.
Previously, OpenID Connect servers could notify OpenID Connect clients that a user logged out only by using iframes that were embedded in the OpenID Connect client’s web page. If the web page wasn’t active, the OpenID Connect client wasn’t notified of the logout that occurred on the OpenID Connect server. Back-channel logout solves this problem through direct communication between the OpenID Connect server and clients. For more information, see the Open Liberty blog.
- Java 21 Support for Installation Manager
- Installation Manager supports Java 21 in Liberty environments. This update builds upon the existing Java 21 support for archive installations, which was introduced in version 23.0.0.11. For more information, see Installing, updating, and uninstalling the Java SDK.
- Red Hat OpenShift Container Platform 4.15
-
Support for Red Hat OpenShift Container Platform 4.15 is added in 24.0.0.3.
- Configure Liberty InstantOn for applications that manage users and groups with SCIM
- Liberty InstantOn, which improves startup
times for containerized applications, now supports the System for Cross-domain Identity Management feature
(
scim-1.0
). For more information, see Faster startup for containerized applications with Liberty InstantOn and Configuring SCIM for user and group member management. - Negatively acknowledge messages with MicroProfile Reactive Messaging 3.0 and MicroProfile Streams Operators 3.0
- The MicroProfile Reactive
Messaging 3.0 and MicroProfile Streams Operators 3.0 features introduce new functions, including
negative acknowledgments, emitters, and backpressure support. Previously, MicroProfile Reactive
Messaging could only positively acknowledge messages. If a problem existed with the payload or if
exceptional behavior occurred, no mechanism was available to indicate or to handle the problem if it
occurred within the stream. The updated feature and
liberty-kafka
connector can send or handle these events. For more information, see the Open Liberty blog and Optimizing asynchronous communication with MicroProfile Reactive Messaging on the Open Liberty website.
- Use InstantOn with more Liberty features
- InstantOn supports a subset of Liberty features. InstantOn now supports features that enable Jakarta and Java XML Web Services and Jakarta and Java Mail functions, and more versions of previously supported features. For more information, see the Open Liberty website.
- Verify the authenticity of the Liberty public key
- WebSphere Liberty uses its private key to
digitally sign each Liberty release. You can
use the Liberty public key to check the
signature, verify that the package was released by IBM, and that it was not modified since its
release. Starting in version 24.0.0.1, you can also verify the authenticity of the Liberty public key by using a provided
certificate (
.cer
) file. For more information, see Verifying Liberty release packages. - WebSphere Liberty operator 1.3.1
-
Update to the new 1.3.1 release of WebSphere Liberty operator. Version 1.3.1 adds security fix updates for operating system packages and API libraries.
- MicroProfile 6.1 support
- The 23.0.0.12 release adds support for the MicroProfile programming model version 6.1, which aligns with Jakarta EE 10. MicroProfile 6.1 is a minor release. It includes new versions of the MicroProfile Config, MicroProfile Telemetry, and MicroProfile Metrics features.If you are updating your application from using MicroProfile 6.0 features to using MicroProfile 6.1 features, changes in API behavior might require you to update your application code. For more information, see Differences between MicroProfile 6.1 and 6.0 on the Open Liberty website and the Open Liberty blog.
- Configure the MicroProfile OpenAPI endpoint path
- MicroProfile OpenAPI
generates and serves OpenAPI documentation for Restful Web Services (or JAX-RS) applications that
are deployed to Liberty. OpenAPI
documentation is served from the
/openapi
endpoint and a user interface for browsing this documentation is served from the/openapi/ui
endpoint. With MicroProfile OpenAPI 3.1 in Liberty 23.0.0.12 and later, you can configure the paths for these endpoints by adding configuration to yourserver.xml
file. For more information, see the Open Liberty website. - Support LTPA keys rotation without a planned outage
- In 23.0.0.12 and later, Liberty can automatically generate new primary LTPA keys files while it continues to use validation keys files to validate LTPA tokens. With this update, you can rotate LTPA keys without any disruption to the application user experience. Previously, application users had to log in to their applications again after the Liberty server LTPA keys were rotated. For more information, see the Open Liberty website.
