v21.0.0.6 topics to Staging #4279

Merged
merged 14 commits into from
May 28, 2021
26 changes: 24 additions & 2 deletions modules/ROOT/pages/admin-center.adoc
Expand Up @@ -67,7 +67,7 @@ image::ui_login.png[The Admin Center login screen,align="center"]

== Select tools from the Toolbox

After you log in to Admin Center, the browser displays the **Toolbox**, which contains tools such as the **Server Config** and **Explore** tools and a bookmark to link:https://openliberty.io[openliberty.io]. The following screen capture shows the Admin Center **Toolbox**:
After you log in to Admin Center, the browser displays the **Toolbox**, which contains tools such as the **Server Config** and **Explore** tools and a bookmark to link:https://openliberty.io[openliberty.io]. The following screen capture shows the Admin Center **Toolbox**:

image::ui_toolbox.png[align="center"]

Expand Down Expand Up @@ -128,14 +128,36 @@ You can add more resource metrics to the **Monitor** view by selecting the **Edi
[#batch]
=== Manage Java batch jobs with the Java Batch tool

If you configure the feature:batchManagement[display=Batch Management] feature, you can access the **Java Batch** tool. With this tool, you can view the progress and status of your Java batch jobs, manage their instances, and view their log files. The following screen capture shows the **Java Batch** tool:
If you configure the feature:batchManagement[display=Batch Management] feature, you can access the **Java Batch** tool. With this tool, you can view the progress and status of your Java batch jobs, manage their instances, and view their log files. The following screen capture shows the **Java Batch** tool:

image::ui_javaBatchTool.png[align="center"]

Each batch job has an **Actions** icon, which you can select to stop, restart, or purge the job, and a **View Logs** icon, which you can select to view the job logs. To view details and metrics for a batch job, hover over the **Batch Job Name** and select an option from the tooltip menu.

If batch jobs or job logs are on remote servers, link:/guides/cors.html[configure cross origin region sharing (CORS)] on each remote server. CORS enables Admin Center to request job information from remote servers.

The Batch Management feature requires custom authorization to view and manage batch jobs. To use the Java Batch tool, you must configure a `com.ibm.ws.batch` custom authorization role, in addition to the reader or administrator management role that is required to access the Admin Center. The following `server.xml` file example shows configuration for a `wanda` user who is granted the administrator management role and the batchAdmin custom authorization role:

[source,xml]
----
<administrator-role>
<user>wanda</user>
</administrator-role>

<authorization-roles id="com.ibm.ws.batch">
<security-role name="batchAdmin">
<user name="wanda"/>
</security-role>
</authorization-roles>
----

With this configuration, the user has authorization to view and manage any configured Java batch jobs.

A `com.ibm.ws.batch` custom authorization role can also be combined with the reader management role. This combination still allows full access to the Java Batch tool but provides read-only access to other Admin Center resources.

However, if no custom batch authorization role is configured, even a user in the administrator management role cannot view or manage Java batch jobs. For more information, see https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-securing-batch-environment[Securing the Liberty batch environment].


[#openid]
=== Administer Open ID Connect Provider tasks with the OpenID Connect (OIDC) tools

Expand Down
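Review bot: The added paragraph that begins "A `com.ibm.ws.batch` custom authorization role can also be combined with the reader management role" promises full access to the Java Batch tool for any role under `com.ibm.ws.batch`, but the only role this hunk names and configures is `batchAdmin`. Name the role that sentence depends on, and consider a second `server.xml` example for the reader combination, since that is the lower-privilege setup and the one shown grants the administrator management role. Two smaller points: `batchAdmin` in the sentence that introduces the example should be in backticks like `com.ibm.ws.batch`, and the two blank lines before `[#openid]` can be one.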
2 changes: 1 addition & 1 deletion modules/ROOT/pages/java-se.adoc
Expand Up @@ -23,6 +23,6 @@ For more information, see https://openliberty.io/blog/2019/02/06/java-11.html[Op

Due to differences between Java SE 8 and Java SE 11, an Open Liberty application that runs on Java SE 8 might not run on Java SE 11. For more information, see https://docs.oracle.com/en/java/javase/11/migrate/index.html#JSMIG-GUID-C25E2B1D-6C24-4403-8540-CFEA875B994A[Oracle Java SE 11 migration guide].

== Java SE 16
== Java SE 15
Open Liberty runs on any recent Java SE 16 release from AdoptOpenJDK, OpenJDK, or Oracle. Java SE 16 is not a long-term supported release and standard support is scheduled to end in September 2021. Keep in mind, if you download your Java SDK from https://adoptopenjdk.net/index.html?variant=openjdk16&jvmVariant=openj9[AdoptOpenJDK], https://www.eclipse.org/openj9/[Eclipse OpenJ9] has a better memory footprint and startup profile than https://openjdk.java.net/groups/hotspot/[HotSpot].
For more information, see https://openliberty.io/blog/2019/02/06/java-11.html[Open Liberty and Java 11].
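Review bot: The heading pair in this hunk is `== Java SE 16` and `== Java SE 15`, but the paragraph directly under it describes Java SE 16 throughout, including the `variant=openjdk16` download link and the September 2021 end of standard support. If the heading that results from this change is `== Java SE 15`, it contradicts its own section and should read `== Java SE 16`. The closing "For more information" link in this section also points at the Java 11 blog post, which is worth replacing or dropping in the same change.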
21 changes: 15 additions & 6 deletions modules/ROOT/pages/network-hardening.adoc
Expand Up @@ -76,15 +76,15 @@ This configuration element permits proxies by using the specified IP addresses t

[source,xml]
----
<httpDispatcher trustedSensitiveHeaderOrigin=10.20.30.40, 10.20.50.60 />
<httpDispatcher trustedSensitiveHeaderOrigin="10.20.30.40, 10.20.50.60" />
----

If your Open Liberty deployment doesn't include any proxies, set the following attributes in the `server.xml` file:

[source,xml]
----
<webContainer trusted=false /> or
<httpDispatcher trustedHeaderOrigin=none />
<webContainer trusted="false" /> or
<httpDispatcher trustedHeaderOrigin="none" />
----

The `trusted` attribute on the `webContainer` configuration element enables the application server to use inbound private headers from the web server plug-in.
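Review bot: In the second source block, `<webContainer trusted="false" /> or` keeps the word "or" inside the XML listing, so the block is still not valid `server.xml` content even after the attribute values are quoted. Split it into two source blocks joined by a sentence, or move the "or" into an XML comment, so that either element can be pasted as shown. The sentence above the block says "set the following attributes" without saying whether one or both are needed, which the stray "or" currently leaves to the reader.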
Expand All @@ -110,7 +110,7 @@ Set the following attribute in the `server.xml` file to require that LTPA cookie

[source,xml]
----
<webAppSecurity ssoRequiresSSL='true' />
<webAppSecurity ssoRequiresSSL="true" />
----

As a best practice, replace LTPA keys regularly.
Expand All @@ -123,7 +123,7 @@ The following example tells browsers to restrict the use of LTPA cookies to only

[source,xml]
----
<webAppSecurity httpOnlyCookies='true' />
<webAppSecurity httpOnlyCookies="true" />
----

You can also use the `cookieHttpOnly` attribute to help prevent cross-site scripting attacks.
Expand All @@ -132,7 +132,15 @@ Browsers that support the `HttpOnly` field don't allow client-side scripts to ac

[source,xml]
----
<httpSession cookieHttpOnly='true' />
<httpSession cookieHttpOnly="true" />
----

When a user logs out from an application that is protected by LTPA, the LTPA token value is destroyed on the client side.
To ensure that an LTPA token cannot be reused on the same server after a user logs out, set the `trackLoggedOutSSOCookies` attribute to `true`. This attribute specifies whether to track LTPA tokens that are logged out on a server so that a token cannot be reused on the same server after logout:

[source,xml]
----
<webAppSecurity trackLoggedOutSSOCookies="true" />
----

[#welcome-page-headers]
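Review bot: The new `trackLoggedOutSSOCookies` paragraph says twice that the token cannot be reused "on the same server" but never states what that means for other servers that accept the same LTPA token. Say explicitly that the tracking is per server, so readers who run several servers behind single sign-on know what this setting does and does not cover. The second sentence also repeats itself ("To ensure that an LTPA token cannot be reused on the same server after a user logs out" and "so that a token cannot be reused on the same server after logout"); one of the two clauses can go.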
Expand Down Expand Up @@ -163,6 +171,7 @@ Setting the `disableXPoweredBy` attribute to the value of `true` disables the X-
<webContainer disableXPoweredBy="true" />
----


[#session-overflow]
== Session overflow
Restrict the number of sessions that can be created for applications that use in-memory sessions by disabling HTTP session overflow.
Expand Down