Open Standard Enterprise Java and our Secure Future Initiative

Microsoft

Feb 03, 2025

Microsoft's Secure Future Initiative (SFI) is committed to building a secure future. Java is committed to a secure future, present, and past. Combine the two and you have secure eternity. 😜

Microsoft Azure is the best place for enterprise Java workloads. Whether you are using plain Java SE, Spring Boot and its many sub-projects, or a Jakarta EE and MicroProfile runtime, our portfolio of Java support has first class, framework-native, compute offerings and detailed guidance to give you confidence in your choice of Azure for your mission critical Java workloads. This blog post covers the Jakarta EE and MicroProfile part of our Java on Azure portfolio, and specifically how our Secure Future Initiative (SFI) is supported by Jakarta EE and MicroProfile on Azure.

What is Jakarta EE and MicroProfile on Azure?

Our product offering for Jakarta EE and MicroProfile on Azure is partner driven and Azure native. We recognize that our partners are the experts in the Java frameworks that power many Fortune 500 companies [boss magazine 2024-10-25]. Microsoft has partnered with Oracle, IBM, and Red Hat to build a portfolio based on two pillars: 1. Azure portal deployment experiences and 2. step-by-step guidance. These Azure portal deployment experiences are Azure-native and are maintained and supported by each partner. The step-by-step guidance shows users exactly how to implement advanced use-cases using the partner’s Jakarta EE and MicroProfile products. Direct links to the portal experiences and guidance are included later in this blog post. The landing page for Jakarta EE and MicroProfile on Azure is at https://aka.ms/java/ee .

What is the Secure Future Initiative (SFI) and how does it relate to Jakarta EE and MicroProfile on Azure?

The Secure Future Initiative is our name for Microsoft’s comprehensive, top-to-bottom, vision-backed implementation of security for every aspect for all our products. Microsoft has been doing security at scale for half a century, but in November 2023 we launched SFI to give our users and partners a transparent look at exactly how we are delivering on our promise to be the most secure hyperscale cloud. Everything you need to learn about, and follow along with, the SFI can be found on the SFI landing page. The remainder of this section breaks down a few of the ways SFI is implemented in our Jakarta EE and MicroProfile on Azure portfolio.

Jakarta EE and MicroProfile on Azure is not an Azure service. Instead of being a service, users of the portfolio are empowered to run the software in their own tenancy, or even on their own sites with their own hardware, using Azure Local. As such, it’s important to understand how SFI applies to Jakarta EE and MicroProfile on Azure.

SFI is explained in terms of principles, foundations and pillars. The principles are 1. Secure by design. 2. Secure by default and 3. Secure operations. This table breaks down how we implement these principles for each of the Azure portal deployment experiences: Oracle WebLogic Server, IBM Web Sphere Application Server and Liberty, and Red Hat JBoss EAP.

Partner	Secure by design	Secure by default	Secure operations
Oracle WebLogic Server	For AKS the offer is tightly integrated with Oracle Container Registry, which contains the most secure and up-to-date Critical Patch Update releases. For virtual machines, Oracle maintains the base images and allows easy registration with MyOracleSupport to get Critical Patch Updates.	For AKS, the deployment experience requires providing your Oracle Container Registry credentials. Users can easily choose to pull from pre-approved secure patched WebLogic Server images.	For AKS, easy integration with Microsoft Defender for Cloud ensures continually updated threat monitoring. For complete details see, What is Microsoft Defender for Cloud? For Virtual Machines, the Azure Virtual Machine marketplace continually monitors all VM images and notifies vendors of vulnerabilities. Vendors, including Oracle continually update their images based on this guidance.
IBM WebSphere Application Server and Liberty	For AKS, the offer supports deploying fully secure WebSphere Liberty. For virtual machines, IBM maintains the VM images or a quarterly update schedule.	For AKS, the deployment experience makes it easy to use the supported version. For virtual machines, in addition to IBM’s quarterly update process, the deployment action also updates the deployed VM to the latest secure patches from IBM with OWASP and CIS compliance.	For AKS, easy integration with Microsoft Defender for Cloud ensures continually updated threat monitoring. For complete details see, What is Microsoft Defender for Cloud? For Virtual Machines, the Azure Virtual Machine marketplace continually monitors all VM images and notifies vendors of vulnerabilities. Vendors, including Oracle continually update their images based on this guidance.
Red Hat JBoss EAP	For Azure Red Hat OpenShift, security is built into the service as described in Security for Azure Red Hat OpenShift. The portal experience uses the JBoss EAP Operator. The operator is designed to deliver the most secure and supported EAP version to run on OpenShift. For Virtual Machines, Red Hat maintains all the images on a regular update schedule. For more, see Security considerations for Red Hat Enterprise Linux on Azure.	For virtual machines, in addition to Red Hat’s process to continually update the base images, the VM is registered with your Red Hat account at deployment time and the latest patches are applied.	For Virtual Machines, the Azure Virtual Machine marketplace continually monitors all VM images and notifies vendors of vulnerabilities. Vendors, including Oracle continually update their images based on this guidance.

On top of the principles are the foundations: 1. A security first-culture, 2. The ability to integrate with security governance, 3. Continuous security improvement, 4. “Paved paths” that optimize productivity, compliance, and security.

The Jakarta EE and MicroProfile on Azure team has ongoing engineering meetings with the developers at each of our partners. These meetings allow us to reinforce our security-first culture from Microsoft, and allow it to build on the existing security cultures at each of our partners.
Security governance, as described in SFI, is about aligning security efforts with business priorities and technical implementations. One way this is implemented in our portal experiences is by integration with Azure Policy in the use of Tags. All of our offers support tags, for more on tags, see Manage tag governance with Azure Policy.
The first two foundations enable the third. We are constantly revising and improving our portal experiences and guidance with input from the experts in Azure core.
The final foundation, “paved paths” is the most visible manifestation of SFI in the Jakarta EE on Azure portfolio. For more on the paved paths and how they relate to Jakarta EE and MicroProfile on Azure, see the next section.

