IBM Security Scanner for WebSphere Application Server

 

Introduction

IBM Security Scanner for WebSphere Application Server  is a command-line Java tool that checks for some of the potential security vulnerabilities caused by improper or incorrect WebSphere Application Server security configuration. The tool produces an HTML report that contains the security configuration checks performed, the status of each check, a corrective action if necessary and a link to the information center task related to the corrective action. The tool runs on WebSphere Application Server Versions 5.x and 6.0.x.

The IBM WebSphere Developer Technical Journal article WebSphere Application Server V5 Advanced Security and System Hardening identifies many of the checks that are performed and why they are important. Although the article refers to WebSphere Application Server Version 5, the information applies to version 6.0.x as well.

What the tool does

It scans static WebSphere Application Server (Base and Network Deployment only) security configuration files to look for potential vulnerabilities
It attempts to identify security configuration changes that could strengthen the security of the WebSphere Application Server

What the tool does not do

The tool does not check for  runtime penetration vulnerabilities. 
The tool is not a general purpose WebSphere Application Server configuration diagnostic tool intended to aid in the problem determination of configuration problems.
The tool is not a fail safe guarantee that system is totally secure.
The tool does not do network, host, physical, or operating system security vulnerability analysis.

Important Note: This tool can only point out WebSphere Application Server configuration items which, if corrective action is taken, may improve the overall security of the WebSphere Application server. IBM makes no claim or guarantee that the tool detects all possible security configuration issues or that if corrective action is taken for the items it does detect, that the WebSphere Application Server system will be completely secure from any or all possible threats. Network security, operating system security, physical security, in addition to WebSphere Application Security, should all be considered.

License Agreement 

License agreement files are provided in multiple languages within the tool. Refer to the paragraph on "Files present within the Tool" to find out where the license files are located

Tool Support

As mentioned in the license agreement, this tool has no warranty and comes with no formal support.  It is provided "as is".  However, any feedback on the tool provided at the download site will be appreciated.

WebSphere Application Server Security Configuration Items Checked

The following table enumerates the WebSphere Application Server Security Configurations checked for by the tool

Core Security Configuration Items Checked

Description of the Check

Global Security

Checks if Global Security is enabled on the WebSphere Application Server installation

Certificates

The expiration date of certificates used by WebSphere Application Server is displayed. The tool also checks if the certificate is a default certificate that is shipped as part of the product.
 

CORBA Namespace

Checks whether CORBA Namespace is protected

SSL between WebSphere Application Server and LDAP

Checks if SSL is enabled between WebSphere Application Server and LDAP sever

Authentication Mechanism

Checks to see the authentication mechanism being used

Encryption for Distributed Replication Service (DRS)

Checks if encryption is enabled for DRS

 

Sample Applications

Checks if sample applications are installed

Administrative User Ids

Checks to see if multiple administrative userids are defined

Extended Security Configuration Items Checked

Description of the Check

 

Administrative Roles

Checks to see if multiple administrative roles are defined

WebContainer HTTPS

Checks if the WebContainer has HTTPS transports defined

Java2 security

Checks to see if Java2 security is enabled and if it is enabled, it checks if overly generous Java2 permissions are set

 

History

30 June 2005: IBM Security Scanner for WebSphere Application Server version 1.0 Published at the IBM Support site.

 

Prerequisites

The tool runs on the following versions of WebSphere Application Server

The tool runs on the following operating systems

Limitations

The following are limitations of the tool

Files present within the tool

The tool reads various WebSphere Application Server configuration files and related WebSphere Application Server installed artifacts in order to perform the security checks. This tool also depends upon and uses many of the libraries of the installed WebSphere Application Server. The tool is packaged as a zip file, wsst.zip. This zip file contains the following files:

    1. The classesToRun property determines which security checks to perform. Remove a particular class name from this list in order to skip the security check
    2. The viewClass determines the format of output generated. The only valid value for this is com.ibm.wsst.HtmlView
    3. The third property, outputFile is to specify the output file. The default value, outputFile=default creates an output in the format report_Date_Time.html

Installation and Launch Instructions

OS/400, Windows, UNIX and zOS

Complete the following steps to install the tool on OS/400, Windows, UNIX and zOS

