From 73fa215a9f2c224833760f54352dba8739e418d7 Mon Sep 17 00:00:00 2001 From: Riya Arora Date: Tue, 7 Jul 2026 11:16:46 -0400 Subject: [PATCH 1/3] Document AES password encryption for featureUtility Added documentation explaining how to encrypt passwords using securityUtility encode command with AES encryption. Includes the CWWKF1374E warning message that users will see if they use unencrypted passwords. Related to OpenLiberty/open-liberty#35200 --- .../command/featureUtility-commands.adoc | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/modules/reference/pages/command/featureUtility-commands.adoc b/modules/reference/pages/command/featureUtility-commands.adoc index 627931c11..45fc853e0 100644 --- a/modules/reference/pages/command/featureUtility-commands.adoc +++ b/modules/reference/pages/command/featureUtility-commands.adoc @@ -132,6 +132,26 @@ remoteRepo2.user=operator remoteRepo2.password={aes}KM8dhwcv892Ss1sawu9R+ ---- +=== Encrypt repository passwords + +For security, passwords in the `featureUtility.properties` file should be encrypted using the AES encryption algorithm. Use the `securityUtility encode` command to encrypt passwords before adding them to the properties file. + +To encrypt a password, run the following command: + +---- +securityUtility encode --encoding=aes myPassword +---- + +The command outputs the encrypted password in the format `{aes}encryptedValue`. Copy this encrypted value and use it as the password in your `featureUtility.properties` file, as shown in the previous example. + +If you use an unencrypted password in the `featureUtility.properties` file, the `featureUtility` commands display the following warning message: + +---- +CWWKF1374E: The password is not encrypted. Password must be encrypted using the securityUtility command with the AES cryptography algorithm as the recommended --encoding option. +---- + +For more information about the `securityUtility encode` command, see xref:command/securityUtility-encode.adoc[securityUtility encode]. + == Disable Maven Central fallback From 3a1a4ae6a1bd2fc4a462992ebc58c3c718533093 Mon Sep 17 00:00:00 2001 From: Riya Arora Date: Tue, 7 Jul 2026 11:59:04 -0400 Subject: [PATCH 2/3] Add documentation for AES encryption key sources --- .../reference/pages/command/featureUtility-commands.adoc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/reference/pages/command/featureUtility-commands.adoc b/modules/reference/pages/command/featureUtility-commands.adoc index 45fc853e0..953f04275 100644 --- a/modules/reference/pages/command/featureUtility-commands.adoc +++ b/modules/reference/pages/command/featureUtility-commands.adoc @@ -150,6 +150,15 @@ If you use an unencrypted password in the `featureUtility.properties` file, the CWWKF1374E: The password is not encrypted. Password must be encrypted using the securityUtility command with the AES cryptography algorithm as the recommended --encoding option. ---- + +=== Specify the AES encryption key + +By default, featureUtility uses the Liberty default AES encryption key to decrypt passwords. If you encrypted your password with a custom key, you must provide that key to featureUtility using one of the following methods: + +* Set the `WLP_AES_ENCRYPTION_KEY` environment variable. +* Specify the `wlp.password.encryption.key` or `wlp.aes.encryption.key` property in the `featureUtility.properties` file. + +featureUtility also automatically loads the encryption key from the `bootstrap.properties` or `server.env` file of the specified server when running `featureUtility installServerFeatures`. For more information about the `securityUtility encode` command, see xref:command/securityUtility-encode.adoc[securityUtility encode]. From 42a64b5f30ea6dfd6c725db06dca274b493ca7c2 Mon Sep 17 00:00:00 2001 From: Riya Arora Date: Tue, 7 Jul 2026 16:30:34 -0400 Subject: [PATCH 3/3] Address review feedback: simplify encryption docs and move properties to table --- .../command/featureUtility-commands.adoc | 31 +++---------------- 1 file changed, 5 insertions(+), 26 deletions(-) diff --git a/modules/reference/pages/command/featureUtility-commands.adoc b/modules/reference/pages/command/featureUtility-commands.adoc index 953f04275..27da457de 100644 --- a/modules/reference/pages/command/featureUtility-commands.adoc +++ b/modules/reference/pages/command/featureUtility-commands.adoc @@ -82,6 +82,10 @@ a|Configures the outbound HTTP proxy. |`proxyHost`, `proxyPort`, `proxyUser`, and `proxyPassword` a|Configures the outbound HTTPS proxy. +|`WLP_AES_ENCRYPTION_KEY` +|`wlp.password.encryption.key` or `wlp.aes.encryption.key` +|Specifies a custom AES encryption key for decrypting passwords. If not specified, featureUtility uses the Liberty default AES encryption key. featureUtility also automatically loads the encryption key from the `bootstrap.properties` or `server.env` file of the specified server when running `featureUtility installServerFeatures`. + |=== {empty} + @@ -134,32 +138,7 @@ remoteRepo2.password={aes}KM8dhwcv892Ss1sawu9R+ === Encrypt repository passwords -For security, passwords in the `featureUtility.properties` file should be encrypted using the AES encryption algorithm. Use the `securityUtility encode` command to encrypt passwords before adding them to the properties file. - -To encrypt a password, run the following command: - ----- -securityUtility encode --encoding=aes myPassword ----- - -The command outputs the encrypted password in the format `{aes}encryptedValue`. Copy this encrypted value and use it as the password in your `featureUtility.properties` file, as shown in the previous example. - -If you use an unencrypted password in the `featureUtility.properties` file, the `featureUtility` commands display the following warning message: - ----- -CWWKF1374E: The password is not encrypted. Password must be encrypted using the securityUtility command with the AES cryptography algorithm as the recommended --encoding option. ----- - - -=== Specify the AES encryption key - -By default, featureUtility uses the Liberty default AES encryption key to decrypt passwords. If you encrypted your password with a custom key, you must provide that key to featureUtility using one of the following methods: - -* Set the `WLP_AES_ENCRYPTION_KEY` environment variable. -* Specify the `wlp.password.encryption.key` or `wlp.aes.encryption.key` property in the `featureUtility.properties` file. - -featureUtility also automatically loads the encryption key from the `bootstrap.properties` or `server.env` file of the specified server when running `featureUtility installServerFeatures`. -For more information about the `securityUtility encode` command, see xref:command/securityUtility-encode.adoc[securityUtility encode]. +For security, passwords in the `featureUtility.properties` file should be encrypted. The AES encryption algorithm is recommended. Use the `securityUtility encode` command to encrypt passwords before adding them to the properties file. For more information, see xref:command/securityUtility-encode.adoc[securityUtility encode]. == Disable Maven Central fallback