WebSphere Security Hardening

+

Search Tips   |   Advanced Search


WebSphere Security Hardening

Environment
Task Resource Status Cfg Syst PreProd Prod Notes
Put the Web server in the DMZ without WAS


Comp Comp Comp
Separate our production network from our intranet


Comp Comp Comp
Do not put ODR in the DMZ






Use HTTPS from the browser


Comp Comp Comp
Apply latest patches and fixes


Pend Pend Pend
Enable application security






Liberty profile: ldapRegistry vs quickStartSecurity vs. basicRegistry






Restrict access to WebSphere MQ messaging






Harden the Web server and host






Harden proxies






Certificate validation






Don't run samples in production






Protect configuration files and private keys






Encrypt WAS to LDAP link






Ensure LTPA encryption keys are changed periodically






Don't specify passwords on the command line






Use more salt for file-based VMM passwords






Use longer key lengths for generated certificates






Create separate administrative user IDs






Leverage administrative roles






Encrypt Web server to Web container link






Encrypt WebSphere MQ messaging links






Encrypt distribution and consistency services (DCS) transport link






Protect application server to database link






Restrict cookies to HTTP only






Train users to properly understand certificate warnings






Limit size of HTTP data






Carefully limit trusted signers






Enforce CSIv2 transport SSL use






Port filtering






SSL Hostname verification on outbound SSL connection






Disable unused ports






Disable password caching






Infrastructure-based preventative measures






Enable security integration






Use available authentication data for unprotected URIs






Restrict cookies to HTTPS sessions






Set X-Frame-Options to SAMEORIGIN






Configure portal to run as a non-privileged account






Block public internet access to administrative pages






Prevent HTTP TRACE requests to the server






Redirect IIS home to portal






Secure LtpaToken2 cookie






IBMJCE setup






Custom error pages






Protocol and cipher suites restrictions: IIS






Protocol and cipher Suites restrictions: WAS






Remove JREs left by web server and plug-in installers






Only accept requests from known Web servers






Trust association interceptors






Enable FIPS 140-2 or SP800-131 compliance







Put the Web server in the DMZ without WebSphere Application Server

In a typical DMZ configuration, there is an outer firewall, the DMZ network containing as little as possible, and an inner firewall protecting the production internal network.

  1. Inbound network traffic from outside is terminated in the DMZ.
  2. Limit the type of traffic and number of open ports from the DMZ to the intranet.
  3. Harden components running in the DMZ. Follow the principle of least function and low complexity.

Place Web servers and secure proxy servers in the DMZ. Place WAS application servers inside the inner firewall. The only port that must be opened on the inner firewall is the HTTP(S) port for the target application servers.


Separate production network from intranet using firewalls

Separate production networks from internal network using firewalls.


Do not put the ODR in the DMZ

WAS V8.5 includes the on demand router (ODR), previously only available in WebSphere eXtreme Scale. Placement of the ODR in the DMZ is not supported.

The figure above shows the placement of the Java-based ODR server, and contrasts that with the on demand routing abilities available with the Application Optimization (AO) feature of IBM DataPower SOA Appliances. While the Java ODR is not to be placed in the DMZ, the DataPower SOA appliance is a hardened device suitable for placement in the DMZ.


Use HTTPS from the browser to the web server

HTTPS is encrypts passwords, user activities, session cookies, and LTPA security cookies.


Apply latest patches and fixes

Review latest fix packs for WAS.

Monitor the security bulletin site.

See WAS security.


Enable application security

By default, WAS full profiles are defined with administrative security enabled. Administrative security encrypts WAS internal links between the deployment manager and the application servers, and traffic from the administrative clients (Web and command line) to the deployment manager.

To enable application security, go to the global security panel and select...

Enabling application security alone does not make applications secure. It merely makes it possible for applications to leverage security features provided by the application server (including Java EE security).

In a V8.5 Liberty profile, application security is enabled by including the appSecurity-1.0 element to the profile's server.xml file.


Liberty profile: ldapRegistry vs quickStartSecurity vs. basicRegistry

To support developers who want to test that their application works with security, a quickStartSecurity registry can be used containing a single userid with a password. The basicRegistry permits multiple users and groups to be defined. Both these security registries are contained within server.xml.

Beyond testing environments, Liberty profiles should be configured to use the ldapRegistry feature.