  1. Place the wsst.zip file in any directory on the machine that has the WebSphere Application Server installation to be scanned. For example, you could create a “security_scanner” directory under “/usr/IBM/WebSphere/AppServer” or “C:\Program Files\WebSphere\AppServer” and place the zip file under it.
  2. Unzip (or unjar) the wsst.zip file. On unzipping, a directory "wsst" is created containing the files mentioned under "Files present within the tool"
  3. Change the current directory to the directory "wsst" created on unzipping the wsst.zip file.
  4. Edit the script file (wsst.bat for windows or wsst.sh for UNIX and zOS or wsstxx.qsh for OS/400) in the directory "wsst" to change WAS_HOME to point to a WebSphere Application Server installation, for example C:\WebSphere\AppServer or /usr/IBM/WebSphere/AppServer on the same machine. 
      Note:  

Complete the following steps to launch the tool on OS/400, Windows, UNIX and zOS

  1. Run the script file (wsst.bat for Windows, wsst.sh for UNIX, and wsstxx.qsh for OS/400) on the command line from the same directory "wsst" that was created on unzipping wsst.zip.
  2. For all operating systems other than OS/400, the tool prompts for the WebSphere Application Server installation to be scanned, hit <return> to scan the WebSphere Application Server installation pointed to by WAS_HOME in the script file, or input another WebSphere Application Server installation on the same machine to be scanned from the command line. (Note: The version of this WebSphere Application Server to be scanned can be different from the one mentioned in WAS_HOME)
  3. The tool outputs the name of the WebSphere Application Server installation ( for v5.0.x and v5.1.x) or the WebSphere Application Server profile name ( for v6.0.x) being scanned and the name of each security check being performed along with it’s status on system out. For v5.0.x and v5.1.x on OS/400 the tool outputs the Websphere Application Server instance name.
  4.  A report in the format hostname_report_Date_Time.html is generated after the tool completes running. Open the report in the browser to view the result of the scan.

Interpreting the output report

The output report has the name of the WebSphere Application Server installation scanned along with the build details of the installation at the top of the report. Also mentioned at the top of the report are the version of the tool that generated the report and the date and time the report was generated.

 

The report has 3 sections. The first section reports on the security checks performed. The status of each check is either “OK” or “Improvements Possible”. If the status is "OK", then the configuration item does not need improvement or a corrective action. If the status is “Improvements Possible” look for the “Area of Concern” to understand what was detected by the check and why it could be a potential problem. Look at the “Corrective Action” column to see how to address the issue. The “InfoCenter Task Reference” column points to the exact link in InfoCenter that can be followed in order to perform the “Corrective Action”.

 

The second section of the report is “Extended Checks”. These are some of the security configurations found which may or may not be a security concern depending on your setup. The intention of the “Extended Checks” is to make you aware of the status of these security configurations.

 

The third section of the report is present if any errors are detected when performing a check. It reports on the errors encountered when performing a check. If a check cannot be completed due to errors, it does not appear under the first two sections, but appears in the third section along with the error encountered.

 

If the tool is run on a WebSphere Application Server Version 6.0.x or WebSphere Application Server Network Deployment version 6.0.x installation that has multiple profiles, the tool performs all the security checks against each profile. The output report will have 3 sections for each profile (the error section will only appear if errors were encountered).

 

At the end of the report, helpful links are provided. To understand the security configurations and why that they are needed, see the link to the IBM WebSphere Developer Technical Journal article on WebSphere Application Security Hardening appears that refer to in order to understand the security configurations and why they are needed. A link is also provided to the IBM support website that has the latest updates and fixes available.