- Send the resource parameter with an authorization request that uses the authorization code flow
- Authorization requests can be made by using either the implicit flow or the authorization code flow. When requests use the implicit flow, all tokens are returned from the authorization endpoint and the token endpoint is not used. When requests use the authorization code flow, all tokens are returned from the token endpoint. Previously, Liberty sent the resource parameter only during an implicit flow request. If your request needed the resource parameter but could use only the authorization code flow, the request failed. This update enables the resource parameter to be sent with the authorization code flow. For more information, see the Open Liberty blog.
- Obtain the role information from the OpenID Connect access token
- ID tokens are JSON Web Tokens that conform to the OpenID Connect specification. Previously, Open ID Connect user role information could be obtained only from this ID token. If role information was not provided within the ID token, then the information was not found. This update provides checks to attempt to obtain role information from the Access Token if it is not found within the ID token. For more information, see the Open Liberty website.
- Liberty Maven plug-in 3.10 and Liberty Gradle plug-in 3.8
- New releases for Liberty Maven and Gradle plug-ins are now available. These releases include Java 21 support and the ability to deploy Spring Boot 3 applications. For more information, see the Liberty Maven plug-in 3.10 release notes and the Liberty Gradle plug-in 3.8 release notes.
- Liberty Tools 23.0.12 for Eclipse IDE, IntelliJ IDEA, and Visual Studio Code
- Liberty Tools support the latest available releases of Eclipse IDE, IntelliJ IDEA, and Visual Studio Code. This release also includes various enhancements and fixes. For more information, see the following release notes:
- Add computed vendor metrics to your dashboards with MicroProfile Metrics 3.0, 4.0, and 5.0
-
A set of computed vendor metrics is available when you enable the MicroProfile Metrics 3.0, 4.0, or 5.0 feature, without any additional configuration on your part. You can add these metrics directly to your dashboards in various monitoring tools.
Previously, you calculated these metrics from the
Time
andTotal
counts that were provided for various monitoring components. For example, to obtain a response time per request metric, you calculated it by using the array of time series data that is provided by the MicroProfile Metrics feature. However, not all monitoring tools support such complex time-series expressions. For more information, see the Open Liberty blog. - Bug fixes in version 23.0.0.11
- The development team made several significant bug fixes in version 23.0.0.11. For more information, see the Open Liberty blog.
- Red Hat OpenShift Container Platform 4.14
-
Support for Red Hat OpenShift Container Platform 4.14 is added in 23.0.0.11.
- WebSphere Liberty operator 1.3.0
-
Update to the new 1.3.0 release of WebSphere Liberty operator. Version 1.3.0 adds security fix updates for operating system packages and API libraries.
- Verify feature signatures with the featureUtility command
-
In version 23.0.0.10 and later, the featureUtility command verifies feature signatures before it installs a feature into the Liberty runtime.
Previously, the featureUtility command verified only checksum data, which verified the integrity of the feature, but not the authenticity. Integrity verification ensures that the feature was not tampered with. Authenticity verification ensures the feature either originated from the Liberty development team or is a user-created feature. The featureUtility command checks both the authenticity and the integrity of features that are downloaded from the Maven Central repository. For more information, see the featureUtility documentation on the Open Liberty website.
- Java SE 21 support for archive installations
- The 23.0.0.10 release
adds support for Java Platform, Standard Edition (Java SE) Version 21. You can use Java SE 21 with Liberty 23.0.0.10 or
later. Liberty runs on any of the Java SE
versions that are listed in the Supported Java Releases table on the Open Liberty
website. For more information, see Updating the
Liberty
Java runtime environment or software development kit
and the Open Liberty blog.
The IBM i platform supports only Java SE 8, Java SE 11, and Java SE 17. Java SE 21 is not yet supported on IBM i.
