Merge branch 'release' of github.com:OpenLiberty/open-liberty into FI…

…PSwork
OpenLiberty · Dec 5, 2024 · bce29d1 · bce29d1
2 parents e1710ed + 4d57e9b
commit bce29d1
Show file tree

Hide file tree

Showing 85 changed files with 563 additions and 234 deletions.
diff --git a/dev/cnf/dependabot/check_this_in_if_it_changes/pom.xml b/dev/cnf/dependabot/check_this_in_if_it_changes/pom.xml
@@ -3214,7 +3214,7 @@
     <dependency>
       <groupId>org.eclipse.persistence</groupId>
       <artifactId>org.eclipse.persistence.core</artifactId>
-      <version>5.0.0-B03</version>
+      <version>5.0.0-B04</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.persistence</groupId>
@@ -3234,7 +3234,7 @@
     <dependency>
       <groupId>org.eclipse.persistence</groupId>
       <artifactId>org.eclipse.persistence.jpa.jpql</artifactId>
-      <version>5.0.0-B03</version>
+      <version>5.0.0-B04</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.persistence</groupId>
@@ -3254,7 +3254,7 @@
     <dependency>
       <groupId>org.eclipse.persistence</groupId>
       <artifactId>org.eclipse.persistence.jpa.modelgen.processor</artifactId>
-      <version>5.0.0-B03</version>
+      <version>5.0.0-B04</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.persistence</groupId>
@@ -3274,7 +3274,7 @@
     <dependency>
       <groupId>org.eclipse.persistence</groupId>
       <artifactId>org.eclipse.persistence.jpa</artifactId>
-      <version>5.0.0-B03</version>
+      <version>5.0.0-B04</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.persistence</groupId>
@@ -3284,7 +3284,7 @@
     <dependency>
       <groupId>org.eclipse.persistence</groupId>
       <artifactId>org.eclipse.persistence.json</artifactId>
-      <version>5.0.0-B03</version>
+      <version>5.0.0-B04</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.platform</groupId>

diff --git a/dev/cnf/oss_dependencies.maven b/dev/cnf/oss_dependencies.maven
@@ -638,21 +638,21 @@ org.eclipse.persistence:org.eclipse.persistence.asm:9.7.1
 org.eclipse.persistence:org.eclipse.persistence.core:2.7.15
 org.eclipse.persistence:org.eclipse.persistence.core:3.0.4
 org.eclipse.persistence:org.eclipse.persistence.core:4.0.3
-org.eclipse.persistence:org.eclipse.persistence.core:5.0.0-B03
+org.eclipse.persistence:org.eclipse.persistence.core:5.0.0-B04
 org.eclipse.persistence:org.eclipse.persistence.jpa.jpql:2.7.15
 org.eclipse.persistence:org.eclipse.persistence.jpa.jpql:3.0.4
 org.eclipse.persistence:org.eclipse.persistence.jpa.jpql:4.0.3
-org.eclipse.persistence:org.eclipse.persistence.jpa.jpql:5.0.0-B03
+org.eclipse.persistence:org.eclipse.persistence.jpa.jpql:5.0.0-B04
 org.eclipse.persistence:org.eclipse.persistence.jpa.modelgen.processor:2.7.15
 org.eclipse.persistence:org.eclipse.persistence.jpa.modelgen.processor:3.0.4
 org.eclipse.persistence:org.eclipse.persistence.jpa.modelgen.processor:4.0.3
-org.eclipse.persistence:org.eclipse.persistence.jpa.modelgen.processor:5.0.0-B03
+org.eclipse.persistence:org.eclipse.persistence.jpa.modelgen.processor:5.0.0-B04
 org.eclipse.persistence:org.eclipse.persistence.jpa:2.7.15
 org.eclipse.persistence:org.eclipse.persistence.jpa:3.0.4
 org.eclipse.persistence:org.eclipse.persistence.jpa:4.0.3
-org.eclipse.persistence:org.eclipse.persistence.jpa:5.0.0-B03
+org.eclipse.persistence:org.eclipse.persistence.jpa:5.0.0-B04
 org.eclipse.persistence:org.eclipse.persistence.json:4.0.3
-org.eclipse.persistence:org.eclipse.persistence.json:5.0.0-B03
+org.eclipse.persistence:org.eclipse.persistence.json:5.0.0-B04
 org.eclipse.platform:org.eclipse.osgi:3.21.0
 org.eclipse.transformer:org.eclipse.transformer.bnd.analyzer:0.5.0
 org.eclipse.transformer:org.eclipse.transformer.cli:0.5.0