Restrict access to WebSphere MQ messaging

WebSphere MQ by default does not perform any user authentication when using client/server mode. When we specify a user ID and password on the connection factory for WebSphere MQ, those values are ignored by WebSphere MQ.

One option is to implement a custom WMQ authentication plug-in on the WebSphere MQ server side to validate the user ID and password sent by WAS. A second, and likely simpler technique is to configure WebSphere MQ to use SSL with client authentication and then ensure that only the WAS server possesses acceptable certificates for connecting to WebSphere MQ.

To properly harden WebSphere MQ, substantial additional steps are required.


Harden the Web server and host

See Apache hardening information and Building Secure Servers with LINUX.

There are two ways that a Web server can be managed:


Harden proxies

Secure proxies are typically not appropriate for proxying Web services traffic because they cannot block the types of threats that are possible when transmitting XML. To provide secure Web services, or any XML-based protocol, use an XML firewall such as WebSphere DataPower.


Certificate revocation

To revoke compromised certificates, we can use...

Online Certificate Status Protocol (OCSP) Requires setting additional system properties, as documented in the Java Certification Path API Programmer's Guide
Certificate Revocation List (CRL) Found via a single end point or distribution point information embedded in the certificate.
Self Signed Certificates To revoke, delete the corresponding signer.

The Liberty profile does not support OCSP or Certificate Revocation List.


Certificate validation

Web servers validate certificates sent by web clients. The web server plug-in forwards certificate information from the Web server to the application server. The information forwarded is used to map certificates to a Java EE identity. Alas, the information is just a description of the certificate (information available in the public certificate). If an intruder can connect directly to the Web container, bypassing the Web server, the intruder could forge certificate information and trick the runtime, enabling them to become anyone. To block this vulnerability there are two cases to consider.

To configure the Liberty web container to ignore certificate headers from clients, include the webcontainer trust element to the profile's server.xml file...

To support certificate authentication to the Web server and the Web container, a custom TAI or application code will need to be developed to leverage IBM specific features that make it possible for code running in the Web container to determine if the certificate information available via the Java EE APIs is that of someone connecting directly to the Web container (and thus trustworthy) or derived from HTTP headers (in which case not inherently trustworthy).


Don't run samples in production

Samples bundled with WAS are not intended for use in a production environment. In particular, the snoop servlet can provide a lot of information about our system. The server1 application server by default contains the samples.


Protect configuration files and private keys

During development, maximum security is neither necessary nor productive. During production, we lock down WAS as much as possible.

Limit file system access to WAS's files by leveraging operating system file permissions. In general, almost no one should have read or write access to most of the WAS information. In particular, the WAS configuration files (<root>/config) contain configuration information as well as passwords.

Password encryption for WebSphere security files

We can configure our own custom password encoder to whatever protection we deem appropriate. To do this we implement the plugin interface...

...and then specify two custom security properties in security.xml. We can also set these in PropFilePasswordEncoder.bat. The two properties are:

Encrypting these WAS passwords may not provide any meaningful protection over and above what is provided by encoding. If someone has access to the file containing the passwords, neither encoding nor encryption prevents someone for accessing the password. Anyone with file access to the encrypted password still has access to the raw password. That's because the key/certificate used for encryption must be stored on the file system so that the WAS process can decrypt the password and send it to wherever it is needed. Anyone with access to the file system has access to both the file with the (encrypted) passwords and the keys, which can then be used to decrypt the password.

Avoid incidental sharing of these keys. For example, do not use the same keys in production as in other environments. Many people will have access to development and test machines and their private keys. Guard the production keys carefully.

If we do not carefully control who has write access to the file system, a user can subvert the product security controls (such as auditing) by simply hand editing the configuration files.


Encrypt WAS to LDAP link

When using an LDAP registry, WAS verifies a user's password using the standard ldap_bind. This requires that WAS send the user's password to the LDAP server. If that request is not encrypted, a hacker could use a network sniffer to steal the passwords of users authenticating (including administrative passwords!). Most LDAP directories support LDAP over SSL, and WebSphere Application Server can be configured to use this.

  1. Create a new SSL configuration just for LDAP.

  2. On the LDAP user registry panel, check the option...

      SSL enabled

  3. Place the signing key for the LDAP server's certificate into the trust store.

To enable LDAP SSL for the Liberty profile, include elements in the server's server.xml...


