What is new in this release of Liberty

What's new

Many of the latest features for Liberty are now documented on the Open Liberty website. For more information about new Liberty features and capabilities, see the Open Liberty blog.

The Liberty features topic lists the features available in Liberty products and highlights recently introduced features with a fix pack icon. Recent fix packs provide the following key enhancements:

Deploy Spring Boot 3.x applications to Liberty

The Spring Boot Support 3.0 feature (springBoot-3.0) provides complete support for running a Spring Boot 3.0 application on Liberty. It also provides the capability to thin the application when you create applications in containers. Prior releases of Liberty supported Spring Boot 1.5 and Spring Boot 2.0 applications. For more information, see the Open Liberty website.

Authenticate Open ID Connect clients with a private key JSON Web Token (JWT)

OpenID Connect clients are required to provide authentication data to the OpenID Connect provider when they invoke the provider’s token endpoint. Clients can authenticate by using several different methods, but most of those methods require a client secret. The private_key_jwt authentication method enables clients to use asymmetric keys to create signed JSON Web Tokens (JWTs) to authenticate instead of client secrets. OpenID Connect clients that use this authentication method are not required to have a client secret. For more information, see the Open Liberty website.

Use different LTPA or JWT cookies for different applications

Starting in version 23.0.0.9, you can set the path for Lightweight Third Party Authentication (LTPA) and JSON Web Token (JWT) cookie paths to the application context root. Set the useContextRootForSSOCookiePath attribute in the webAppSecurity element to true. With this configuration, you can use different LTPA or JWT tokens for different applications. In previous versions, the cookie path was set to a forward slash (/) so that any request made to any path on the domain included the cookie. For more information, see the webAppSecurity element.

Red Hat® OpenShift® Container Platform 4.10

Extended support has ended for Red Hat OpenShift Container Platform 4.10. For more information, see Red Hat OpenShift Container Platform Lifecycle Policy.

Java SE 11 end of support moved from 24.0.0.10 to 26.0.0.10

The Liberty end of support date for Java SE 11 is October 2026. The end of support date was October 2024. For more information, see Removal notices.

Prevent authorization code interception attacks with PKCE support for OpenID Connect clients

OpenID Connect clients in Liberty now support Proof Key for Code Exchange (PKCE) (RFC 7636). PKCE is an extension of the OAuth 2.0 specification that protects OAuth 2.0 public clients against authorization code interception attacks. In specific scenarios, a malicious application can intercept a legitimate OAuth 2.0 public client authorization code and use it to obtain access and ID tokens on behalf of the client. PKCE introduces steps and request parameters to prevent such interception attacks. For more information, see the Open Liberty blog.

Ensure that sufficient features are installed when you use the featureUtility installFeature command

In this release, the featureUtility installFeature command is updated to better manage dependencies among the features that it installs. This command now installs all versions of any dependencies that the requested feature requires, which might install a larger number of features in some circumstances. However, the related featureUtility installServerFeatures is the recommended way to install features as it always installs exactly the minimum set of features that are needed for the server configuration. For more information, see the Open Liberty blog.

WebSphere Liberty operator 1.2.2

Update to the new 1.2.2 release of WebSphere Liberty operator. Version 1.2.2 adds security fix updates for operating system packages and API libraries.

Bug fixes in version 23.0.0.7

The development team made several significant bug fixes in version 23.0.0.7. For more information, see the Open Liberty blog.

WebSphere Liberty container images

The symlink of /liberty in WebSphere® Application Server Liberty official images has changed from /opt/ibm to /opt/ibm/wlp.

WebSphere Liberty operator 1.2.1

Update to the new 1.2.1 release of WebSphere Liberty operator. Version 1.2.1 adds security fix updates for operating system packages and API libraries.

Faster startup with Liberty InstantOn

Liberty InstantOn uses the Checkpoint/Restore In Userspace (CRIU) feature of the Linux kernel to provide faster startup times for MicroProfile and Jakarta EE applications. Starting with version 23.0.0.6, all X86-64/AMD64 UBI Liberty container images are enabled for InstantOn. For more information, see Faster startup for containerized applications with Open Liberty InstantOn on the Open Liberty website.