diff --git a/dev/com.ibm.rls.jdbc/src/com/ibm/rls/jdbc/LogAccessTagger.java b/dev/com.ibm.rls.jdbc/src/com/ibm/rls/jdbc/LogAccessTagger.java
@@ -0,0 +1,17 @@
+/*******************************************************************************
+ * Copyright (c) 2024 IBM Corporation and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *******************************************************************************/
+package com.ibm.rls.jdbc;
+
+/**
+ * Switch on
+ */
+public class LogAccessTagger {
+
+}
diff --git a/...om.ibm.rls.jdbc/src/com/ibm/ws/recoverylog/custom/jdbc/impl/SQLMultiScopeRecoveryLog.java b/...om.ibm.rls.jdbc/src/com/ibm/ws/recoverylog/custom/jdbc/impl/SQLMultiScopeRecoveryLog.java
@@ -312,6 +312,9 @@ public class SQLMultiScopeRecoveryLog implements LogCursorCallback, MultiScopeLo
     private int _throttleWaiters;
     private final static int _waiterThreshold;
 
+    // Switch on SQL comments for testing
+    private static Boolean _tagSQL;
+
     static {
         int waiterThreshold = 6;
         try {
@@ -331,6 +334,17 @@ public Integer run() {
         _waiterThreshold = waiterThreshold;
         if (tc.isDebugEnabled())
             Tr.debug(tc, "Throttle waiter threshold set to ", _waiterThreshold);
+
+        try {
+            _tagSQL = AccessController.doPrivileged(
+                                                    new PrivilegedExceptionAction<Boolean>() {
+                                                        @Override
+                                                        public Boolean run() {
+                                                            return Boolean.getBoolean("com.ibm.ws.recoverylog.custom.jdbc.tagSQL");
+                                                        }
+                                                    });
+        } catch (PrivilegedActionException e) {
+        }
     }
 
     private boolean _throttleEnabled;
@@ -2709,7 +2723,7 @@ private void assertLogOwnershipAtOpenWithLatching(Connection conn) throws SQLExc
      */
     private void assertLogOwnershipAtOpenPeerLocking(Connection conn) throws SQLException, InternalLogException {
         if (tc.isEntryEnabled())
-            Tr.entry(tc, "assertLogOwnershipAtOpenPeerLocking", new java.lang.Object[] { conn, this });
+            Tr.entry(tc, "assertLogOwnershipAtOpenPeerLocking", conn, this);
 
         boolean takeLock = false;
         Statement readForUpdateStmt = null;
@@ -2718,7 +2732,7 @@ private void assertLogOwnershipAtOpenPeerLocking(Connection conn) throws SQLExce
 
         try {
             readForUpdateStmt = conn.createStatement();
-            readForUpdateRS = readHADBLock(readForUpdateStmt, _logIdentifierString);
+            readForUpdateRS = readHADBLock(readForUpdateStmt, _logIdentifierString, "--assertLogOwnershipAtOpenPeerLocking");
             if (readForUpdateRS.next()) {
                 // We found the HA Lock row
                 String storedServerName = readForUpdateRS.getString(1);
@@ -2967,10 +2981,8 @@ private void insertLockingRow(Connection conn, String fullTableName, short servi
                               fullTableName +
                               " (SERVER_NAME, SERVICE_ID, RU_ID, RUSECTION_ID, RUSECTION_DATA_INDEX, DATA)" +
                               " VALUES (?,?,?,?,?,?)";
-        if (tc.isDebugEnabled())
-            Tr.debug(tc, "Insert LOCKING row using - " + insertString);
 