Ensure LTPA encryption keys are changed periodically

WAS encrypts various user tokens (including the LTPA cookie) using what are known as the LTPA encryption keys. As with any cryptographic keys, these should be changed periodically. Depending on our WAS version and patch level, automatic key generation might be on or off by default; the more recent the version, the more likely it is off by default. To avoid possible outages, ensure that this feature is off.

LTPA keys are generated when security is enabled for a Liberty server for the first tie.

We should ensure that our LTPA keys are changed periodically. For full profiles, we can do this by either enabling the automatic LTPA key replacement, or we can manually regenerate the keys or via the commands...

For the Liberty profile, create a new profile, enable security, start the server, then copy the newly generated ${server.config.dir}/resources/security/ltpa.keys file.

Make sure that we consider the problems of LTPA keys becoming inconsistent:

Therefore, plan to change our LTPA keys during a scheduled outage. Distribute the new keys to all nodes in the cell, and to all external systems/cells during this outage window.

Do not enable automatic LTPA key updates...

Manually generate new LTPA keys


Don't specify passwords on the command line

Once security is enabled, the WAS administrative tools require that we authenticate in order to function. The obvious way we would think to do this is to specify the user ID and password on the command line as parameters to the tools. Do not do this. This exposes our administrative password to anyone looking over our shoulder. And, on many operating systems, anyone that can see a list of processes can see the arguments on the command line. Also, previous commands are visible in the command history, including those password arguments. Instead, we should ensure that the administrative tools prompt for a user ID and password. Be aware that in all currently supported versions of WebSphere Application Server this is the default, so no explicit actions are needed to insure that this occurs.

If we find it annoying that the command line tools prompt graphically for a user ID and password, we can override this behavior and force the tools to use a simple text-based prompt. To do this, we must change the loginSource from prompt to stdin by editing the appropriate configuration file. By default, the administrative tools use SOAP and thus the soap.client.props file should be edited. If we are using RMI, edit sas.client.props. Look for the loginSource property in the appropriate file and change it to specify stdin.

This item does not apply to the Liberty profile in V8.5.


Salt the file-based Federated Repository registry

Users in a Federated Repository registry and the built-in file repository have their userids and passwords stored in...

These passwords are one-way hashed, which means that we cannot derive the actual password from the hashed value. The hashes are computed with some cryptographic salt. In WAS V8.0 and 8.5 it is possible to specify the length of that salt and the hashing algorithm used. This file should be protected by OS-defined access control lists so only privileged OS users should be able to read the file. To prevent against password cracking attacks via rainbow tables, consider increasing the amount of salt or using a stronger hashing function.

This item does not apply to the Liberty profile in V8.5.


Use longer key lengths for generated certificates

In WAS V8.0 the default key length used for generated certificates changed from 1024 to 2048. The admin console supports choosing the key length. The supported key length range is 512-16384 (must be a multiple of 8).

This item does not apply to the Liberty profile in V8.5.


Create separate administrative user IDs

When security is configured (except for Liberty profiles), a single primary administrative ID is initially configured. This ID is effectively the equivalent of root in WAS and can perform any administrative operation. Ideally, this ID should not be used after initial configuration.

To specify additional users or groups that should be granted administrative authority, go to the system administration console Users (or Groups) section. Each individual person can authenticate as himself or herself when administering WAS. All administrative actions that result in changes to the configuration of WAS are audited by the deployment manager, including the identity of the principal that made the change. Use the auditing framework to provide detailed information on administrative actions. Audit records are more useful if each administrator has a separate identity.

The approach of giving individual administrators their own separate administrative access can be particularly handy in an environment where central administrators administer multiple WAS cells. We can configure all of these cells to share a common registry, and thus the administrators can use the same ID and password to administer each cell, while each cell has its own local "root" ID and password.

The primary administrative ID should not be confused with the security server ID, which is used for server to server communication. The server ID does not have to exist in the registry, or even have a password. By default, the server ID is only used for internal communication. We can specify a server ID and password if needed, however this is not recommended except when absolutely necessary, for example, when working with a mixed version cell (including V6.0 and earlier) or cross cell SSO with V6.0 or earlier


Leverage administrative roles

The full (non-Liberty) profiles of WAS allows for a variety of administrative roles depending on the version: Administrator, Operator, Monitor, Configurator, AdminSecurityManager, iscadmins, Deployer, Auditor. These roles make it possible to give individuals (and automated systems) access appropriate to their level of need. For example, we can give the less senior administrators just the ability to start and stop servers and the night operators just the ability the watch the system (monitor).