- Deploy Spring Boot 3.x applications to Liberty
- The Spring Boot Support 3.0 feature (springBoot-3.0) provides complete support for running a Spring Boot 3.0 application on Liberty. It also provides the capability to thin the application when you create applications in containers. Prior releases of Liberty supported Spring Boot 1.5 and Spring Boot 2.0 applications. For more information, see the Open Liberty website.
- Authenticate Open ID Connect clients with a private key JSON Web Token (JWT)
- OpenID Connect clients
are required to provide authentication data to the OpenID Connect provider when they invoke the
provider’s token endpoint. Clients can authenticate by using several different methods, but most of
those methods require a client secret. The
private_key_jwt
authentication method enables clients to use asymmetric keys to create signed JSON Web Tokens (JWTs) to authenticate instead of client secrets. OpenID Connect clients that use this authentication method are not required to have a client secret. For more information, see the Open Liberty website. - Use different LTPA or JWT cookies for different applications
- Starting in version 23.0.0.9, you can set the path for Lightweight Third Party Authentication
(LTPA) and JSON Web Token (JWT) cookie paths to the application context root. Set the
useContextRootForSSOCookiePath
attribute in thewebAppSecurity
element totrue
. With this configuration, you can use different LTPA or JWT tokens for different applications. In previous versions, the cookie path was set to a forward slash (/
) so that any request made to any path on the domain included the cookie. For more information, see the webAppSecurity element. - Red Hat® OpenShift® Container Platform 4.10
-
Extended support has ended for Red Hat OpenShift Container Platform 4.10. For more information, see Red Hat OpenShift Container Platform Lifecycle Policy.
- Java SE 11 end of support moved from 24.0.0.10 to 26.0.0.10
- The Liberty end of support date for Java SE 11 is October 2026. The end of support date was October 2024. For more information, see Removal notices.
- Prevent authorization code interception attacks with PKCE support for OpenID Connect clients
- OpenID Connect clients in Liberty now support Proof Key for Code Exchange (PKCE) (RFC 7636). PKCE is an extension of the OAuth 2.0 specification that protects OAuth 2.0 public clients against authorization code interception attacks. In specific scenarios, a malicious application can intercept a legitimate OAuth 2.0 public client authorization code and use it to obtain access and ID tokens on behalf of the client. PKCE introduces steps and request parameters to prevent such interception attacks. For more information, see the Open Liberty blog.
- Ensure that sufficient features are installed when you use the
featureUtility installFeature
command - In this release, the
featureUtility installFeature
command is updated to better manage dependencies among the features that it installs. This command now installs all versions of any dependencies that the requested feature requires, which might install a larger number of features in some circumstances. However, the relatedfeatureUtility installServerFeatures
is the recommended way to install features as it always installs exactly the minimum set of features that are needed for the server configuration. For more information, see the Open Liberty blog. - WebSphere Liberty operator 1.2.2
-
Update to the new 1.2.2 release of WebSphere Liberty operator. Version 1.2.2 adds security fix updates for operating system packages and API libraries.
- Bug fixes in version 23.0.0.7
- The development team made several significant bug fixes in version 23.0.0.7. For more information, see the Open Liberty blog.
- WebSphere Liberty container images
-
The symlink of
/liberty
in WebSphere® Application Server Liberty official images has changed from/opt/ibm
to/opt/ibm/wlp
.
- WebSphere Liberty operator 1.2.1
-
Update to the new 1.2.1 release of WebSphere Liberty operator. Version 1.2.1 adds security fix updates for operating system packages and API libraries.
- Faster startup with Liberty InstantOn
- Liberty InstantOn uses the Checkpoint/Restore In Userspace (CRIU) feature of the Linux kernel to provide faster startup times for MicroProfile and Jakarta EE applications. Starting with version 23.0.0.6, all X86-64/AMD64 UBI Liberty container images are enabled for InstantOn. For more information, see Faster startup for containerized applications with Open Liberty InstantOn on the Open Liberty website.
- Bug fixes in version 23.0.0.5
- The development team made a number of significant bug fixes in version 23.0.0.5. For more information, see the Open Liberty blog.