Bug fixes in version 23.0.0.5

The development team made a number of significant bug fixes in version 23.0.0.5. For more information, see the Open Liberty blog.

WebSphere Liberty operator 1.2.0

Update to the new 1.2.0 release of WebSphere Liberty operator. Version 1.2.0 adds support for Linux on Power® (ppc64le) or Linux on IBM Z (s390x) platform.

The template used to build application container images was updated in version 23.0.0.4. For more information, see Creating container application images.

Bug fixes in version 23.0.0.4

The development team made a number of significant bug fixes in version 23.0.0.4. For more information, see the Open Liberty blog.

Java SE 20 support

The 23.0.0.3 release adds support for Java™ Platform, Standard Edition (Java SE) Version 20. Liberty runs on any of the Java SE versions that are listed in the Supported Java Releases table on the Open Liberty website. Java SE 20 is not a long-term supported release. Standard support is scheduled to end in September 2023. For more information, see Updating the Liberty Java runtime environment or software development kit and the Open Liberty blog.

Jakarta EE 10 support

The 23.0.0.3 release adds support for the Jakarta EE platform, version 10.0. You can run Jakarta EE 10 applications by using Java SE 8, 11, or 17. Jakarta EE 10 support on Open Liberty includes new feature versions for many Liberty features that support Jakarta EE APIs. If you are updating your application from using Jakarta EE 9.1 features to using Jakarta EE 10 features, changes in API behavior might require you to update your application code. For more information, see Differences between Jakarta EE 10 and 9.1 on the Open Liberty website and the Open Liberty blog.

MicroProfile 6.0 support

The 23.0.0.3 release adds support for the MicroProfile programming model version 6.0, which aligns with Jakarta EE 10. MicroProfile 6.0 is a major release. It includes Jakarta EE 10 Core Profile and replaces MicroProfile OpenTracing with MicroProfile Telemetry. Therefore, MicroProfile OpenTracing moves out of the umbrella release and becomes a stand-alone specification. This release also introduces the new versions of the MicroProfile OpenAPI, MicroProfile JSON Web Token, and MicroProfile Metrics features.

If you are updating your application from using MicroProfile 5.0 features to using MicroProfile 6.0 features, changes in API behavior might require you to update your application code. For more information, see Differences between MicroProfile 6.0 and 5.0 on the Open Liberty website and the Open Liberty blog.

Set a timeout for the server stop command

The server stop command includes a default 30 second waiting period for confirmation that the server is stopped. Starting in version 23.0.0.2, a --timeout option is available for this command to increase the duration of the waiting period. For more information, see the server stop command documentation on the Open Liberty website.

Test server connections with the Admin Center Server Config tool

Starting in 23.0.0.2, you can test the connection to server resources from Admin Center by using the Server Config tool. For more information, see the Admin Center documentation on the Open Liberty website.

WebSphere Liberty operator 1.1.0

Support for Red Hat OpenShift Container Platform 4.12 is added in 23.0.0.1.

Bug fixes in version 23.0.0.1

The development team made a number of significant bug fixes in version 23.0.0.1. For more information, see the Open Liberty blog.

WebSphere Liberty operator 1.1.0

Update to the new 1.1.0 release of WebSphere Liberty operator. Version 1.1.0 adds support for Semeru Cloud Compiler and updated instructions for installing in an air gap environment.

Run Liberty on Amazon EKS on AWS

You can run WebSphere Liberty on Amazon Web Services (AWS) by using an AWS Partner Solution that is called IBM WebSphere Liberty for Amazon EKS. This AWS Partner Solution installs a WebSphere Liberty operator in an Amazon Elastic Kubernetes Service (EKS) cluster. For more information, see Running WebSphere Liberty on Amazon EKS on AWS.

Configure a maximum age for FFDC files

You can configure Liberty to automatically purge FFDC log files after they reach a configured age by setting the maxFfdcAge logging configuration attribute. Previously, Liberty automatically purged FFDC files only in excess of 500 and the value was not configurable. For more information, see the maxFfdcAge attribute for the logging configuration element.

Bug fixes in version 22.0.0.12

The development team made a number of significant bug fixes in version 22.0.0.12. For more information, see the Open Liberty blog.