Three interesting roles:

This item does not apply to the Liberty profile in V8.5. The Liberty profile has only a single Administrator security role to which multiple principals can be bound.


Encrypt Web server to Web container link

Even if we have chosen not to authenticate the link from the Web server to the Web container, we might want to consider encrypting it. The Web server plug-in transmits information from the Web server to the Web container over HTTP. If the request arrived at the Web server using HTTPS, the plug-in will forward the request on using HTTPS by default. If the request arrived over HTTP, HTTP will be used by the plug-in. These defaults are appropriate for most environments. There is, however, one possible exception.

In some environments, sensitive information is added to the request after it has arrived on the network. For example, some authenticating proxy servers (such as WebSEAL) augment requests with password information. Custom code in the Web server might do something similar. If that's the case, we should take extra steps to protect the traffic from the Web server to the Web container.

To force the use of HTTPS for all traffic from the plug-in, simply disable the HTTP transport from the Web container on every application server and then regenerate and deploy the plug-in. We must disable both the WCInboundDefault and the HttpQueueInboundDefault transport chains. Now, the plug-in can only use HTTPS and so it will use it for all traffic regardless of how the traffic arrived at the Web container.

To ensure HTTPS only to the Web container in the Liberty profile, include an httpEndpoint element in the server's server.xml that includes an httpsPort attribute, but does not include an httpPort attribute...


Encrypt WebSphere MQ messaging links

If we are using WebSphere MQ rather than the default messaging provider, we should of course use SSL to WebSphere MQ. See Related topics for more information on that. In WAS V7, WebSphere MQ client SSL configuration is a first class construct and can be done using the admin console much like other SSL configuration.

This item does not apply to the Liberty profile in V8.5.


Encrypt distribution and consistency services (DCS) transport link

Core groups rely on DCS, which uses a reliable multicast message (RMM) system for transport. RMM can use one of several wire transport technologies. Depending on our environment, sensitive information might be transmitted over DCS. For example, data in DynaCache and the security subject cache are transmitted using DCS. To ensure this, select a transport type of channel framework and DCS-Secure as channel chain for each core group

Be aware that DCS always authenticates messages when global security is enabled. Once the transport is encrypted, we then have a highly secure channel.

Once we have done this, all services that rely on DCS are now using an encrypted and authenticated transport. Those services are DynaCache, memory-to-memory session replication, core groups, Web services caching, and stateful session bean persistence.


Protect application server to database link

Just as with any other network link, confidential information can be written to or read from the database. Most databases support some form of network encryption and we should leverage it.

Here is an IBM DB2 example.

This item does not apply to the Liberty profile in V8.5.


Restrict cookies to HTTP only

If hackers are able to compromise a Web application by inserting malicious JavaScript into the browser (this is commonly known as cross-site scripting), then they can do any number of malicious actions and the application is essentially compromised. One of the many malicious things they can do is steal sensitive cookies such as the LTPA cookie. Most recent Web browsers support a concept known as HTTP Only cookies.

WAS provides two ways to ensure that the LTPA cookie is marked as HTTP Only. The first way is enabled by setting this security custom property to true:

This feature only protects the LTPA cookie with the HTTP Only flag. For a properly written application that leverages Java EE security and enables session security (discussed later), that should be sufficient.

A second feature, also shipped in fixpack 7.0.0.9, makes it possible to set the HTTP Only flag on arbitrary cookies. This feature is preferable to the first feature as it is more flexible and more complete. With this APAR, the cookies to protect are controlled by a Web container property, com.ibm.ws.webcontainer.httpOnlyCookies. That property is a comma separated listed of cookies to protect (with * indicating all cookies). In V7.0 (with 7.0.0.9 applied) this feature is disabled by default. To exploit it, we must explicitly set the property. In both versions 8.0 and 8.5 this attribute is enabled by default for the LtpaToken2, JSESSIONID, and WASReqUrl cookies, and no further action is required unless we want to apply it to other cookies. Be aware that users migrating from earlier versions might experience application breakage as a result of this change in default behavior.

