
Proxy security level properties


These settings describe the attributes and policies that define the security level of a secured proxy server. The overall security level of the secured proxy server is set to the weakest level of security assigned to any of the individual settings.

To view this administrative console page, click Servers > Proxy Servers > myserver > Custom security settings. This panel is available only for a secure proxy server profile that has been registered with the AdminAgent.

Current security level

A qualitative security level based on an evaluation of the current security related configuration values.

The possible values for Current DMZ Security are high, medium and low. During creation of the secured proxy server, default configurations of high, medium and low are available. You can also customize these security settings, in which case the Current DMZ Security level is calculated by the system. Each custom setting has an assigned value of high, medium or low. The overall security level is equal to the value of the setting that is considered the least secure. For example, to have an overall security level of high, all settings must be configured to the values associated with a high level of security. If any of the settings are configured with a less secure value, the overall security level is the value of that setting.

Administration


Table 1. Administration options

Option | Used as the default value in the predefined security levels | Description
Local administration | The default value for the Medium and the High security levels | Administration of the secure proxy server can only be performed using wsadmin commands performed locally on the system.
Remote administration | The default value for the Low security level | Specifies that remote administration of the secure proxy server is permitted.

Routing


Table 2. Routing options

Option | Used as the default value in the predefined security levels | Description
Static routing | The default value for the High security level | The proxy server makes routing determinations from routing information based on flat files on the file system. This is for HTTP only.
Dynamic routing | The default value for the Low and the Medium security levels | The proxy server dynamically discovers the best route to a destination and distributes to servers with like protocols.

Start-up permissions


Table 3. Start-up permission options

Option | Used as the default value in the predefined security levels | Description
Run as an unprivileged user | The default value for the Medium and the High security levels | The server process reverts to a predefined unprivileged user after start-up has completed.
Run as a privileged user | The default value for the Low security level | The server process does not revert to an unprivileged user after start-up. The proxy server must start under a privileged user because it initializes privileged ports. Ports lower than 1024 are considered privileged ports. Under this setting, the effective user of the server process continues to be the privileged user. This setting does not provide additional hardening of the server process's access to local operating system resources. This is considered a low security level setting.

Custom Error Page Policy


Table 4. Error page options

Option | Used as the default value in the predefined security levels | Description
Local error page handling | The default value for the Low, the Medium and the High security levels | Specifies that error responses are generated from flat custom error page files stored on the local file system.
Remote error page handling | None | Specifies that error responses are routed to a remote custom application deployed on a back-end server. This application generates a custom response for the error.

 

Local error page handling

  • Handle errors generated by the proxy server

    Specifies if errors generated by the proxy server should be handled with the custom static error pages stored on the local file system. If this is not selected then the default error messages will be used instead of any custom error pages.

  • Handle errors generated by appservers

    Specifies if errors generated by the backend server should be handled with the custom static error pages stored on the local file system. If this is not selected then the default error messages will be used instead of any custom error pages.

  • Error mappings

    Error codes to match with specific static error pages stored on the file system. Use a relative file path under the configured static file document root to assign a custom error file to be used for a specific error code or group of error codes. The wildcard character, *, is used to assign error files to groups of error codes.

 

Remote error page handling

  • Error page generation application URI

    Specifies the URI for the custom error page generation application.

  • Handle errors generated by the proxy server

    Specifies if errors generated by the proxy server should be handled with the custom error application deployed on the appserver. If this is not selected then the default error messages will be used instead of any custom error pages.

  • Handle errors generated by appservers

    Specifies if errors generated by the backend server should be handled with the custom error application deployed on the appserver. If this is not selected then the default error messages will be used instead of any custom error pages.

  • Headers to forward to Error page Application

    List of the headers from the original request to forward to the error page generation application.

  • HTTP status codes that are to be recognized as errors

    Specifies a list of the status codes in a response that should be directed to the error page generation application.
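
The weakest-setting rule described under Current security level, applied to the options in Tables 1 to 4. This is an added example, not product code: the setting keys and option names are hypothetical, and each option's rating is an assumption inferred from the highest predefined level that uses it as a default. Remote error page handling has no rating on this page, so it is reported as unrated rather than guessed.

```python
# Added example: weakest-link evaluation of the four proxy security settings.
# Keys and option names are hypothetical; ratings are inferred from Tables 1-4
# (assumption: an option is rated at the highest predefined level using it).
ORDER = {"low": 0, "medium": 1, "high": 2}

RATINGS = {
    "administration": {"local": "high", "remote": "low"},
    "routing": {"static": "high", "dynamic": "medium"},
    "startup_user": {"unprivileged": "high", "privileged": "low"},
    # The page lists remote error page handling under no predefined level.
    "error_pages": {"local": "high", "remote": None},
}

def _level(setting, config):
    """Look up the rating of the option chosen for one setting."""
    choice = config[setting]  # KeyError if the setting is missing
    if choice not in RATINGS[setting]:
        raise ValueError(f"unknown option {choice!r} for {setting}")
    return RATINGS[setting][choice]

def evaluate(config):
    """Return (overall_level, weakest_settings, unrated_settings)."""
    levels = {s: _level(s, config) for s in RATINGS}
    unrated = sorted(s for s, lvl in levels.items() if lvl is None)
    rated = {s: lvl for s, lvl in levels.items() if lvl is not None}
    # The overall level is the least secure rating among the settings.
    overall = min(rated.values(), key=ORDER.__getitem__)
    weakest = sorted(s for s, lvl in rated.items() if lvl == overall)
    return overall, weakest, unrated

def changes_needed(config, target):
    """Settings whose current option is rated below the target level."""
    levels = {s: _level(s, config) for s in RATINGS}
    return sorted(s for s, lvl in levels.items()
                  if lvl is not None and ORDER[lvl] < ORDER[target])

# Constructed configurations: the three predefined levels per Tables 1-4,
# plus one custom mix.
PREDEFINED = {
    "high": dict(administration="local", routing="static",
                 startup_user="unprivileged", error_pages="local"),
    "medium": dict(administration="local", routing="dynamic",
                   startup_user="unprivileged", error_pages="local"),
    "low": dict(administration="remote", routing="dynamic",
                startup_user="privileged", error_pages="local"),
}
CUSTOM = dict(administration="local", routing="static",
              startup_user="privileged", error_pages="remote")

if __name__ == "__main__":
    for name, cfg in {**PREDEFINED, "custom": CUSTOM}.items():
        print(name, evaluate(cfg), changes_needed(cfg, "high"))
```

With the custom mix, a single low-rated choice (running as a privileged user) sets the overall level to low even though administration and routing use their high-level options.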





 

Related concepts


WebSphere DMZ Secure Proxy Server for IBM WAS
DMZ Secure Proxy Server for IBM WAS start up user permissions
DMZ Secure Proxy Server for IBM WAS routing considerations
DMZ Secure Proxy Server for IBM WAS administration options
Error handling security considerations for the DMZ Secure Proxy Server for IBM WAS

 

Related tasks


Tuning the security properties for the DMZ Secure Proxy Server for IBM WAS