All possible values for each security check

The following tables shows all the possible values for each security check

Core Security Configuration Items Table

Security Configuration Item Name Value of Status
Possible values for Area of Concern Value of Corrective Action
Global Security (High Priority) OK
Global Security is enabled. Only users with specific rights can use the WebSphere Application Server administrative tools to perform any administrative operation
No action required
Improvements Possible Global Security is disabled. By default, WebSphere Application Server uses no security. This means that all network links are insecure and that any user with access to the deployment manager (HTTP to the Web admin console, or SOAP/IIOP to the JMX management ports) can use the WebSphere Application Server administrative tools to perform any administrative operation, up to and including removing existing servers.
Enable Global Security
Certificate Checker (High Priority) OK Certificate for SSLConfig: IBM-2RI44RCU0TCNode01/WebContainerSSLSettings, key file: C:\WebSphere\AppServer\profiles\default\etc\keys\WASWebContainer.jks, alias: waswebcontainer will expire on Thu May 25 14:03:17 CDT 2006
No action required
Improvements Possible Certificate for SSLConfig: IBM-2RI44RCU0TCNode01/DefaultSSLSettings, key file: C:\WebSphere\AppServer\profiles\default\/etc/DummyServerKeyFile.jks, alias: websphere dummy server is a default certificate from IBM and should not be used. The certificate will expire on Wed Oct 13 15:39:20 CDT 2021
Create a new certificate
Improvements Possible Certificate for SSLConfig: IBM-2RI44RCU0TCNode01/WebContainerSSLSettings, key file: C:\WebSphere\AppServer\profiles\default\etc\keys\WASWebContainer.jks, alias: test will expire on Tue Jul 26 10:12:47 CDT 2005 Warning: Certificate expires in less than 90 days!
Create a new certificate
Improvements Possible Certificate for SSLConfig: Client Authentication setting in sas.client.props file, key file: C:/Program Files/WebSphere/DeploymentManager/etc/DummyClientKeyFile.jks, alias: websphere dummy client is a default certificate from IBM and should not be used. The certificate has expired, it expired on Thu Mar 17 14:05:45 CST 2005
Create a new certificate
CORBA Namespace Security (High Priority) OK CORBA Naming roles are configured  No action required
Improvements Possible The CORBA Namespace can be modified by All Authenticated users. Any authenticated user can alter the JNDI namespace.

The default naming security policy is to grant all users read access to the CosNaming space and to grant any authenticated user the privilege to modify the contents of the CosNaming space. You can  restrict user access to the CosNaming space. 

Configure CORBA Naming Roles
Improvements Possible The CORBA Namespace can be modified by Everyone. Anyone can alter the JNDI namespace.

The default naming security policy is to grant all users read access to the CosNaming space and to grant any authenticated user the privilege to modify the contents of the CosNaming space. You can restrict user access to the CosNaming space. 

Configure CORBA Naming Roles
Improvements Possible Global Security is not enabled, therefore security policies are not enforced. As a result, anyone can modify CORBA Namespace.
Enable Global Security and configure  CORBA Naming Roles
SSL usage between LDAP and WebSphere Application Server (Medium Priority) Improvements Possible Global Security is not enabled, cannot check if LDAP user registry is being used Configure a user registry as part of Enabling Global Security
OK User Registry is LDAP. SSL between WebSphere Application Server and LDAP is enabled
This ensures that the communication between WebSphere Application Server and LDAP is encrypted

No action required
Improvements Possible User Registry is LDAP. SSL between WebSphere Application Server and LDAP is disabled
The communication between WebSphere Application Server and LDAP is not encrypted

Enable SSL between WebSphere Application Server and LDAP User Registry
OK User registry being used is not LDAP

No action required
Authentication Mechanism (Medium Priority) Improvements Possible Global Security is not enabled, therefore no authentication mechanism is being used Choose an authentication mechanism as part of Enabling Global Security.
Improvements Possible LTPA Authentication is not enabled. SWAM Authentication is being used. SWAM is weaker than LTPA since it relies on the HTTP Session for maintaining state. SWAM authentication is not forwardable to remote EJBs and cannot be used in distributed environments such WebSphere Application Server Network Deployment.  SWAM is intended for simple, non-distributed, single appserver run-time environments.
Use LTPA Authentication mechanism in distributed environments and for Single Sign On (SSO)
OK LTPA Authentication mechanism is enabled. Lightweight Third Party Authentication (LTPA) is intended for distributed, multiple application server and machine environments. It supports single signon (SSO).

No action required
Encryption for Distributed Replication Service (Medium Priority) OK Data Replication Service(DRS) is not being used to exchange data among  appservers No action required
OK Encryption is enabled on Distributed Replication Service(DRS). This ensures that the data shared among appservers is encrypted.