- WebSphere Liberty operator 1.2.0
-
Update to the new 1.2.0 release of WebSphere Liberty operator. Version 1.2.0 adds support for Linux on Power® (ppc64le) or Linux on IBM Z (s390x) platform.
The template used to build application container images was updated in version 23.0.0.4. For more information, see Creating container application images.
- Bug fixes in version 23.0.0.4
- The development team made a number of significant bug fixes in version 23.0.0.4. For more information, see the Open Liberty blog.
- Java SE 20 support
- The 23.0.0.3 release adds support for Java Platform, Standard Edition (Java SE) Version 20. Liberty runs on any of the Java SE versions that are listed in the Supported Java Releases table on the Open Liberty website. Java SE 20 is not a long-term supported release. Standard support is scheduled to end in September 2023. For more information, see Updating the Liberty Java runtime environment or software development kit and the Open Liberty blog.
- Jakarta EE 10 support
- The 23.0.0.3 release adds support for the Jakarta EE platform, version 10.0. You can run Jakarta EE 10 applications by using Java SE 8, 11, or 17. Jakarta EE 10 support on Open Liberty includes new feature versions for many Liberty features that support Jakarta EE APIs. If you are updating your application from using Jakarta EE 9.1 features to using Jakarta EE 10 features, changes in API behavior might require you to update your application code. For more information, see Differences between Jakarta EE 10 and 9.1 on the Open Liberty website and the Open Liberty blog.
- MicroProfile 6.0 support
- The 23.0.0.3 release adds
support for the MicroProfile programming
model version 6.0, which aligns with Jakarta EE 10. MicroProfile 6.0 is a major release. It
includes Jakarta EE 10 Core Profile and replaces MicroProfile OpenTracing with MicroProfile
Telemetry. Therefore, MicroProfile OpenTracing moves out of the umbrella release and becomes a
stand-alone specification. This release also introduces the new versions of the MicroProfile
OpenAPI, MicroProfile JSON Web Token, and MicroProfile Metrics features.
If you are updating your application from using MicroProfile 5.0 features to using MicroProfile 6.0 features, changes in API behavior might require you to update your application code. For more information, see Differences between MicroProfile 6.0 and 5.0 on the Open Liberty website and the Open Liberty blog.
- Set a timeout for the server stop command
- The server
stop command includes a default 30 second waiting period for confirmation that the server
is stopped. Starting in version 23.0.0.2, a
--timeout
option is available for this command to increase the duration of the waiting period. For more information, see the server stop command documentation on the Open Liberty website. - Test server connections with the Admin Center Server Config tool
- Starting in 23.0.0.2, you can test the connection to server resources from Admin Center by using the Server Config tool. For more information, see the Admin Center documentation on the Open Liberty website.
- WebSphere Liberty operator 1.1.0
-
Support for Red Hat OpenShift Container Platform 4.12 is added in 23.0.0.1.
- Bug fixes in version 23.0.0.1
- The development team made a number of significant bug fixes in version 23.0.0.1. For more information, see the Open Liberty blog.
- WebSphere Liberty operator 1.1.0
-
Update to the new 1.1.0 release of WebSphere Liberty operator. Version 1.1.0 adds support for Semeru Cloud Compiler and updated instructions for installing in an air gap environment.
- Run Liberty on Amazon EKS on AWS
- You can run WebSphere Liberty on Amazon Web Services (AWS) by using an AWS Partner Solution that is called IBM WebSphere Liberty for Amazon EKS. This AWS Partner Solution installs a WebSphere Liberty operator in an Amazon Elastic Kubernetes Service (EKS) cluster. For more information, see Running WebSphere Liberty on Amazon EKS on AWS.
- Configure a maximum age for FFDC files
- You can configure Liberty to
automatically purge FFDC log files after they reach a configured age by setting the
maxFfdcAge
logging configuration attribute. Previously, Liberty automatically purged FFDC files only in excess of 500 and the value was not configurable. For more information, see themaxFfdcAge
attribute for the logging configuration element.
