Set LTPA key password as part of Liberty container image startup script

[leochr]

Liberty runtime removed the default LTPA key password in 26.0.0.4. More details are here.

Note that this change doesn't impact users with keysPassword already defined in the <ltpa /> element. For example, the LTPA managed by manageLTPA feature of Liberty Operator is NOT impacted.

Liberty runtime would use keystore_password from server.env, from server creation time, to re-encrypt the LTPA keys in the ltpa.keys file, but server.env is not included with Liberty container images as server is created as part of building official Liberty container images and server.env is not shipped - to avoid shipping the same passwords to all users.

It seems that setting a random password for ltpa_keys_password environment variable as part of the Liberty container startup script, if the env is not already set by user, would avoid the runtime exception, but we need to first confirm with Security team that it won’t override any config from user for LTPA under any scenario as well as test and validate.

We should also add a variable to skip the generation of this password: i.e. GENERATE_LTPA_KEYS_PASSWORD

[leochr]

Thank you for the PRs Kirby.

Adding @arkarkala and @NottyCode to provide an update and get feedback.

Changes to Liberty containers to set a randomly generated value for ltpa_keys_password environment variable, as part of its startup script, is ready.

User provided LTPA key password via server.xml, server.env or their application Deployment or Dockefile would take precedence over the value from the Liberty container startup script.

Precedence from highest to lowest:

1. Server XML <ltpa keysPassword="<content>">
2. server.env containing ltpa_keys_password added by the user
3. Env ltpa_keys_password set in Kubernetes Deployment (or OpenLibertyApplication CR if using the Liberty Operator)
4. Env ltpa_keys_password from application Containerfile
5. Env from Liberty container startup script (we only set this if env is not already set by the user via 3 or 4)

@arkarkala Could you please review the above results/behaviour for LTPA keys password and confirm that its as expected? Is there anything else we didn’t cover?

@NottyCode Please let us know if you have any feedback or concerns.

We are targeting to include this with the 26.0.0.5 containers, planned to be released next Tuesday, May 19th. Refreshing the images of 26.0.0.4 will stop on Monday, but we can consider including this with 26.0.0.4 if you think that it’s necessary.

The container release builds for 26.0.0.5 will be run Monday morning. So please provide feedback by noon EDT tomorrow (Friday, May 15), so we have the rest of tomorrow to make any last-minute changes. Thank you.