No action required
Improvements Possible Encryption is disabled on Distributed Replication Service(DRS). The data shared among appservers is not encrypted.

Enable Encryption on DRS
Sample Applications (Medium Priority) Improvements Possible WebSphere Sample Applications are installed.

WebSphere Application Server ships with examples to demonstrate various parts of WebSphere Application Server. These samples are not intended for use in a production environment. Some of these samples can provide an intruder with information about your system.

Uninstall Sample Application(s): Application names
OK WebSphere Sample Applications are not installed

WebSphere Application Server ships with examples to demonstrate various parts of WebSphere Application Server. These samples are not intended for use in a production environment. Some of these samples can provide an intruder with information about your system.

No action required
Administrative User IDs (Medium Priority) Improvements Possible Global Security is not enabled, therefore no administrative ids are configured. Create a serverID as part of Enabling Global Security. Then configure additional administrative user ids to protect this server ID and enable more effective audit logging
OK Multiple Administrative user IDs are configured. When WebSphere security is enabled, a single security ID is initially configured as the Security Server ID. Configuring multiple administrative user ids can protect this server ID and enable more effective audit logging

No action required
Improvements Possible Multiple Administrative user IDs are not configured. When WebSphere security is enabled, a single security ID is initially configured as the Security Server ID. Configuring multiple administrative user ids can protect this server ID and enable more effective audit logging

Configure Additional Administrative User IDs

 

Extended Security Configuration Items Table

Security Configuration Item Name Possible values for Findings Value of Possible Action
Administrative Roles Global Security is not enabled, so no administrative roles are being used. WebSphere Application Server allows four administrative roles: Administrator, Operator, Monitor, Configurator. These roles make it possible to give individuals (and automated systems) access appropriate to their level of need.
Create an administrative role as part of Enabling Global Security, then create additional roles.
Multiple Administrative Roles are configured. WebSphere Application Server allows four administrative roles: Administrator, Operator, Monitor, Configurator. These roles make it possible to give individuals (and automated systems) access appropriate to their level of need.
No action required

Multiple Administrative Roles are not configured. WebSphere Application Server allows four administrative roles: Administrator, Operator, Monitor, Configurator. These roles make it possible to give individuals (and automated systems) access appropriate to their level of need.
Configure Additional Administrative Roles
WebContainer HTTPS Checker (Medium Priority) Only HTTP transport is defined between the webserver and the appserver. Communication between the webserver and appserver is over HTTP which is unencrypted and in clear text
Evaluate if HTTP transport is required for your environment. If sensitive information is being transmitted between the web server and the appserver, it is recommended to use HTTPS (SSL) transports between the web server and appserver
HTTPS transports are defined between the webserver and the application server. If you choose HTTPS transport, communication between the webserver and appserver is over HTTPS which is encrypted and secure
No action required
No transports are defined between the webserver and the appserver Set up HTTPS (SSL) transports between the webserver and appserver, in order to have the communication between webserver and appserver be encrypted
Java2 Security Global Security is not enabled, therefore Java2 Security is not being used. Java 2 security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions of installed applications before allowing them access to certain protected system resources such as file I/O, sockets, and properties.  Enable Global Security, create an appropriate Java2 Security policy for each of the installed applications and enable Java2 Security

If the applications being deployed are trusted, enabling Java 2 security might not be necessary
Java2 Security is enabled.

Java 2 security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions of installed applications before allowing them access to certain protected system resources such as file I/O, sockets, and properties.

No action required
Java2 Security is disabled. Java 2 security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions of installed applications before allowing them access to certain protected system resources such as file I/O, sockets, and properties.
Create an appropriate Java2 Security Policy file for each of the installed applications and enable Java2 Security

If the applications being deployed are trusted, enabling Java 2 security might not be necessary
In application "appName", the permission "All Permissions" is granted to codeBase, "codeBase"  This disables the access control mechanism provided by Java 2 Security for this application. The permission "All Permissions" is granted to WebSphere Application Server system applications such as adminconsole.ear and filetransfer.ear.

No action is necessary if application appName is provided with WebSphere Application Server.
If application appName is not a WebSphere Application Server system application, investigate if "All Permissions" is required, or whether a more restrictive set of permissions should be granted.


Trademarks

The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.


 

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

 

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.