- Bug fixes in version 22.0.0.12
- The development team made a number of significant bug fixes in version 22.0.0.12. For more information, see the Open Liberty blog.
- Secure applications with distributed security caches
- In version 22.0.0.11 and later, multiple Liberty servers can share distributed caches by using a JCache provider. Before this release, the authentication and logged-out cookie caches were restricted to be local and in-memory. As part of this update, both caches can be stored in a distributed JCache provider. This update can improve performance and failure recovery, reduce the load on backend user registries, and improve the security posture of the server. For more information, see Distributed caching with JCache on the Open Liberty website.
- Expose SPI interfaces as BELL services and inject properties into BELL services
- The Basic extensions using Liberty libraries (BELL) 1.0 feature enables shared libraries to provide implementations of Liberty API interfaces by using Java ServiceLoader configuration files. The 22.0.0.11 release introduces two capabilities for BELL services: SPI visibility and properties configuration and injection. Previously, these capabilities were available only to user feature extensions. User features offer more capabilities than BELL services, but come with a more complex development model. These capabilities allow extension developers greater opportunity to use the simplicity of BELL services. For more information, see Basic Extensions using Liberty Libraries on the Open Liberty website.
- Java SE 19 support
- The 22.0.0.10 release adds support for Java Platform, Standard Edition (Java SE) Version 19. You can use Java SE 19 with Liberty 22.0.0.10 or later. Liberty runs on any of the Java SE versions that are listed in the Supported Java Releases table on the Open Liberty website. Java SE 19 is not a long-term supported release. Standard support is scheduled to end in March 2023. For more information, see Updating the Liberty Java runtime environment or software development kit and the Open Liberty blog.
- WebSphere Liberty operator 1.0.2
-
Update to the new 1.0.2 release of WebSphere Liberty operator.
- Use issuer claim to select which Open ID Connect client configuration to use for a JWT inbound propagation request
- In version 22.0.0.10 and
later, Open Liberty can use the issuer claim from a JWT or JWS
access token to select which
openidConnectClient
configuration to use for a JWT inbound propagation request. Before this release, complicated authentication filters were required if more than one issuer was used for the same resource. For more information, see Configure JSON Web Token (JWT) authentication for OpenID Connect on the Open Liberty website.
- Use the Password Utilities feature without forcefully federating user registries
- A new version of the Password Utilities feature,
passwordUtilities-1.1
, is available. This version of the feature does not start the Federated User Registry feature or the Jakarta Connectors feature. When you use this version of the feature, stand-alone user registries are not forcefully federated, which sometimes results in slightly different behavior than the previous version. The previous feature version,passwordUtilities-1.0
, starts the Federated User Registry and Jakarta Connectors features by default. For more information, see Password Utilities-1.1.
- View the stack trace separately from logged messages in logging records
- The stack trace is now
separated from logged messages in logging records so that log analysis tools can present them more
clearly. Previously, any logging record from a Java Logger object that used any of the methods that
accept a
Throwable
parameter appended the stack trace to the existing message field. For more information, see the Open Liberty blog. - Configure time-based log rollover
- You can enable time-based
periodic rollover of Liberty
message.log, trace.log, and
http_access.log log files at their own specified time of day by using two new
optional logging configuration attributes:
rolloverInterval
androlloverStartTime
. For more information, see Time-based log rollover and Time-based HTTP access log rollover on the Open Liberty website. - WebSphere Liberty operator 1.0.1
-
Update to the new 1.0.1 release of WebSphere Liberty operator.
Use kustomize to install WebSphere Liberty operator.
Verify code-signed images for WebSphere Liberty operator.