-        int ret;
+        final int ret;
         try (PreparedStatement specStatement = conn.prepareStatement(insertString)) {
             specStatement.setString(1, _currentProcessServerName);
             specStatement.setShort(2, serviceId);
@@ -2982,10 +2994,8 @@ private void insertLockingRow(Connection conn, String fullTableName, short servi
             ret = specStatement.executeUpdate();
         }
 
-        if (tc.isDebugEnabled())
-            Tr.debug(tc, "Have inserted HA LOCKING ROW with return: " + ret);
         if (tc.isEntryEnabled())
-            Tr.exit(tc, "insertLockingRow");
+            Tr.exit(tc, "insertLockingRow", ret);
     }
 
     //------------------------------------------------------------------------------
@@ -3683,12 +3693,18 @@ public void closeConnectionAfterBatch(Connection conn, int initialIsolation) thr
 
     // helper method
     private ResultSet readHADBLock(Statement lockingStmt, String logIdentifierString) throws SQLException {
+        return readHADBLock(lockingStmt, logIdentifierString, "");
+    }
+
+    // helper method
+    private ResultSet readHADBLock(Statement lockingStmt, String logIdentifierString, String sqltag) throws SQLException {
         // Use RDBMS SELECT FOR UPDATE to lock table for recovery
         String queryString = "SELECT SERVER_NAME, RUSECTION_ID" +
                              " FROM " + _recoveryTableName + logIdentifierString + _recoveryTableNameSuffix +
                              (DBProduct.Sqlserver == dbProduct ? " WITH (ROWLOCK, UPDLOCK, HOLDLOCK)" : "") +
                              " WHERE RU_ID=-1" +
-                             (DBProduct.Sqlserver == dbProduct ? "" : " FOR UPDATE");
+                             ((DBProduct.Sqlserver == dbProduct ? "" : " FOR UPDATE") +
+                              (_tagSQL ? sqltag : ""));
         if (tc.isDebugEnabled())
             Tr.debug(tc, "Attempt to select the HA LOCKING ROW for UPDATE - " + queryString);
         return lockingStmt.executeQuery(queryString);
@@ -3955,7 +3971,7 @@ private void assertDBTableExists(Connection conn, String logIdentifierString) th
             try {
                 touchStmt = conn.createStatement();
                 // This is just a touch test to see if we need to create the table (surely we could use  DatabaseMetaData.getTables)
-                touchRS = readHADBLock(touchStmt, logIdentifierString);
+                touchRS = readHADBLock(touchStmt, logIdentifierString, "--assertDBTableExists");
 
                 if (touchRS != null)
                     try {
@@ -4446,7 +4462,8 @@ boolean internalClaimRecoveryLogs(Connection conn, boolean isHomeServer) throws
                              " FROM " + _recoveryTableName + "PARTNER_LOG" + _recoveryTableNameSuffix +
                              (DBProduct.Sqlserver == dbProduct ? " WITH (ROWLOCK, UPDLOCK, HOLDLOCK)" : "") +
                              " WHERE RU_ID=-1" +
-                             (DBProduct.Sqlserver == dbProduct ? "" : " FOR UPDATE");
+                             ((DBProduct.Sqlserver == dbProduct ? "" : " FOR UPDATE") +
+                              (_tagSQL ? "--internalClaimRecoveryLogs" : ""));
         if (tc.isDebugEnabled())
             Tr.debug(tc, "Attempt to select the HA LOCKING ROW for UPDATE using - " + queryString);
 

diff --git a/...pserver.features/visibility/public/mpTelemetry-1.0/io.openliberty.mpTelemetry-1.0.feature b/...pserver.features/visibility/public/mpTelemetry-1.0/io.openliberty.mpTelemetry-1.0.feature
@@ -11,6 +11,7 @@ IBM-API-Package: \
   io.opentelemetry.api.baggage.propagation;type="third-party",\
   io.opentelemetry.api;type="third-party",\
   io.opentelemetry.api.trace;type="third-party",\
+  io.opentelemetry.api.trace.propagation;type="third-party",\
   io.opentelemetry.api.common;type="third-party",\
   io.opentelemetry.context;type="third-party",\
   io.opentelemetry.context.propagation;type="third-party",\

