Status Under review
Workspace WebSphere Liberty
Created by Guest
Created on Mar 31, 2026

WebSphere Liberty AES256 custom key in XML not secured

Issue Details

From 26.0.0.3, default key usage is removed from Liberty for use with the securityUtility command for AES256 encoding of passwords.

A new solution was delivered in 25.0.0.12 for appending our own custom AES key for encryption of passwords. Here is the link:
https://www.ibm.com/docs/en/was-liberty/base?topic=slia-supplying-your-own-aes-256-key-password-encryption

We notice that the AES key generated and saved in the XML file is not secured, as shown below.
<variable name="wlp.aes.encryption.key" value="<base64_key>" />
<include location="/path/to/myAesKey.xml" />

The above value stored in the myAesKey.xml file is not secured; anyone who has access will be able to see the AES key, though it is base64 encoded.

Even though we can control the file with Linux permissions and place it in a secure location, users who have access to the file will be able to edit and view this myAesKey.xml, which has the AES key value.

If the AES key value is modified by any means in the XML, even by mistake, then the complete application hosted in the JVMs will be at threat.

From IBM, the default key was never revealed to date, but here the customer solution of a custom AES key expects users to have the AES key revealed to everyone! Why is it such a flawed design? Even for product users, the AES key should be secured.

Though in the product you are remediating CWE-321: Use of Hard-coded Cryptographic Key / CVE-2025-14923, the custom AES key solution shared will reveal and expose the end users' AES key without any protection.

Recommendation from product

Similar to WAS ND, can we have the AES key value secured and stored password-protected in a keystore file (aesKey.jceks or aesKey.p12 etc.) instead of storing it in an XML file?
https://www.ibm.com/docs/en/was/9.0.5?topic=aes-enabling-password-encryption-server-environment

Please provide any possible secured solution to store the AES key value in the product instead of an XML file.

Idea priority Urgent
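
While the key stays in an XML file, the Linux-permission control and the accidental-edit risk mentioned in the idea can at least be checked automatically. The following is an added example, not part of the original idea or IBM's code: it finds every XML file that sets `wlp.aes.encryption.key`, flags group/other access, and compares the content against a recorded SHA-256 baseline. The function names, the placeholder key value and the POSIX file-mode model are assumptions.

```python
import hashlib, os, stat
import xml.etree.ElementTree as ET

KEY_VAR = "wlp.aes.encryption.key"  # variable name from the idea's snippet

def sha256_of(path):
    """Hex SHA-256 of the file, used as a tamper baseline."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def defines_aes_key(path):
    """True if the XML file sets the wlp.aes.encryption.key variable."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return False
    return any(v.get("name") == KEY_VAR for v in root.iter("variable"))

def audit_key_file(path, expected_sha256=None):
    """Return findings for one key file; an empty list means clean."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o grants group/other access" % mode)
    parent = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    if parent & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is group/other writable")
    if expected_sha256 and sha256_of(path) != expected_sha256:
        findings.append("content differs from recorded baseline")
    return findings

def audit_tree(config_dir, baselines=None):
    """Map every key-bearing XML file under config_dir to its findings."""
    baselines = baselines or {}
    report = {}
    for dirpath, _dirs, files in os.walk(config_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".xml") and defines_aes_key(path):
                report[path] = audit_key_file(path, baselines.get(path))
    return report

if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()  # constructed sample: placeholder key, mode 0644
    p = os.path.join(d, "myAesKey.xml")
    with open(p, "w") as fh:
        fh.write('<server><variable name="%s" value="Q09OU1RSVUNURUQ="/></server>' % KEY_VAR)
    os.chmod(p, 0o644)
    print(audit_tree(d))
```

Record the baseline with `sha256_of` right after the key file is created, and store it somewhere the key file's editors cannot write.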