From ff6a7594808c5dd35e98a20248ab35abb70e18fe Mon Sep 17 00:00:00 2001
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Mon, 11 May 2026 14:06:47 -0400
Subject: [PATCH 1/4] Add GENERATE_LTPA_KEYS_PASSWORD check

---
 README.md | 7 +++++++
 releases/26.0.0.5/full/helpers/runtime/docker-server.sh | 6 ++++++
 .../26.0.0.5/kernel-slim/helpers/runtime/docker-server.sh | 6 ++++++
 releases/latest/full/helpers/runtime/docker-server.sh | 6 ++++++
 .../latest/kernel-slim/helpers/runtime/docker-server.sh | 6 ++++++
 5 files changed, 31 insertions(+)

diff --git a/README.md b/README.md
index 35502bf8..2e9c4dc8 100644
--- a/README.md
+++ b/README.md
@@ -108,6 +108,13 @@ The following container image build variables are now **deprecated**. You should
 Single Sign-On can be optionally configured by adding Liberty server variables in an xml file, by passing environment variables (less secure), or by passing Liberty server variables in through the Liberty operator. See [SECURITY.md](SECURITY.md).
+The following runtime environment variables control security-related behavior:
+
+* `GENERATE_LTPA_KEYS_PASSWORD` (environment variable, 26.0.0.5+)
+  * Description: Automatically generates a secure random password for LTPA keys and exports it as the `ltpa_keys_password` environment variable. This prevents the LTPA service from failing with error `CWWKS4118E` when no LTPA keys password is configured.
+  * Default: `"true"`.
+  * Note: If `ltpa_keys_password` is already set, automatic generation is skipped. Set to `"false"` to disable.
+
 ## OpenJ9 Shared Class Cache (SCC)
 OpenJ9's SCC allows the VM to store Java classes in an optimized form that can be loaded very quickly, JIT compiled code, and profiling data. Deploying an SCC file together with your application can significantly improve start-up time. The SCC can also be shared by multiple VMs, thereby reducing total memory consumption.
diff --git a/releases/26.0.0.5/full/helpers/runtime/docker-server.sh b/releases/26.0.0.5/full/helpers/runtime/docker-server.sh
index 51a6b252..0d4ea47e 100755
--- a/releases/26.0.0.5/full/helpers/runtime/docker-server.sh
+++ b/releases/26.0.0.5/full/helpers/runtime/docker-server.sh
@@ -100,6 +100,12 @@ fi
 importKeyCert
+
+if [ "${GENERATE_LTPA_KEYS_PASSWORD:-true}" = "true" ] && [ -z "$ltpa_keys_password" ]; then
+  export ltpa_keys_password=$(openssl rand -base64 32 2>/dev/null)
+  echo "Generated ltpa_keys_password for LTPA configuration"
+fi
+
 # Infinispan Session Caching
 if [[ -n "$INFINISPAN_SERVICE_NAME" ]]; then
   echo "INFINISPAN_SERVICE_NAME(original): ${INFINISPAN_SERVICE_NAME}"
diff --git a/releases/26.0.0.5/kernel-slim/helpers/runtime/docker-server.sh b/releases/26.0.0.5/kernel-slim/helpers/runtime/docker-server.sh
index 51a6b252..0d4ea47e 100755
--- a/releases/26.0.0.5/kernel-slim/helpers/runtime/docker-server.sh
+++ b/releases/26.0.0.5/kernel-slim/helpers/runtime/docker-server.sh
@@ -100,6 +100,12 @@ fi
 importKeyCert
+
+if [ "${GENERATE_LTPA_KEYS_PASSWORD:-true}" = "true" ] && [ -z "$ltpa_keys_password" ]; then
+  export ltpa_keys_password=$(openssl rand -base64 32 2>/dev/null)
+  echo "Generated ltpa_keys_password for LTPA configuration"
+fi
+
 # Infinispan Session Caching
 if [[ -n "$INFINISPAN_SERVICE_NAME" ]]; then
   echo "INFINISPAN_SERVICE_NAME(original): ${INFINISPAN_SERVICE_NAME}"
diff --git a/releases/latest/full/helpers/runtime/docker-server.sh b/releases/latest/full/helpers/runtime/docker-server.sh
index 51a6b252..0d4ea47e 100755
--- a/releases/latest/full/helpers/runtime/docker-server.sh
+++ b/releases/latest/full/helpers/runtime/docker-server.sh
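Review bot: The `2>/dev/null` on the `openssl rand` call combined with `export ltpa_keys_password=$(...)` masks the failure case: if `openssl` is absent or `rand` fails, the substitution yields an empty string, the `export` still returns 0, and the script goes on with an empty `ltpa_keys_password` while printing "Generated ltpa_keys_password for LTPA configuration" — the very unconfigured state this block exists to prevent, now reported as success. Separate the assignment from the `export`, check that the result is non-empty, and fail loudly (or at minimum skip the export and the success message) when generation fails; the rewrite below does that. A second point worth a comment in the block: the value is regenerated on every container start, so if the LTPA keys file encrypted with it persists across restarts or is shared between replicas, a fresh random password presumably cannot decrypt it — state whether `GENERATE_LTPA_KEYS_PASSWORD=true` is meant for ephemeral single-instance use or confirm the keys are regenerated alongside it. The same block is added identically in the 26.0.0.5/kernel-slim, latest/full and latest/kernel-slim hunks, so the fix applies to all four.
```shell
if [ "${GENERATE_LTPA_KEYS_PASSWORD:-true}" = "true" ] && [ -z "$ltpa_keys_password" ]; then
  # Assign first, export second: `export v=$(cmd)` would hide a failing openssl.
  if ! ltpa_keys_password=$(openssl rand -base64 32) || [ -z "$ltpa_keys_password" ]; then
    echo "Error: failed to generate ltpa_keys_password (openssl rand failed)" >&2
    exit 1
  fi
  export ltpa_keys_password
  echo "Generated ltpa_keys_password for LTPA configuration"
fi
```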
@@ -100,6 +100,12 @@ fi
 importKeyCert
+
+if [ "${GENERATE_LTPA_KEYS_PASSWORD:-true}" = "true" ] && [ -z "$ltpa_keys_password" ]; then
+  export ltpa_keys_password=$(openssl rand -base64 32 2>/dev/null)
+  echo "Generated ltpa_keys_password for LTPA configuration"
+fi
+
 # Infinispan Session Caching
 if [[ -n "$INFINISPAN_SERVICE_NAME" ]]; then
   echo "INFINISPAN_SERVICE_NAME(original): ${INFINISPAN_SERVICE_NAME}"
diff --git a/releases/latest/kernel-slim/helpers/runtime/docker-server.sh b/releases/latest/kernel-slim/helpers/runtime/docker-server.sh
index 51a6b252..0d4ea47e 100755
--- a/releases/latest/kernel-slim/helpers/runtime/docker-server.sh
+++ b/releases/latest/kernel-slim/helpers/runtime/docker-server.sh
@@ -100,6 +100,12 @@ fi
 importKeyCert
+
+if [ "${GENERATE_LTPA_KEYS_PASSWORD:-true}" = "true" ] && [ -z "$ltpa_keys_password" ]; then
+  export ltpa_keys_password=$(openssl rand -base64 32 2>/dev/null)
+  echo "Generated ltpa_keys_password for LTPA configuration"
+fi
+
 # Infinispan Session Caching
 if [[ -n "$INFINISPAN_SERVICE_NAME" ]]; then
   echo "INFINISPAN_SERVICE_NAME(original): ${INFINISPAN_SERVICE_NAME}"

From adfd72d815d22e7b76f025ce7f3e5784f29a4fbf Mon Sep 17 00:00:00 2001
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Tue, 12 May 2026 15:17:13 -0400
Subject: [PATCH 2/4] Update README.md

---
 README.md | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 2e9c4dc8..ff9c08fc 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,10 @@ This section describes the optional build variables that can be enabled via the
   * XML Snippet Location: [hazelcast-sessioncache.xml](/releases/latest/kernel-slim/helpers/build/configuration_snippets/hazelcast-sessioncache.xml)
 * `VERBOSE`
   * Description: When set to `true` it outputs the commands and results to stdout from `configure.sh`. Otherwise, default setting is `false` and `configure.sh` is silenced.
+* `GENERATE_LTPA_KEYS_PASSWORD` (environment variable, 26.0.0.5+)
+  * Description: Automatically generates a secure random password for LTPA keys and exports it as the `ltpa_keys_password` environment variable. This prevents the LTPA service from failing with error `CWWKS4118E` when no LTPA keys password is configured.
+  * Default: `"true"`.
+  * Note: If `ltpa_keys_password` is already set, automatic generation is skipped. Set to `"false"` to disable.
 ### Deprecated Build Variables
@@ -108,12 +112,6 @@ The following container image build variables are now **deprecated**. You should
 Single Sign-On can be optionally configured by adding Liberty server variables in an xml file, by passing environment variables (less secure), or by passing Liberty server variables in through the Liberty operator. See [SECURITY.md](SECURITY.md).
-The following runtime environment variables control security-related behavior:
-
-* `GENERATE_LTPA_KEYS_PASSWORD` (environment variable, 26.0.0.5+)
-  * Description: Automatically generates a secure random password for LTPA keys and exports it as the `ltpa_keys_password` environment variable. This prevents the LTPA service from failing with error `CWWKS4118E` when no LTPA keys password is configured.
-  * Default: `"true"`.
-  * Note: If `ltpa_keys_password` is already set, automatic generation is skipped. Set to `"false"` to disable.
 ## OpenJ9 Shared Class Cache (SCC)

From 8e28663ab04327f65fc1f94c63fbec33faac703a Mon Sep 17 00:00:00 2001
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Tue, 12 May 2026 15:17:47 -0400
Subject: [PATCH 3/4] Update README.md

---
 README.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/README.md b/README.md
index ff9c08fc..c8307cb1 100644
--- a/README.md
+++ b/README.md
@@ -112,7 +112,6 @@ The following container image build variables are now **deprecated**. You should
 Single Sign-On can be optionally configured by adding Liberty server variables in an xml file, by passing environment variables (less secure), or by passing Liberty server variables in through the Liberty operator. See [SECURITY.md](SECURITY.md).
-
 ## OpenJ9 Shared Class Cache (SCC)
 OpenJ9's SCC allows the VM to store Java classes in an optimized form that can be loaded very quickly, JIT compiled code, and profiling data. Deploying an SCC file together with your application can significantly improve start-up time. The SCC can also be shared by multiple VMs, thereby reducing total memory consumption.

From e86968c4433a5437231a7612ecff04b7d7551a01 Mon Sep 17 00:00:00 2001
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Tue, 12 May 2026 15:20:35 -0400
Subject: [PATCH 4/4] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c8307cb1..2de50707 100644
--- a/README.md
+++ b/README.md
@@ -80,7 +80,7 @@ This section describes the optional build variables that can be enabled via the
   * XML Snippet Location: [hazelcast-sessioncache.xml](/releases/latest/kernel-slim/helpers/build/configuration_snippets/hazelcast-sessioncache.xml)
 * `VERBOSE`
   * Description: When set to `true` it outputs the commands and results to stdout from `configure.sh`. Otherwise, default setting is `false` and `configure.sh` is silenced.
-* `GENERATE_LTPA_KEYS_PASSWORD` (environment variable, 26.0.0.5+)
+* `GENERATE_LTPA_KEYS_PASSWORD` (26.0.0.5+)
   * Description: Automatically generates a secure random password for LTPA keys and exports it as the `ltpa_keys_password` environment variable. This prevents the LTPA service from failing with error `CWWKS4118E` when no LTPA keys password is configured.
   * Default: `"true"`.
   * Note: If `ltpa_keys_password` is already set, automatic generation is skipped. Set to `"false"` to disable.