Secure applications with distributed security caches

In version 22.0.0.11 and later, multiple Liberty servers can share distributed caches by using a JCache provider. Before this release, the authentication and logged-out cookie caches were restricted to be local and in-memory. As part of this update, both caches can be stored in a distributed JCache provider. This update can improve performance and failure recovery, reduce the load on backend user registries, and improve the security posture of the server. For more information, see Distributed caching with JCache on the Open Liberty website.

Expose SPI interfaces as BELL services and inject properties into BELL services

The Basic extensions using Liberty libraries (BELL) 1.0 feature enables shared libraries to provide implementations of Liberty API interfaces by using Java ServiceLoader configuration files. The 22.0.0.11 release introduces two capabilities for BELL services: SPI visibility and properties configuration and injection. Previously, these capabilities were available only to user feature extensions. User features offer more capabilities than BELL services, but come with a more complex development model. These capabilities allow extension developers greater opportunity to use the simplicity of BELL services. For more information, see Basic Extensions using Liberty Libraries on the Open Liberty website.

Java SE 19 support

The 22.0.0.10 release adds support for Java Platform, Standard Edition (Java SE) Version 19. You can use Java SE 19 with Liberty 22.0.0.10 or later. Liberty runs on any of the Java SE versions that are listed in the Supported Java Releases table on the Open Liberty website. Java SE 19 is not a long-term supported release. Standard support is scheduled to end in March 2023. For more information, see Updating the Liberty Java runtime environment or software development kit and the Open Liberty blog.

WebSphere Liberty operator 1.0.2

Update to the new 1.0.2 release of WebSphere Liberty operator.

Use issuer claim to select which Open ID Connect client configuration to use for a JWT inbound propagation request

In version 22.0.0.10 and later, Open Liberty can use the issuer claim from a JWT or JWS access token to select which openidConnectClient configuration to use for a JWT inbound propagation request. Before this release, complicated authentication filters were required if more than one issuer was used for the same resource. For more information, see Configure JSON Web Token (JWT) authentication for OpenID Connect on the Open Liberty website.

Use the Password Utilities feature without forcefully federating user registries

A new version of the Password Utilities feature, passwordUtilities-1.1, is available. This version of the feature does not start the Federated User Registry feature or the Jakarta Connectors feature. When you use this version of the feature, stand-alone user registries are not forcefully federated, which sometimes results in slightly different behavior than the previous version. The previous feature version, passwordUtilities-1.0, starts the Federated User Registry and Jakarta Connectors features by default. For more information, see Password Utilities-1.1.

View the stack trace separately from logged messages in logging records

The stack trace is now separated from logged messages in logging records so that log analysis tools can present them more clearly. Previously, any logging record from a Java Logger object that used any of the methods that accept a Throwable parameter appended the stack trace to the existing message field. For more information, see the Open Liberty blog.

Configure time-based log rollover

You can enable time-based periodic rollover of Liberty message.log, trace.log, and http_access.log log files at their own specified time of day by using two new optional logging configuration attributes: rolloverInterval and rolloverStartTime. For more information, see Time-based log rollover and Time-based HTTP access log rollover on the Open Liberty website.

WebSphere Liberty operator 1.0.1

Update to the new 1.0.1 release of WebSphere Liberty operator.

Use kustomize to install WebSphere Liberty operator.

Verify code-signed images for WebSphere Liberty operator.

Filter JSON logs on the application name

When application log messages are logged and the application name is known, the application name is now added to the LogRecordContext extension. The key is appName and the value is the application name that the message was logged from. When JSON logging is enabled, a new default JSON field that is called ext_appName is added to the JSON application logs, which specifies the application name that the log message was logged from. Previously, if you used a log analysis tool, you couldn’t filter out application logs, since the JSON fields did not have a field for the application name. For more information, see the JSON log events reference list on the Open Liberty website.

Merge stack traces into a single log event

When a stack trace is logged in Liberty, you can now output the emitted stack trace as a single log event. This update is helpful if you forward your logs downstream to third-party log analysis technologies, such as the Elastic Logstash Kibana (ELK) stack. You can enable this function by configuring either a bootstrap property, an environment variable, or through the server.xml file. Before this update, each line of the stack trace was printed as a separate event. For more information, see the entry for stackTraceSingleEntry in Configuration settings by source on the Open Liberty website.

