Include Liberty base FIPS140-3 profile in WLP installs

abutch3r · abutch3r · commit f2abae3bec66 · 2025-10-02T14:46:55.000+01:00
Add new task that copies the base Liberty platform into lib directory.
As this is the base Liberty profile, it is included within the Lib directory as the file is owned by the product.

Included as part of PackageLibertyWithFeatures as the new task works for wlp-embeddable and ol-dev images which include the entire `wlp` directory, but the file is not pulled in as part of the OL GA, NOSHIP or BETA Images without a copy as we do for the relevant licenses and notices files
diff --git a/dev/build.image/build.gradle b/dev/build.image/build.gradle
@@ -48,6 +48,13 @@ task copyPropertiesToBuildImage (type:Copy) {
            tokens: [PRODUCT_VERSION: bnd.libertyRelease, PRODUCT_EDITION: bnd.productEdition, PRODUCT_LICENSE_TYPE: bnd.productLicenseType])
 }
 
+task copyFips1403PropertiesToBuildImage( type: Copy) {
+    dependsOn jar
+    from project.file('publish/wlp/security')
+    into project.file('wlp/lib/security/fips140_3')
+    include 'FIPS140-3-Liberty.properties'
+}
+
 task copyPublicKeyToBuildImage (type:Copy) {
     dependsOn jar
     from project.file('publish')
@@ -154,6 +161,7 @@ jar {
 assemble {
     dependsOn publishTemplates
     dependsOn copyPropertiesToBuildImage
+    dependsOn copyFips1403PropertiesToBuildImage
     dependsOn addServiceFingerprint
     dependsOn copyReadmeToBuildImage
     dependsOn copyBetaLicenseToBuildImage
@@ -317,6 +325,12 @@ class PackageLibertyWithFeatures extends DefaultTask {
                 into "$outputTo/wlp"
             }
 
+            project.copy {
+                from project.file('wlp')
+                include 'lib/security/fips140_3/FIPS140-3-Liberty.properties'
+                into "$outputTo/wlp"
+            }
+
             if(isBeta) {
                 //Now add the BETA_NOTICES file
                 project.copy {
diff --git a/dev/build.image/publish/wlp/security/FIPS140-3-Liberty.properties b/dev/build.image/publish/wlp/security/FIPS140-3-Liberty.properties
@@ -0,0 +1,28 @@
+# org.objectweb.asm.commons.SerialVersionUIDAdder: Allow for SHA-1 to generate SerialVersionUID's to conform Java specification
+# org.eclipse.persistence.internal.libraries.asm.commons.SerialVersionUIDAdder: Allow for SHA-1 to generate SerialVersionUID's to conform Java specification
+# org.apache.yoko.rmi.impl.ValueDescriptor: Alloww for SHA-1 to generate the hash code for the RepositoryId
+# com.ibm.ws.wsoc.util.Utils: Allow SHA-1 for the generation of the Sec-WebSocket-Accept header
+# com.ibm.security.certclient.util.PkUtils: Allof for SHA-1 to generate of certificate Key Identifier(KID) value
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.desc.name = OpenJCEPlusFIPS Cryptographic Module FIPS 140-3 for Liberty
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.extends = RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Strongly-Enforced
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.1 = com.ibm.crypto.plus.provider.OpenJCEPlusFIPS [+ \
+    {MessageDigest, SHA-1, *, FullClassName:org.objectweb.asm.commons.SerialVersionUIDAdder}, \
+    {MessageDigest, SHA-1, *, FullClassName:org.eclipse.persistence.internal.libraries.asm.commons.SerialVersionUIDAdder}, \
+    {MessageDigest, SHA-1, *, FullClassName:org.apache.yoko.rmi.impl.ValueDescriptor}, \
+    {MessageDigest, SHA-1, *, FullClassName:com.ibm.ws.wsoc.util.Utils}, \
+    {MessageDigest, SHA-1, *, FullClassName:com.ibm.security.certclient.util.PkUtils}]
+
+# For Collectives
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.7 = com.ibm.ws.collective.security.internal.provider.CollectiveProvider
+
+# For WebServices / SAML (uses JCE underneath)
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.8 = org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.9 = org.apache.wss4j.dom.transform.STRTransformProvider
+# Reserved Providers in case new providers are required
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.10 = io.openliberty.PLACEHOLDER
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.11 = io.openliberty.PLACEHOLDER
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.12 = io.openliberty.PLACEHOLDER
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.13 = io.openliberty.PLACEHOLDER
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.14 = io.openliberty.PLACEHOLDER
+RestrictedSecurity.OpenJCEPlusFIPS.FIPS140-3-Liberty.jce.provider.15 = io.openliberty.PLACEHOLDER
+