diff --git a/...pserver.features/visibility/public/mpTelemetry-1.1/io.openliberty.mpTelemetry-1.1.feature b/...pserver.features/visibility/public/mpTelemetry-1.1/io.openliberty.mpTelemetry-1.1.feature
@@ -11,6 +11,7 @@ IBM-API-Package: \
   io.opentelemetry.api.baggage.propagation;type="third-party",\
   io.opentelemetry.api;type="third-party",\
   io.opentelemetry.api.trace;type="third-party",\
+  io.opentelemetry.api.trace.propagation;type="third-party",\
   io.opentelemetry.api.common;type="third-party",\
   io.opentelemetry.context;type="third-party",\
   io.opentelemetry.context.propagation;type="third-party",\

diff --git a/...pserver.features/visibility/public/mpTelemetry-2.0/io.openliberty.mpTelemetry-2.0.feature b/...pserver.features/visibility/public/mpTelemetry-2.0/io.openliberty.mpTelemetry-2.0.feature
@@ -11,6 +11,7 @@ IBM-API-Package: \
   io.opentelemetry.api.baggage.propagation;type="third-party",\
   io.opentelemetry.api;type="third-party",\
   io.opentelemetry.api.trace;type="third-party",\
+  io.opentelemetry.api.trace.propagation;type="third-party",\
   io.opentelemetry.api.common;type="third-party",\
   io.opentelemetry.api.metrics;type="third-party",\
   io.opentelemetry.api.logs;type="third-party",\

diff --git a/...ws.2.2.webcontainer_fat/publish/servers/LibertyCXFNegativePropertiesTestServer/server.xml b/...ws.2.2.webcontainer_fat/publish/servers/LibertyCXFNegativePropertiesTestServer/server.xml
@@ -24,7 +24,7 @@
 	<javaPermission className="java.security.AllPermission"
 		name="*" actions="*" />
 
-	<webApplication id="" name="libertyCXFProperty" cotext-root="libertyCXFProperty" location="libertyCXFProperty.war">
+	<webApplication id="" name="libertyCXFProperty" context-root="libertyCXFProperty" location="libertyCXFProperty.war">
 		<webservices-bnd> 	
 			<webservice-endpoint-properties enableLoggingInOutInterceptor="true"/>  		
             <service-ref name="services/ImageServicePropertyImplService"

diff --git a/...ws.2.2.webcontainer_fat/publish/servers/LibertyCXFPositivePropertiesTestServer/server.xml b/...ws.2.2.webcontainer_fat/publish/servers/LibertyCXFPositivePropertiesTestServer/server.xml
@@ -24,7 +24,7 @@
 	<javaPermission className="java.security.AllPermission"
 		name="*" actions="*" />
 
-	<webApplication id="" name="libertyCXFProperty" cotext-root="libertyCXFProperty" location="libertyCXFProperty.war">
+	<webApplication id="" name="libertyCXFProperty" context-root="libertyCXFProperty" location="libertyCXFProperty.war">
 		<webservices-bnd> 	
 			<webservice-endpoint-properties enableLoggingInOutInterceptor="true"/>  		
             <service-ref name="services/ImageServicePropertyImplService"

diff --git a/dev/com.ibm.ws.jbatch.open_fat/fat/src/batch/fat/junit/DynamicConfigRuleCheckpoint.java b/dev/com.ibm.ws.jbatch.open_fat/fat/src/batch/fat/junit/DynamicConfigRuleCheckpoint.java
@@ -54,7 +54,7 @@ public static void log(String method, String msg) {
     public static interface ServerSetup<T extends Throwable> {
         /**
          * Setup the server
-         * @return      the checkpointed server
+         * @return the checkpointed server
          * @throws T
          */
         public LibertyServer call() throws T;
@@ -138,7 +138,7 @@ public Statement apply(Statement base, Description desc) {
 