- Filter JSON logs on the application name
- When application log
messages are logged and the application name is known, the application name is now added to the
LogRecordContext
extension. The key isappName
and the value is the application name that the message was logged from. When JSON logging is enabled, a new default JSON field that is calledext_appName
is added to the JSON application logs, which specifies the application name that the log message was logged from. Previously, if you used a log analysis tool, you couldn’t filter out application logs, since theJSON
fields did not have a field for the application name. For more information, see the JSON log events reference list on the Open Liberty website. - Merge stack traces into a single log event
- When a stack trace is
logged in Liberty, you can now output the
emitted stack trace as a single log event. This update is helpful if you forward your logs
downstream to third-party log analysis technologies, such as the Elastic Logstash Kibana (ELK)
stack. You can enable this function by configuring either a bootstrap property, an environment
variable, or through the
server.xml
file. Before this update, each line of the stack trace was printed as a separate event. For more information, see the entry forstackTraceSingleEntry
in Configuration settings by source on the Open Liberty website.
- WebSphere Liberty operator
- Use the WebSphere Liberty operator to deploy and manage applications on Kubernetes-based clusters. Operators are extensions to Kubernetes that provide customized, automated tasks.
- Develop GraphQL applications by using Jakarta EE 9.1 components with MicroProfile GraphQL 2.0
- The MicroProfile GraphQL-2.0 feature incorporates Jakarta EE 9.1 dependencies. With this version, you can continue to use the same functions that are provided by MicroProfile GraphQL 1.0 with updated Jakarta components, such as CDI 3.0, Jakarta REST 3.0, and JSON-B 2.0. For more information about working with GraphQL on Liberty, see Build GraphQL applications with MicroProfile GraphQL on the Open Liberty website.
- Configure specific TLS protocols
- You can configure specific TLS protocols instead of configuring them by default. For more information, see the section in the transport security topic on configuring specific TLS protocols.
- Generate the schema for a Liberty installation
- You can use the
schemaGen
command to generate the schema for an entire Liberty installation. Before 22.0.0.5, this function was only available by running thejava -jar
command against the bin/tools/ws-schemagen.jar file. For more information, see the schemaGen command on the Open Liberty website.
- Java SE 18 support
- The 22.0.0.4 release adds support for Java Platform, Standard Edition (Java SE) Version 18. You can use Java SE 18 with Liberty 22.0.0.4 or later. Liberty runs on any of the Java SE versions that are listed in the Supported Java Releases table on the Open Liberty website. Java SE 18 is not a long-term supported release. Standard support is scheduled to end in September 2022. For more information, see Updating the Liberty Java runtime environment or software development kit and the Open Liberty blog.
- Automatically detect and process X.509 certificates that are sent in PEM format
- Some open source intermediate servers might send X.509 client certificates in the Privacy-Enhanced Mail (PEM) URL-encoded format. In 22.0.0.4 and later, Liberty can automatically detect and process this format. Previously, any request in this format was rejected and the request was canceled. For more information, see the Open Liberty blog.
Continuous fix pack delivery
WebSphere Application Server Liberty follows a continuous delivery process. Instead of delivering a large amount of content in a new version, new content is delivered gradually as optional installable features in of each fix pack. Because of the Liberty zero-migration policy, you can update to the latest fix pack and then continue to use your existing configuration and applications, with no unexpected change in behavior.
In contrast to WebSphere Application Server traditional, which has different fix packs for each version, Liberty has a single service stream. A Liberty fix pack contains the same content regardless of which product version you purchased. Fix pack 16.0.0.2 is the next Liberty fix pack after 8.5.5.9.
For installation information, see Installing Liberty.
Watch: The Liberty single-stream fix pack delivery video shows how Liberty fix packs are continuously delivered into a single service stream that applies to all product versions. [Transcript]
Fix pack numbering
- Y = year, last 2 digits
- R = release
- M = modification
- F = fix pack release during the year
For example, fix pack 16.0.0.2 refers to year 2016, release 0, modification 0, and the second fix pack of the year. For the third fix pack of 2018, the fix name would be 18.0.0.3.
This numbering change applies only to Liberty. WebSphere Application Server traditional fix packs continue to follow the V.R.M.F numbering scheme, where the letters stand for version, release, modification, and fix pack.