Finally, after the principles and foundations, come the six pillars of SFI. These pillars are very clear and detailed goals and actions that Microsoft uses to secure how it runs Azure and its own mission critical business operations. Because the Jakarta EE and MicroProfile on Azure offers are not an Azure first party service, the pillars are not directly applicable. Even so, Microsoft is making the pillars transparent so you can apply them in your own operations, safe in the knowledge that our fifty years of security experience are baked into every one of them. You can read the pillars at Secure Future Initiative pillars.

What are the paved paths and how do they apply to Jakarta EE and MicroProfile on Azure?

In the context of SFI, paved paths are best practices that optimize productivity, compliance, and security. Because step-by-step guidance is a big part of the Jakarta EE and MicroProfile on Azure portfolio, it makes sense to think of the guidance as paved paths. In fact, we recently audited our entire portfolio for SFI compliance. We focused specifically on usage of the “Resource Owner Password Credential (ROPC)” pattern. Strictly speaking, this pattern comes from the world of OAuth 2.0. We use the term ROPC to include any usage of username and password credentials that could possibly be replaced by a usage of managed identities for Azure resources. Wherever possible, we have replaced the use of ROPC with a more SFI compliant approach that does the same thing. For more details on ROPC, see Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials. For more details on managed identities for Azure resources, see What are managed identities for Azure resources?

The following tables list, for each supported Jakarta EE and MicroProfile on Azure runtime, the portal deployment experiences, corresponding paved paths and some specific notes about SFI compliance.

Oracle WebLogic Server on Azure

Azure compute offer	Deploy it now	Paved paths	SFI notes
AKS	https://aka.ms/wlsaks	Deploy WebLogic Server on Azure Kubernetes Service using the Azure portal - Azure Kubernetes Service WebLogic Server step-by-step guidance Tutorial: Migrate Oracle WebLogic Server to Azure Kubernetes Service (AKS) with geo-redundancy	Use passwordless database connection with managed identities. The username/password approach is still shown in a separate embedded tab. Recommendation to use patched images.
Virtual machines	https://aka.ms/wls-vm-admin https://aka.ms/wls-vm-cluster https://aka.ms/wls-vm-base-images	Quickstart: Deploy WebLogic Server on Azure Virtual Machines (VMs) - Azure Virtual Machines Configure Passwordless Database Connections for Java Apps on Oracle WebLogic Server	Use SSH for VM login.

IBM WebSphere Application Server (traditional)

Azure compute offer	Deploy it now	Paved paths	SFI notes
Virtual machines	https://aka.ms/twas-cluster-portal https://aka.ms/twas-single-portal https://aka.ms/twas-nd-vm-portal	Deploy WebSphere Application Server Cluster on Azure VMs

IBM WebSphere and Open Liberty

Azure compute offer	Deploy it now	Paved paths	SFI notes
AKS	https://aka.ms/liberty-aks	Deploy a Java application with Open Liberty/WebSphere Liberty on an Azure Kubernetes Service (AKS) cluster - Azure Kubernetes Service Tutorial: Migrate WebSphere Liberty/Open Liberty to Azure Kubernetes Service (AKS) with high availability and disaster recovery	Use managed identity for container registry access. Use Service Connector for easy passwordless database connection.
Azure Red Hat OpenShift	https://aka.ms/liberty-aro	WebSphere Liberty and Open Liberty on Azure Red Hat OpenShift
Azure Container Apps	Not applicable	Deploy a Java Application with Open Liberty or WebSphere Liberty on Azure Container Apps	Use managed identity for container registry access. Use Service Connector for easy passwordless database connection.

Red Hat JBoss EAP

Azure compute offer	Deploy it now	Paved paths	SFI notes
Azure Red Hat OpenShift	https://aka.ms/eap-aro-portal	Quickstart: JBoss EAP on Azure Red Hat OpenShift - Azure Red Hat OpenShift Manually Deploy a Java Application with JBoss EAP on an Azure Red Hat OpenShift Cluster	Workload identity not yet supported on Azure Red Hat OpenShift.
Virtual machines	https://aka.ms/eap-vm-vmss-portal https://aka.ms/eap-vm-single-portal https://aka.ms/eap-vm-cluster-portal https://aka.ms/eap-vm-base-images	Tutorial: Install JBoss EAP on Azure Virtual Machines (VMs) manually	Use passwordless database connection with managed identities.

Red Hat Quarkus

Azure compute offer	Paved paths	SFI notes
AKS	Deploy Quarkus on Azure Kubernetes Service - Azure Kubernetes Service	Use passwordless database connection with managed identities. Use Service Connector for easy passwordless database connection.
Azure Container Apps	Deploy a Java Application with Quarkus on Azure Container Apps	Use passwordless database connection with managed identities. Use Service Connector for easy passwordless database connection.
Azure Functions	Deploy serverless Java apps with Quarkus on Azure Functions
Multiple compute offers	Quarkus with Microsoft Entra ID	Use of OIDC is SFI compliant.

Summary

Microsoft has partnered with the leading enterprise Java vendors to build Azure-native deployment experiences and guidance for the most popular enterprise Java products. Through SFI, Microsoft is committed to continually update this portfolio to be the most secure way to run Java at scale in the cloud.

Updated Feb 03, 2025

Version 2.0

Microsoft

Joined July 12, 2019

View Profile

Apps on Azure Blog

Follow this blog board to get notified when there's new activity