     /**
      * Statement class - performs the before/after operations around a
-     * call to the base Statement's evaulate() method (which runs the test).
+     * call to the base Statement's evaluate() method (which runs the test).
      */
     protected class DynamicConfigStatement extends Statement {
 

diff --git a/...com.ibm.ws.jsp/src/com/ibm/ws/jsp/webcontainerext/AbstractJSPExtensionServletWrapper.java b/...com.ibm.ws.jsp/src/com/ibm/ws/jsp/webcontainerext/AbstractJSPExtensionServletWrapper.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 1997, 2022 IBM Corporation and others.
+ * Copyright (c) 1997, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -17,6 +17,7 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.AccessController;
+import java.security.AllPermission;
 import java.security.CodeSource;
 import java.security.PermissionCollection;
 import java.security.PrivilegedActionException;
@@ -617,28 +618,7 @@ protected void createClassLoader() {
         }
         URL[] urls = null;
         try {
-            PermissionCollection permissionCollection = createPermissionCollection();
-            /*
-            PermissionCollection permissionCollection = Policy.getPolicy().getPermissions(codeSource);
-
-            ClassLoader loader = tcontext.getJspClassloaderContext().getClassLoader();
-            if (loader instanceof ReloadableClassLoader || loader instanceof CompoundClassLoader) {
-                Map csPerms = null;
-                if (loader instanceof ReloadableClassLoader)
-                    csPerms = ((ReloadableClassLoader) loader).getCodeSourcePermissions();
-                else
-                    csPerms = ((CompoundClassLoader) loader).getCodeSourcePermissions();
-                DynamicPolicy policy = DynamicPolicyFactory.getInstance();
-                if (policy != null) {
-                    URL webinfURL = new URL(codeSource.getLocation() + "/WEB-INF/classes/*");
-                    CodeSource webinfCS = new CodeSource(webinfURL, null);
-                    permissionCollection = ((DynamicPolicy) policy).getPermissions(webinfCS, csPerms);
-                }
-            }
-            */
-
-            String sourceDir = jspResources.getGeneratedSourceFile().getParentFile().toString() + File.separator + "*";
-            permissionCollection.add(new FilePermission(sourceDir, "read"));
+            PermissionCollection permissionCollection = createPermissionCollectionImpl();
 
             Container container = tcontext.getServletContext().getModuleContainer();
             ArrayList<URL> urlList = new ArrayList<URL>();
@@ -696,6 +676,27 @@ protected void createClassLoader() {
         }
     }
 
+    private static final PermissionCollection ALLPERMISSIONS;
+    static {
+        AllPermission allPerm = new AllPermission();
+        ALLPERMISSIONS = allPerm.newPermissionCollection();
+        if (ALLPERMISSIONS != null) {
+            ALLPERMISSIONS.add(allPerm);
+        }
+    }
+
+    private PermissionCollection createPermissionCollectionImpl() throws MalformedURLException {
+        if (System.getSecurityManager() == null) {
+            // No need to do anything else when there is no security manager.
+            // This handles cases where the security manager isn't supported (e.g. Java 24).
+            return ALLPERMISSIONS;
+        }
+        PermissionCollection permissionCollection = createPermissionCollection();
+        String sourceDir = jspResources.getGeneratedSourceFile().getParentFile().toString() + File.separator + "*";
+        permissionCollection.add(new FilePermission(sourceDir, "read"));
+        return permissionCollection;
+    }
+
     /* A request to a JSP page that has a request parameter with name jsp_precompile
      * is a precompilation request. This method determines if it is this type of request.*/
     boolean preCompile(HttpServletRequest request) throws ServletException {

diff --git a/dev/com.ibm.ws.security.authorization.jacc.ejb/bnd.bnd b/dev/com.ibm.ws.security.authorization.jacc.ejb/bnd.bnd
@@ -57,4 +57,5 @@ Import-Package: \
 	com.ibm.ws.logging;version=latest,\
 	io.openliberty.security.authorization.internal.jacc.1.5;project=com.ibm.ws.security.authorization.jacc;source=none,\
 	org.jmock:jmock-junit4;strategy=exact;version=2.5.1,\
-	org.jmock:jmock;strategy=exact;version=2.5.1
+	org.jmock:jmock;strategy=exact;version=2.5.1, \
+	com.ibm.ws.kernel.service;version=latest
diff --git a/dev/com.ibm.ws.security.authorization.jacc.web/bnd.bnd b/dev/com.ibm.ws.security.authorization.jacc.web/bnd.bnd
@@ -59,5 +59,6 @@ Import-Package: \
 	com.ibm.ws.kernel.boot;version=latest,\
 	com.ibm.ws.logging;version=latest,\
 	io.openliberty.security.authorization.internal.jacc.1.5;project=com.ibm.ws.security.authorization.jacc;source=none,\
-	com.ibm.websphere.org.osgi.core
+	com.ibm.websphere.org.osgi.core, \
+	com.ibm.ws.kernel.service;version=latest
 
