ID: Support LTPA rotation without requiring planned outage #6821

Closed
utle opened this issue Aug 16, 2023 · 19 comments · Fixed by #7130
Labels: 23.0.0.12, peer reviewed, technical reviewed (An SME reviewed and approved the documentation from a technical perspective.)


utle commented Aug 16, 2023

Today, if a customer wants to change the LTPA keys file, they have to stop and restart the server, and existing tokens have to re-authenticate.

This feature supports customers rotating the LTPA keys without planning an outage, and existing tokens remain valid for SSO.


dmuelle commented Sep 5, 2023

Hi @utle - do you have any more information about the updates for this issue? Our doc freeze is 9/14, so the sooner we can get the info the better.

@dmuelle dmuelle self-assigned this Sep 6, 2023
@dmuelle dmuelle added 23.0.0.10 and removed 23.0.0.9 labels Sep 7, 2023
@dmuelle dmuelle modified the milestones: 23.0.0.9, 23.0.0.10 Sep 7, 2023

Zech-Hein commented Sep 7, 2023

Hi @dmuelle,

We are working on the beta blog now here: OpenLiberty/open-liberty#26138

We're going to want to make a new doc page, I think either under "security" or "security > Single Sign-On", called something like "LTPA keys rotation".

We're trying to put everything we have on the beta blog issue so far, and would like any feedback you can provide.

We'll want the new doc page to contain all the info from the beta blog.


dmuelle commented Sep 8, 2023

@Zech-Hein sounds good. You can add me as a reviewer when the beta blog draft PR is available. I'll work with you on getting that ready and then use it to write the doc for GA. Thanks

dmuelle added a commit that referenced this issue Sep 25, 2023
dmuelle added a commit that referenced this issue Sep 26, 2023
@dmuelle dmuelle mentioned this issue Sep 26, 2023

dmuelle commented Sep 26, 2023

Hi @Zech-Hein, the draft for this update is ready for review:

https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/feature/appSecurity-5.0.html#validationkeys

I think we need to provide some info about validationKeys password- is this the same password as the primary keys file? How is the password used?

Let me know if you see anything else that needs an edit. Thanks!

@dmuelle dmuelle modified the milestones: 23.0.0.10, 23.0.0.11 Sep 29, 2023

dmuelle commented Oct 23, 2023

Hi @utle @Zech-Hein - just circling back on technical review for this feature update. When you have a chance to review the update and the questions in my previous comment, let me know what further edits are needed. Thanks

@dmuelle dmuelle modified the milestones: 23.0.0.11, 23.0.0.12 Oct 27, 2023
@Zech-Hein

Hi @dmuelle, going through the draft now, a few notes to start with:

  1. We updated monitorDirectory to be monitorValidationKeysDir now.
  2. We updated notUseAfterDate to be validUntilDate now.

blog post issue for reference: OpenLiberty/open-liberty#27048

dmuelle added a commit that referenced this issue Nov 29, 2023
@mshah0722

There’s a typo in 2 spots where the closing tag is wrong:

<ltpa/> 

It should be:

</ltpa>

@Zech-Hein

There’s a typo in 2 spots where the closing tag is wrong:

<ltpa/> 

It should be:

</ltpa>

I had that incorrect on the blog post issue as well, I corrected it now.

dmuelle added a commit that referenced this issue Nov 29, 2023
@dmuelle dmuelle mentioned this issue Nov 29, 2023
Zech-Hein commented Nov 29, 2023

@dmuelle Also, we just added another section about a new updateTrigger attribute being added to the ltpa element. It may make sense to list the updateTrigger info under a different section outside of the rotating keys steps, as it is applicable to ltpa in general, not just the new validation keys.

UpdateTrigger is something that already existed for other elements like keystore, applicationMonitor, and config. We were trying to find a good doc page to link to for explaining how to use the mbean option for updateTrigger. The closest we found were:
https://www.ibm.com/docs/en/was-liberty/base?topic=SSEQTP_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_setup_dyn_upd.htm
https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-ssl-configuration-attributes

not sure if you knew of any that might be worth linking?

UpdateTrigger attribute added to LTPA element

LTPA keys files can be reloaded by the server if the updateTrigger attribute is set to polled or mbean. It is polled by default. If set to polled, then the server monitors the keys files for changes based on the rate set in the monitorInterval attribute. If the updateTrigger attribute is set to mbean then the server will reload the keys files when it receives notification from the WebSphere:service=com.ibm.ws.kernel.filemonitor.FileNotificationMBean MBean. For example:

<ltpa monitorValidationKeysDir="true" updateTrigger="mbean"/>

If updateTrigger is set to disabled then no file monitoring will occur.

@Zech-Hein

We updated
If the monitorInterval attribute is set to 0, the default value, the directory is not monitored.

To
Note that monitoring is only enabled when the updateTrigger is set to polled and the monitorInterval is set to a duration greater than 0. The default value of updateTrigger is polled and the default value of monitorInterval is 0.
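As an added example (not from this issue and not from the Open Liberty documentation), the following server.xml fragment puts the settings discussed in this thread together into one rotation-ready ltpa configuration: a primary keys file, one validationKeys entry with a validUntilDate, and polled monitoring that is actually switched on. The ltpa attributes keysFileName and keysPassword and the validationKeys attributes fileName and password are assumed names for the keys file and password settings; file names, passwords and the date are constructed placeholders.

```xml
<!-- Added example, not from this issue. Attribute names other than
     updateTrigger, monitorInterval, monitorValidationKeysDir and
     validUntilDate are assumptions; values are constructed placeholders. -->
<server>
    <featureManager>
        <feature>appSecurity-5.0</feature>
    </featureManager>

    <!-- Primary keys: used to create and validate new LTPA tokens.
         Polled monitoring only works when updateTrigger="polled" AND
         monitorInterval is greater than its default of 0. -->
    <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
          keysPassword="{xor}PLACEHOLDER_PRIMARY"
          updateTrigger="polled"
          monitorInterval="10s"
          monitorValidationKeysDir="true">

        <!-- Previous keys: kept only so tokens issued before the rotation
             still validate; rejected once validUntilDate has passed. -->
        <validationKeys fileName="${server.config.dir}/resources/security/validation1.keys"
                        password="{xor}PLACEHOLDER_OLD"
                        validUntilDate="2024-01-31T23:59:59Z"/>
    </ltpa>

    <!-- Silent misconfiguration to avoid (shown commented out): this looks
         like monitoring is on, but with monitorInterval left at its default
         of 0 the keys directory is never polled and edited keys files are
         never reloaded.

    <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
          keysPassword="{xor}PLACEHOLDER_PRIMARY"
          updateTrigger="polled"
          monitorValidationKeysDir="true">
    </ltpa>
    -->
</server>
```

If updateTrigger is changed to mbean, monitorInterval no longer matters: the server reloads the keys files only when it is notified through the WebSphere:service=com.ibm.ws.kernel.filemonitor.FileNotificationMBean MBean, and with updateTrigger set to disabled no reload happens at all, so a rotated keys file would not take effect until the next restart.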

dmuelle added a commit that referenced this issue Nov 30, 2023

dmuelle commented Nov 30, 2023

@Zech-Hein

UpdateTrigger is something that already existed for other elements like keystore, applicationMonitor, and config. We were trying to find a good doc page to link to for explaining how to use the mbean option for updateTrigger. The closest we found were:
https://www.ibm.com/docs/en/was-liberty/base?topic=SSEQTP_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_setup_dyn_upd.htm
https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-ssl-configuration-attributes

not sure if you knew of any that might be worth linking?

We don't link the Open Liberty docs back to IBM Docs, but there are a few places where updateTrigger is explained in OL doc. The closest to the link you posted is here: Server configuration overview: Dynamic updates. It's also briefly mentioned in Performance tuning for Open Liberty: Reduce idle server CPU time. Would either of those sections make sense for the new information?

Also, whatever description of updateTrigger is in the feature metatype will appear in the doc for the LTPA config element.

Zech-Hein commented Nov 30, 2023

We are looking for a doc section that shows how to use the FileNotificationMBean for UpdateTrigger="mbean" for Liberty in general, not just for LTPA. Setting "mbean" is just the setting to enable it, but using it is an entirely separate snippet of code.

There seems to be a hole in our docs for this, the only example we have found so far is from a z/OS connect doc: https://www.ibm.com/docs/en/zos-connect/zosconnect/3.0?topic=demand-invoking-filenotificationmbean-from-java-program

Maybe we could open up an issue for a FileNotificationMBean example to be added somewhere on openliberty.io/docs?

Ut had also found these two IBM docs:
https://www.ibm.com/docs/en/was-liberty/base?topic=jmx-working-mbeans-liberty
https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-list-provided-mbeans

but those don't have an example for FileNotificationMBean, just a small javadoc section.

they do list examples here: https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-examples-accessing-mbean-attributes-operations
I think it would be helpful if we had the FileNotificationMBean example added there.

We can leave that work as a separate TODO outside the scope of this feature


dmuelle commented Nov 30, 2023

Sounds good - please open a doc issue that describes the missing info. We would only add the content on the OL side, but we can point to it from the relevant IBM Docs topics. The exception would be if there is z/OS-specific info; that would get updated on the IBM Docs side.

@Zech-Hein

towards the bottom under 3. where we say
"Open Liberty automatically generates a new primary keys file to validate new LTPA tokens"

maybe could be reworded to
"Open Liberty automatically generates a new primary keys file to create and validate new LTPA tokens"

dmuelle added a commit that referenced this issue Dec 4, 2023
@Zech-Hein

Thanks David, looks good!

@Zech-Hein Zech-Hein added the technical reviewed An SME reviewed and approved the documentation from a technical perspective. label Dec 5, 2023

dmuelle commented Dec 5, 2023

Hi @ramkumar-k-9286 - this issue is ready for peer review:

https://docs-draft-openlibertyio.mqj6zf7jocq.us-south.codeengine.appdomain.cloud/docs/latest/reference/feature/appSecurity-5.0.html#validationkeys