By default, the LtpaToken2 (SSO), and the WASReqURL cookies are set to be HTTP only in the Liberty profile. To explicitly set this in the server's server.xml, include a webAppSecurity element that includes an httpOnlyCookies attribute...

By default, the HTTP session is also set to be HTTP only in the Liberty profile. To explicitly set this in the server's server.xml, include an httpSession element that includes an cookieHttpOnly attribute, such as that shown in the example in Listing 8.

Listing 8. Restricting HTTP Session cookies to HTTP only in Liberty

Caution: While these features may seem to be a solution for cross-site scripting, they are not. If a hacker can execute arbitrary code in our browser, he can do far more damage than just steal our cookies. They can actually see everything on the browser screen and capture every key stroke -- far more disturbing than stealing a cookie.


Train users to properly understand certificate warnings

When using SSL for communication, a key element of the secure exchange is validation of the server's certificate against the client trust store. Should the server present a certificate that is not trustworthy because the corresponding signer is not in the trust store, most clients (Web browsers, SSH, wsadmin, and so on) will prompt the user to decide what to do. These clients typically warn the user about the unknown certificate and present a fingerprint (typically SHA) for the certificate and ask should I trust this? Unfortunately, most users blindly click yes. That's a terrible decision. If we do this, we have no idea what server we are talking to. And, in the case of WebSphere Application Server administrative clients, the next thing we will do is send our administrative user ID and password to an unknown source.

Instead, administrators (and ideally end users) should examine the fingerprint information and determine if it is the correct fingerprint. The admin tools provide a way to see the fingerprint for certificates. Selecting a personal certificate in the admin console displays its fingerprint.

Users (particularly administrators) should be made aware of the fingerprint information and then, ideally, should validate it when prompted by a client, be it a Web browser or wsadmin.

Web server certificate warning, Part 1

Web server certificate warning, Part 2

wsadmin certificate warning... 

./wsadmin.bat
*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host localhost is not found in trust store 
	C:/IBM/WebSphere/AppServer/profiles/AppSrv02/etc/trust.p12
Here is the signer information (verify the digest value matches what 
	is displayed at the server):
Subject DN:    CN=keysbotzum, O=IBM, C=US
Issuer DN:     CN=keysbotzum, O=IBM, C=US
Serial number: 1151337276
Expires:       Tue Jun 26 11:54:36 EDT 2007
SHA-1 Digest:  53:43:75:86:A8:C3:55:15:98:35:54:E7:49:B7:15:AF:16:A9:53:6F
MD5 Digest:    29:36:B1:9C:22:5A:36:AD:78:B3:7E:FD:D3:B1:B4:19
Add signer to the trust store now? (y/n)<

Even if we don't follow this advice, at least when we get this challenge the first time, import the certificate into the client trust store. If we get message again, find out why! The prompt should not happen again until the certificate is changed. If we get that prompt unexpectedly, something could be terribly wrong.


Limit size of HTTP data

A common Denial Of Service (DOS) attack is to send an application very large HTTP headers, a large number of HTTP headers, or a large request body. We strongly believe in defense in depth. Ideally, an intrusion detection system, a firewall, a WebSphere DataPower SOA Appliance, or even the web server in front of the application server should be protecting our WAS from these size-based HTTP attacks. There are also controls in WAS to protect itself from these kinds of attacks.

The default maximum size of any single HTTP header is 32768 bytes. This can be set to a different value.

The default maximum number of HTTP headers is 50. This can be set to a different limit.

Another common DOS attack is to send a request resulting in a long running GET request. The ServerIOTimeoutRetry property in the WebSphere Application Server Plug-in can limit the number of retries on any request. This can reduce the effect of such a long running request. See the Information Center for details.

If we wish to limit the maximum size of any request body, this can also be set. For details, see the Information Center


Carefully limit trusted signers

When using certificate authentication (client or server), we need to understand that each signer in the trust store represents a trusted provider of identity information (a certificate). We should trust as few signers as possible. Otherwise, it is possible that two signers might issue certificates that map to the same user identity. That would create a serious security hole in our architecture.