diff --git a/dev/com.ibm.ws.security.authorization.jacc/bnd.bnd b/dev/com.ibm.ws.security.authorization.jacc/bnd.bnd
@@ -37,7 +37,8 @@ instrument.classesExcludes: com/ibm/ws/security/authorization/jacc/internal/reso
 	com.ibm.websphere.appserver.spi.kernel.service;version=latest, \
 	com.ibm.websphere.security;version=latest, \
 	com.ibm.ws.security;version=latest, \
-	com.ibm.ws.org.osgi.annotation.versioning;version=latest
+	com.ibm.ws.org.osgi.annotation.versioning;version=latest, \
+	com.ibm.ws.kernel.service;version=latest
 
 -testpath: \
 	../build.sharedResources/lib/junit/old/junit.jar;version=file, \

diff --git a/.../src/io/openliberty/security/authorization/jacc/internal/proxy/JavaSePolicyProxyImpl.java b/.../src/io/openliberty/security/authorization/jacc/internal/proxy/JavaSePolicyProxyImpl.java
@@ -17,12 +17,14 @@
 
 import javax.security.auth.Subject;
 
+import com.ibm.ws.kernel.service.util.JavaInfo;
 import com.ibm.ws.security.authorization.jacc.common.PolicyProxy;
 
 public class JavaSePolicyProxyImpl implements PolicyProxy {
 
     private static ProtectionDomain nullPd = new ProtectionDomain(new CodeSource(null, (java.security.cert.Certificate[]) null), null, null, null);
     private static CodeSource nullCs = new CodeSource(null, (java.security.cert.Certificate[]) null);
+    private static final boolean isJava24OrLater = JavaInfo.majorVersion() >= 24;
 
     private final Policy policy;
 
@@ -42,7 +44,9 @@ public void refresh() {
 
     @Override
     public void setPolicy() {
-        Policy.setPolicy(policy);
+        if (!isJava24OrLater) {
+            Policy.setPolicy(policy);
+        }
     }
 
     @Override
@@ -54,6 +58,6 @@ public boolean implies(String contextId, Subject subject, Permission permission)
         } else {
             pd = nullPd;
         }
-        return Policy.getPolicy().implies(pd, permission);
+        return (isJava24OrLater ? policy : Policy.getPolicy()).implies(pd, permission);
     }
 }
diff --git a/dev/com.ibm.ws.ssl/resources/OSGI-INF/l10n/metatype.properties b/dev/com.ibm.ws.ssl/resources/OSGI-INF/l10n/metatype.properties
@@ -50,7 +50,7 @@ repertoire.MEDIUM=Cipher suites DES and 40 bit
 repertoire.LOW=Cipher suites without encryption
 repertoire.CUSTOM=Custom list of cipher suites
 repertoire.verifyHostname=Host name verification
-repertoire.verifyHostname.desc=Specifies whether host name verification for outbound connections using a specific SSL configuration is enabled. If set to true, then all outbound SSL connections that use the specified SSL configuration undergo verification of the target server host name against that server's certificate. The attribute is set to true by default.
+repertoire.verifyHostname.desc=Specifies whether host name verification for outbound connections using a specific SSL configuration is enabled. If set to true, then all outbound SSL connections that use the specified SSL configuration undergo verification of the target server host name against that server's certificate.
 repertoire.skipHostnameVerificationForHosts=Skip host name verification for hosts
 repertoire.skipHostnameVerificationForHosts.desc=Specifies the hostname that allow to skip the host name verification for outbound connection using a specific SSL configuration.
 repertoire.trustDefaultCerts=Trust the default certificates