WebSphere Liberty operator

Use the WebSphere Liberty operator to deploy and manage applications on Kubernetes-based clusters. Operators are extensions to Kubernetes that provide customized, automated tasks.

Develop GraphQL applications by using Jakarta EE 9.1 components with MicroProfile GraphQL 2.0

The MicroProfile GraphQL-2.0 feature incorporates Jakarta EE 9.1 dependencies. With this version, you can continue to use the same functions that are provided by MicroProfile GraphQL 1.0 with updated Jakarta components, such as CDI 3.0, Jakarta REST 3.0, and JSON-B 2.0. For more information about working with GraphQL on Liberty, see Build GraphQL applications with MicroProfile GraphQL on the Open Liberty website.

Configure specific TLS protocols

You can configure specific TLS protocols instead of configuring them by default. For more information, see the section in the transport security topic on configuring specific TLS protocols.

Generate the schema for a Liberty installation

You can use the schemaGen command to generate the schema for an entire Liberty installation. Before 22.0.0.5, this function was only available by running the java -jar command against the bin/tools/ws-schemagen.jar file. For more information, see the schemaGen command on the Open Liberty website.

Java SE 18 support

The 22.0.0.4 release adds support for Java Platform, Standard Edition (Java SE) Version 18. You can use Java SE 18 with Liberty 22.0.0.4 or later. Liberty runs on any of the Java SE versions that are listed in the Supported Java Releases table on the Open Liberty website. Java SE 18 is not a long-term supported release. Standard support is scheduled to end in September 2022. For more information, see Updating the Liberty Java runtime environment or software development kit and the Open Liberty blog.

Automatically detect and process X.509 certificates that are sent in PEM format

Some open source intermediate servers might send X.509 client certificates in the Privacy-Enhanced Mail (PEM) URL-encoded format. In 22.0.0.4 and later, Liberty can automatically detect and process this format. Previously, any request in this format was rejected and the request was canceled. For more information, see the Open Liberty blog.

Enable retries for SQL operations in the transaction recovery logs

Set the enableLogRetries attribute for the transaction configuration element to true to enable retires for SQL operations after a failure to write to the transaction recovery logs. When Liberty detects a failure to write to the transaction recovery logs, it invalidates the logs and disallows further global transactions. Previously, to resume transactional work, you had to restart the server and reload any applications. For more information, see the Open Liberty blog.

Liberty supported on IBM i V7R5

Liberty V22.0.0.3 and later versions are supported on IBM i V7R5 operating systems. For more information, see Minimum supported Java levels.

Define JPA persistence properties at server scope

Use the defaultProperties element in your jpa element configuration to declare default Jakarta Persistence API (JPA) persistence properties to all container-managed persistence contexts. Previously, to set a persistence property for all persistence.xml configuration files, you had to manually update each persistence.xml file in all applications. For more information, see the Open Liberty blog.

MicroProfile programming model support 5.1

Use features in the MicroProfile programming model to develop microservice applications for the enterprise. MicroProfile 5.0 aligns with Jakarta EE 9.1. With this release, applications can use MicroProfile APIs together with Jakarta EE 9.1 APIs. MicroProfile 5.0 has the same functions as MicroProfile 4.1 except for dependency updates that account for changes in Jakarta API package names from javax.* to jakarta.*. For more information, see the Open Liberty blog.

As part of the MicroProfile 5.0 release, the MicroProfile REST Client 3.0 feature (mpRestClient-3.0) is available. With this release, the underlying MicroProfile REST Client implementation for Liberty changes from Apache CXF to RESTEasy. This change results in certain API behavior changes that might require you to update your application code. For more information, see MicroProfile REST Client 3.0 behavior changes on the Open Liberty website.

Document multiple applications with MicroProfile OpenAPI

The MicroProfile OpenAPI feature version 2.0 (mpOpenAPI-2.0) provides configuration properties to select which applications and web modules OpenAPI documentation is generated for. Before this release, OpenAPI documentation was generated for only the first web module of the first application that was deployed on the server. For more information, see Multiple application and multi-module application support with MicroProfile OpenAPI on the Open Liberty website.