We should review the trust stores on the clients and servers and remove any signers which are not needed. By default, the trust stores contain far fewer trusted signers than in previous releases, in keeping with the goal of being secure by default. There are, however, still a few signer issues we might wish to address:


Hostname verification on outbound SSL connections

When an SSL client opens an SSL connection to an SSL server, the server sends its certificate to the client. The expectation is that the SSL server's certificate will contain the hostname in its common name. Some clients confirm the common name on the certificate presented matches the hostname in the URL (for example, web browsers perform this check). This is called hostname verification.

In certain situations, a failure of this verification can be indicative of an SSL man-in-the-middle attack:

To enable hostname verification, set security custom property...

The hostname verification is performed as required by RFC 2818 Section 3.1 Server Identity...

Considerations when this property is set:

In other words, while enabling this property can strengthen our security posture against man-in-the-middle attacks, our SSL certificates and hostname resolution must be impeccable. If it is not, our cell might no longer communicate over SSL because the internal communications might fail hostname verification.


Enforce CSIv2 transport SSL use

(This item is addressed by default in V8, which is a change in behavior. As such, users migrating from earlier versions of WebSphere Application Server who had not enabled CSIv2 SSL should be aware that SSL authentication failures can result in V8 as a result.)

When WAS servers and clients communicate using CSIv2 IIOP, they negotiate the transport security. Whatever is acceptable to both parties is chosen. Generally, that is fine, but we should be aware of one potential weakness. WAS supports CSIv2 over SSL or clear text. By default, both parties will typically negotiate to use SSL, thus ensuring an encrypted communication channel. However, if either party in the negotiation requests clear text, then clear text will be used. We might not even realize our traffic is being sent in the clear! This might happen, for example, if a client was mis-configured. To guarantee that traffic is encrypted (and we should), it is safer to ensure that SSL is always used.

We can ensure that SSL is used for IIOP by indicating that it is required, and not optional, on the CSIv2 inbound transport panel. We should do the same for the CSIv2 Outbound Transport

This item does not apply to the Liberty profile in V8.5, since there is no support for EJBs or for CSIv2.


Port filtering

We can limit who can connect based upon network information. Most of the transports in WAS (with the exception of IIOP) leverage the Channel Framework, which in turn makes it possible to filter inbound traffic based on IP address or DNS name using an inclusion or exclusion list.

Note that IP address forgery is a fairly easy thing to do, and so relying on IP addresses for security is unwise. It is particularly unwise to filter based on IP address at the application layer. Firewalls and switches are better equipped to recognize when packets are coming from IP addresses that could not be valid. They can also check MAC addresses.


Disable unused ports

To minimize the attack surface for potential attacks, we disable unused ports.

Potential candidates...

SAS_SSL_SERVERAUTH_LISTENER_ADDRESS Used for compatibility with WAS V4 and earlier releases. This is the old IIOP security protocol. CSIv2 replaces it as of V5.
SIB_ENDPOINT_* Used by the built-in messaging engine. If we aren't using messaging, then we don't need either.
SIB_MQ_* Used by the messaging engine when connecting with WebSphere MQ.
SIP_* Used by the SIP container.
WC_adminhost* Used for administrative Web browser access. If our application server is not a deployment manager, we should disable these ports. Most application server Web containers are listening on two administrative ports even though there is no administrative application on those servers. This is because servers are usually created based on the server1 template that includes those ports. Disable or remove those ports from all of our application servers.
WC_defaulthost* Default Web container listening ports. Not required if we have custom listener ports.

Different ports require different techniques for disabling them depending on how they are implemented:

Caution: Use extreme care when determining which ports to disable and when actually disabling them. Otherwise, we might inadvertently disable one of the administrative ports, which will leave we without a mechanism to administer the process -- short of deleting and recreating the process (for example, server) definition.


Disable password caching

When password based authentication occurs, the runtime caches the password as a one way hash for future validation. Since the hash is not reversible, there is no danger in the password being captured (even from a memory dump) but this cache does have implications. When future requests arrive that require authentication, and they use the same user ID and password combination, the cached password data (and user information) will be used. This means that if a user's password is changed in the registry, he will still be able to authenticate using the old password until the cache expires (10 minutes by default).

Some consider this to be a security vulnerability. We can disable password caching with the JVM level property setting of...

