Hardening security configurations
Several methods can be used to protect the WAS infrastructure and applications from different forms of attack, and a single technique often helps against more than one form. Conversely, a single attack can combine multiple forms of intrusion to achieve its end goal.
For example, in the simplest case, network sniffing can be used to obtain passwords and those passwords can then be used to mount an application-level attack.
The following issues are discussed in the IBM WebSphere Developer Technical Journal article WAS V5 advanced security and system hardening:
- Take preventative measures to protect the infrastructure.
- Make applications less vulnerable to attack.
- At a minimum, ensure administrative security is enabled in all WebSphere processes. This protects access to the administrative ConfigService interface and the managed beans (MBeans), which provide control over the WebSphere process and would hand that control to an attacker if they were compromised.
- Ensure SSL is used wherever possible, and mutual SSL wherever feasible. However, mutual SSL requires every client to present a trusted personal certificate in order to connect.
- Remove any unnecessary CA signer certificates from the trust stores.
- Change the default keystore passwords during or after profile creation using the AdminTask changeMultipleKeyStorePasswords command.
- Change the LTPA keys periodically. By default, this occurs automatically every 12 weeks. If you disable this automatic regeneration, remember to generate a new set of keys manually on occasion.
- Common Secure Interoperability version 2 (CSIv2) inbound Basic authentication is supported in this release of WAS, which means the authentication step is optional rather than required. Consider changing the default from 'supported' to 'required'.
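Several of the items above can be applied in one scripted pass with wsadmin. The following Jython script is an added example, not IBM's own code, and assumes a WAS release whose AdminTask provides the changeMultipleKeyStorePasswords, generateKeyForKeySetGroup and configureCSIInbound commands, that the keystores still use the profile default password "WebAS", and that the LTPA key set group is named NodeLTPAKeySetGroup (the stand-alone profile name; ND cells use a cell-scoped group).

```python
# Added wsadmin Jython example (not IBM's code). Run inside wsadmin with:
#   wsadmin -lang jython -f harden_was.py
# AdminTask/AdminConfig exist only inside wsadmin, so each step receives them
# as parameters; that also allows the logic to be exercised with fake objects.

DEFAULT_KEYSTORE_PASSWORD = 'WebAS'         # profile default that should be replaced
LTPA_KEY_SET_GROUP = 'NodeLTPAKeySetGroup'  # assumption: stand-alone profile group name
NEW_KEYSTORE_PASSWORD = 'REPLACE-WITH-NEW-PASSWORD'  # placeholder, set before running

def keystore_password_command(old_pw, new_pw):
    # Parameter string in the wsadmin '[-name value ...]' form.
    return '[-keyStorePassword %s -newKeyStorePassword %s]' % (old_pw, new_pw)

def harden_security(admin_task, admin_config, new_keystore_pw,
                    old_keystore_pw=DEFAULT_KEYSTORE_PASSWORD,
                    key_set_group=LTPA_KEY_SET_GROUP):
    """Apply the hardening steps in order; returns the list of actions taken."""
    actions = []
    # 1. Refuse to continue when administrative security is off: every later
    #    step assumes the admin interfaces (ConfigService, MBeans) are protected.
    if admin_task.isGlobalSecurityEnabled() != 'true':
        raise RuntimeError('administrative security is disabled; enable it first')
    actions.append('admin-security-verified')
    # 2. Replace the well-known default password on every keystore still using it.
    admin_task.changeMultipleKeyStorePasswords(
        keystore_password_command(old_keystore_pw, new_keystore_pw))
    actions.append('keystore-passwords-changed')
    # 3. Generate a fresh LTPA key set now (needed when automatic regeneration
    #    has been disabled).
    admin_task.generateKeyForKeySetGroup('[-keySetGroupName %s]' % key_set_group)
    actions.append('ltpa-keys-regenerated')
    # 4. Require, rather than merely support, CSIv2 inbound basic authentication.
    admin_task.configureCSIInbound('[-basicAuthentication Required]')
    actions.append('csiv2-basic-auth-required')
    # 5. Persist the configuration changes.
    admin_config.save()
    actions.append('config-saved')
    return actions

try:
    AdminTask  # defined only when this file runs inside wsadmin
except NameError:
    pass
else:
    harden_security(AdminTask, AdminConfig, NEW_KEYSTORE_PASSWORD)
```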
Tuning, hardening, and maintaining security configurations