Accept tokens in JSON Web Encryption (JWE) format

In version 22.0.0.1 and later, the OpenID Connect Client 1.0 and Social Media Login 1.0 features support receiving tokens in the JWE format. Both features also add support for the RS384, RS512, HS384, HS512, ES256, ES384, and ES512 signature algorithms. Before this release, these features did not support access or ID tokens in JWE format. For more information, see Accept tokens in JWE format on the Open Liberty website.

Block classes with known vulnerabilities

Applications that are deployed to Liberty might run versions of Log4j2 that are affected by Log4Shell (CVE-2021-44228) and related vulnerabilities. The 22.0.0.1 release adds function that modifies the application and library class loaders to block the loading of the org.apache.logging.log4j.core.lookup.JndiLookup class, which is the cause of the vulnerability. For more information, see the Open Liberty blog.

Verify the authenticity and integrity of a Liberty release package

Starting with the 22.0.0.1 release, signature files are produced for every package of a Liberty release. You can use these signature files and the corresponding public key to verify the authenticity and integrity of a Liberty release package. For more information, see Verifying Liberty release packages.

Use expansion variables in server.env files

In version 22.0.0.1 and later, you can specify environment variables in the server.env file on Linux systems. These variables are resolved when the server starts. This capability was already available in Liberty on Windows systems. For more information, see Server configuration: Expansion variables on the Open Liberty website.

Specify the JVM working directory

In version 22.0.0.1 and later, you can use the SERVER_WORKING_DIR environment variable to set the Java virtual machine (JVM) working directory location to a location other than the ${WLP_OUTPUT_DIR}/serverName location default. This enhancement gives you more flexibility with the location of the Liberty JVM output. For more information, see Default environment variables on the Open Liberty website.

Customize stale connection identification

In version 22.0.0.1 and later, specify the identifyException element to provide more configuration for a data source that helps identify the vendor-specific SQL states and error codes that are raised by the JDBC driver. For more information, see the Open Liberty blog.

Improvements to deployment descriptor parsing

Version 22.0.0.1 introduces improvements to Liberty deployment descriptor file parsing. These updates relax the rules for resource header elements and improve the error messages that are displayed if problems occur when Liberty parses a resource. For more information, see the Open Liberty blog.

Liberty on Microsoft Azure

You can automatically provision Microsoft Azure resources to move to Liberty and Open Liberty on Azure Red Hat OpenShift and Azure Kubernetes Service. For more information, see IBM WebSphere Product Family on Azure Overview on the Microsoft Azure Marketplace website.

Support for Jakarta EE 9.1

The 21.0.0.12 release adds support for the Jakarta EE platform, version 9.1. You can run Jakarta EE 9.1 applications by using Java SE 8, 11, or 17. Liberty features that support Jakarta EE 9.1 are incremented to new version numbers and, in some cases, new short names. If you are moving applications from Java EE or a previous version of Jakarta EE to Jakarta EE9.1, you might need to update feature versions or short names in your server.xml file. For more information, see Jakarta EE 9.1 feature updates on the Open Liberty website.

Support for Enterprise Beans 4.0

As part of the release Jakarta EE 9.1, the Jakarta Enterprise Beans 4.0 specification includes a few minor changes over the pri version of the specification, Enterprise JavaBeans (EJB) 3.2. All of the Liberty features that support both versions of this specification are still available, but the feature short name is changed from ejb to enterpriseBeans in the 4.0 version. Several API methods are also removed in the 4.0 version. For more information, see Developing EJB applications on Liberty.

Modify HTTP response headers

In 21.0.0.12 and later, you can configure Liberty to modify HTTP response headers. Headers can be appended, overwritten, added, or removed from all responses that are serviced by an HTTP endpoint. This configuration provides more granular control over response headers, so you can modify headers without having to change existing applications or filters. For more information, see the Open Liberty blog.

Migrate JAX-RPC applications to Liberty

Liberty does not support JAX-RPC services or clients. However, in version 21.0.0.11 and later, the Liberty JAX-RPC conversion tool can convert JAX-RPC applications to JAX-WS applications that can run on Liberty. For more information, see Migrating JAX-RPC applications to Liberty.