Once set, passwords will no longer be cached and all password authentications will result in a query of the registry. Keep in mind that this can have significant negative performance implications. If we are using a protocol that is stateless and authenticates on every request (such as WS-security with UserNameTokens), this can generate heavy registry authentication traffic.


Enable security integration

To enable session security integration, in the WebSphere Integrated Solutions Console, click...

By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, you must apply unlimited jurisdiction policy files.


Use available authentication data for unprotected URIs

Enable WAS to create a security context on requests to unprotected URIs if valid credentials such as an LtpaToken or LtpaToken2 cookie are available on the request:


Restrict cookies to HTTPS sessions

Go to...

...and enable "Restrict cookies to HTTPS sessions"

Firebug will show whether this is enabled via the isSecure data in the cookie.

After setting, connect to portal using the HTTPS protocol. Using HTTP protocol will throw permission exceptions when using portlets such as the WCM authoring portlet and the Manage Pages portlet.


Set X-Frame-Options to SAMEORIGIN

To avoid clickjacking attacks, and ensure that content is not embedded into other sites, we disallow browsers from rendering pages in a <frame>, <iframe> or <object>.

  1. On each IIS web server host, go to...

      Control Panel | System and Security | Administrative Tools | Internet Information Services Manager

  2. From IIS Manager, select...

      Sites | Default Web Site | HTTP Response Headers | Add

  3. Set...

    Once saved, changes are written to web.config... 

      <system.webServer>
  ...

  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>

  ...
</system.webServer>

  4. Restart IIS to load change.

    Open a 'cmd" prompt as an administrative user

    ...and run...

      iisreset

  5. Use Firebug to verify setting.

    See also: Mitigating framesniffing with the X-Frame-Options header


Configure portal to run as a non-privileged account

  1. Create service account, for example, SERVICE-PORTAL, on local machine or domain.

  2. Set folder permissions for the new account.

    1. Right-click on the C:\IBM folder, and select...

        Properties | Security Tab | Edit button Add

    2. Enter account name, then select Accept

    3. On return to the security tab, select...

        Account | Access

    4. Grant Full Control and Inherit to all child files and directories

  3. Update Portal Windows services with service account and password

    1. Stop all IBM WAS services

      For standalone services this will be the singled IBM Portal Windows service, for a cluster this will be the DMGR, search, node agent and the IBM Portal Windows Services

      • DMGR Node Services

      • Portal Node(s)

    2. In Service applet select the IBM service properties, the select "Log On" tab, and provide service account name and password. For the first service you will be prompted for allowing the account to run as a service, select okay.

    3. Provide service credentials

    4. Accept "Grant Log On As A Service" right

    5. Restart each service


Block public internet access to administrative pages

Public internet requests go through load balancer, to web server, to portal. With this procedure we block access to administrative pages from the web server level. Direct requests to portal administrative pages will still be successful.

  1. Log on to the Web server computer as an administrator.

  2. Install URLRewriteModule feature

    To install Microsoft URL Rewrite Module 2.0 for IIS 7:

      msiexec /I rewrite_amd64

    To uninstall, right-click on rewrite_amd64, then choose uninstall

  3. Correct the load order of IIS modules

    1. Make a copy of applicationHost.config

    2. Edit applicationHost.config

        notepad C:\Windows\System32\inetsrv\config\applicationHost.config

    3. Search for RewriteModule in the <GlobalModules> section, and move the line to be above the IsapiFilterModule module.

    4. Save the file.

    5. Restart IIS

  4. Open Internet Services Manager

      Start | Settings | Control Panel | Administrative Tools | Internet Services Manager

  5. Go to the Server view

  6. Click...

  7. Examples of pages to block...

      */04_Sj9CPykssy0xPLMnMz0vMAfGjzOKd3R09TMx9DAwMLIzMDTzNff1DPXwCDN39zfQLsh0VAd7eW54!/*
      *Administration*

    The first, obfuscated URL context, goes to an administrative page. This URL context is the same across all portal environments.

    No IIS restart is required.

  8. Verify page is blocked. For example.

      https://myhost:7443/Administration
      https://myhost:7443/wps/portal/Administration


Prevent HTTP TRACE requests to the server

Perform the following to update request filtering to deny the verb for TRACE...

