Open Liberty, Java Red Hat Runtimes, security

Red Hat Runtimes now supports the new Open Liberty Java runtime. Open Liberty features support for the Automatic Certificate Management Environment (ACME) protocol, which automates the process of obtaining a certificate signed by a certificate authority (CA). The Open Liberty release also includes many bug fixes.

Open Liberty is a fast, lightweight Java runtime for building cloud-native applications and microservices. It is compatible with MicroProfile and Jakarta EE and enables you to include as much or as little of Liberty as you need to support your application. With releases every four weeks and zero migration, it's easier to remain current and avoid technical debt.

In this article, I introduce the new ACME CA Support 2.0 (acmeCA-2.0) feature, including how to use it to install a CA-signed certificate. Visit Open Liberty's GitHub repository to view the list of fixed bugs for this release.

Run your apps using Open Liberty

Use the following coordinates to install Open Liberty with Maven:


For Gradle, use:

dependencies {
    libertyRuntime group: 'io.openliberty', name: 'openliberty-runtime', version: '[,)'

If you're using docker, it's:

FROM open-liberty

Install a signed certificate with ACME CA 2.0

By default, Open Liberty provides a self-signed certificate for transport security (SSL/TLS) support. The self-signed certificate lets you establish transport security right away, but most browsers will mark the certificate as insecure. As a result, users accessing your website will receive a warning or error message.

Having a CA-signed certificate solves this problem, but obtaining one can be costly. In some cases, a signed certificate might not be available during development and testing. A certificate signed by a public certificate authority, such as Let's Encrypt, offers a middle ground.

With Open Liberty, we've added support for the ACME protocol, which automates interactions between a certificate authority and your web server. You can use the new ACME CA 2.0 feature to install a CA-signed certificate for improved testing and user experience.

Add the acmeCA-2.0 feature in your server.xml

In your server.xml, simply provide the directory URI for a certificate authority that uses the ACME 2.0 protocol, along with the domain name for your Open Liberty server. The ACME provider calls back on port 80 to verify domain ownership. Once it has verified ownership, the CA issues a certificate. On starting, the Open Liberty server uses the provided CA directory URI to request the certificate. The CA-signed certificate is installed in the keystore and acts as the default certificate.

To include the ACME CA 2.0 feature in your Open Liberty installation, update your server.xml as follows:


<acmeCA directoryURI="" >

<httpEndpoint host="*" httpPort="80" httpsPort="443" id="defaultHttpEndpoint"/>
<keyStore password="password_for_keystore" id="defaultKeyStore"/>

See the ACME specification (RFC8555) and ACME Wikipedia page for a high-level view of the ACME protocol. See the Let's Encrypt homepage for more information about the ACME protocol and how it works.

Try Open Liberty in Red Hat Runtimes

Open Liberty is part of Red Hat Runtimes and is available to Red Hat Runtimes subscribers. To learn more about deploying Open Liberty applications to Red Hat OpenShift, see our Open Liberty guide, Deploying microservices to OpenShift. Open Liberty is available through Maven, Gradle, docker, and as a downloadable archive.

Last updated: October 6, 2020