Use Kubernetes secrets as Liberty configuration variables

In Liberty 21.0.0.11 and later, configuration variables can be automatically populated from Kubernetes secrets without having to expose them as environment variables. Before 21.0.0.11, to access these secrets in Liberty from configuration variables, they had to be exposed as environment variables in a Kubernetes pod. For more information, see the Open Liberty blog.

Install WebSphere Liberty features on an Open Liberty server

Some WebSphere Application Server Liberty features are not available for Open Liberty servers. Open Liberty users with an active WebSphere Application Server Liberty license can install WebSphere Application Server Liberty features from a Maven repository by specifying the featuresbom property. For more information, see Installing WebSphere Liberty features on an Open Liberty server.

Print the ephemeral port of the client for each incoming HTTP request to the HTTP access log

In version 21.0.0.11 and later, the %{remote}p HTTP access log format option provides a lightweight way to correlate to network trace and investigate network errors or performance issues. Before version 21.0.0.11, the main way to correlate HTTP requests to network trace was to use WebContainer trace. For more information, see HTTP access logging on the Open Liberty website.

Java SE 17 support

The 21.0.0.10 release adds support for Java Platform, Standard Edition (Java SE) Version 17. You can use Java SE 17 with Liberty 21.0.0.10 or later. Liberty runs on any of the Java SE versions that are listed in the Supported Java Releases table on the Open Liberty website. For more information, see Updating the Liberty Java runtime environment or software development kit and the Open Liberty blog.

Install IBM Semeru Runtime Certified Edition, Version 11 with IBM® Installation Manager

An online product repository is available to download and install IBM Semeru Runtime Certified Edition, Version 11 with IBM Installation Manager. For more information, see Online product repositories for Liberty offerings.

MicroProfile programming model support 4.1

Use features in the MicroProfile programming model to develop microservice applications for the enterprise. MicroProfile 4.1 is based on Jakarta EE 8. For more information, see the Open Liberty blog.

Verify the health of your microservices with MicroProfile Health Check 3.1

MicroProfile Health 3.1 introduces the Startup health check, which allows applications to define startup probes that are used for initial verification of the application before the Liveness probe takes over. This health check is useful for applications that require extra startup time on their first initialization. For more information, see Health checks for microservices.

Recover server transactions with peer recovery

You can configure Liberty servers to automatically recover transactions on behalf of other servers. For more information, see Transaction recovery in a cloud environment.

Achieve consistency across message, trace, and console logs with the new TBASIC logging format

A new log format is available in version 21.0.0.9. The TBASIC log format creates a consistent output format across the message, trace, and console logs. Previously, the output for the trace log differed from the output of the message and console logs. For more information, see the Open Liberty blog.

Programmatically determine the status of an endpoint

In version 21.0.0.9, the isActive method is added to the ServerEndpointControlMBean MBean. You can use this method to determine whether an endpoint exists, whether it is started, and whether it is paused. Previously, this MBean had no way to determine whether an endpoint existed and was started. For more information, see the API documentation.

Continuous fix pack delivery

WebSphere Application Server Liberty follows a continuous delivery process. Instead of delivering a large amount of content in a new version, new content is delivered gradually as optional installable features in of each fix pack. Because of the Liberty zero-migration policy, you can update to the latest fix pack and then continue to use your existing configuration and applications, with no unexpected change in behavior.

In contrast to WebSphere Application Server traditional, which has different fix packs for each version, Liberty has a single service stream. A Liberty fix pack contains the same content regardless of which product version you purchased. Fix pack 16.0.0.2 is the next Liberty fix pack after 8.5.5.9.

For installation information, see Installing Liberty.

Watch: The Liberty single-stream fix pack delivery video shows how Liberty fix packs are continuously delivered into a single service stream that applies to all product versions. [Transcript]

Fix pack numbering

For example, fix pack 16.0.0.2 refers to year 2016, release 0, modification 0, and the second fix pack of the year. For the third fix pack of 2018, the fix name would be 18.0.0.3.

This numbering change applies only to Liberty. WebSphere Application Server traditional fix packs continue to follow the V.R.M.F numbering scheme, where the letters stand for version, release, modification, and fix pack.