  1. Open Internet Information Services Manager...

      Control Panel | System and Security | Administrative Tools

  2. Double-click Request Filtering.

  3. In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb... in the Actions pane.

  4. In the Deny Verb dialog box, enter the HTTP verb to block, and then click OK.

    To prevent HTTP TRACE requests to the server, enter "TRACE" in the dialog box.


Redirect IIS home requests to portal

Edit...

..and add the following after the <head> tag.

Prod... 

<!-- Pleace this snippet right after opening the head tag to make it work properly -->

<!-- This code is licensed under GNU GPL v3 -->
<!-- We are allowed to freely copy, distribute and use this code, but removing author credit is strictly prohibited -->
<!-- Generated by http://insider.zone/tools/client-side-url-redirect-generator/ -->

<!-- REDIRECTING STARTS -->
<link rel="canonical" href="https://myportal.state.gov/wps/portal"/>
<noscript>
        <meta http-equiv="refresh" content="0;URL=https://myportal.state.gov/wps/portal">
</noscript>
<!--[if lt IE 9]><script type="text/javascript">var IE_fix=true;</script><![endif]-->
<script type="text/javascript">
        var url = "https://myportal.state.gov/wps/portal";
        if(typeof IE_fix != "undefined") // IE8 and lower fix to pass the http referer
        {
                document.write("redirecting..."); // Don't remove this line or appendChild() will fail because it is called before document.onload to make the redirect as fast as possible. Nobody will see this text, it is only a tech fix.
                var referLink = document.createElement("a");
                referLink.href = url;
                document.body.appendChild(referLink);
                referLink.click();
        }
        else { window.location.replace(url); } // All other browsers
</script>
<!-- Credit goes to http://insider.zone/ -->
<!-- REDIRECTING ENDS -->

Syst... 

<!-- Pleace this snippet right after opening the head tag to make it work properly -->

<!-- This code is licensed under GNU GPL v3 -->
<!-- We are allowed to freely copy, distribute and use this code, but removing author credit is strictly prohibited -->
<!-- Generated by http://insider.zone/tools/client-side-url-redirect-generator/ -->

<!-- REDIRECTING STARTS -->
<link rel="canonical" href="https://myportalsupport.state.gov:7443/wps/portal"/>
<noscript>
        <meta http-equiv="refresh" content="0;URL=https://myportalsupport.state.gov:7443/wps/portal">
</noscript>
<!--[if lt IE 9]><script type="text/javascript">var IE_fix=true;</script><![endif]-->
<script type="text/javascript">
        var url = "https://myportalsupport.state.gov:7443/wps/portal";
        if(typeof IE_fix != "undefined") // IE8 and lower fix to pass the http referer
        {
                document.write("redirecting..."); // Don't remove this line or appendChild() will fail because it is called before document.onload to make the redirect as fast as possible. Nobody will see this text, it is only a tech fix.
                var referLink = document.createElement("a");
                referLink.href = url;
                document.body.appendChild(referLink);
                referLink.click();
        }
        else { window.location.replace(url); } // All other browsers
</script>
<!-- Credit goes to http://insider.zone/ -->
<!-- REDIRECTING ENDS -->


Secure LtpaToken2 cookie

Set secure flag for LtpaToken2 cookie...

  1. Enable...

      Security | Global Security | Web and Sip Security | Single Sign-On | Requires SSL

  2. Save changes. Sync nodes.

  3. Restart the DMGR, nodeagent(s) and Portal server(s).

  4. Chrome Devtools now shows LtpaToken2 as Secure...

To limit the HTTP Session cookie SSL only in the Liberty profile, include an httpSession element in the server's server.xml that includes the cookieSecure attribute...


IBMJCE setup

For each node, enable IBMJCE Random number generation algorithm...

Edit...

Go to below section in the file...

...and add the second line, and change the line numbers starting from third line. After changes done this section should look like below.

Restart the WebSphere Portal Server


Portal and IIS custom error pages

  1. Overview
  2. Set up error handling in Portal
  3. Customize the error page for WCM portlets
  4. Set up error handling in IIS
  5. Error Code Summary


Overview

This section describes adding custom error handling for a web application. We are configuring HTTP error code handling on both the portal and web server levels. URIs with an /wps portal root context, such as...

...will be served a custom error page via from WAS. However, URIs that do not include portal root context, for example...

...will be processed on the web server (IIS)..


Set up error handling in Portal

  1. Extract and backup wps.ear...

      cd C:\IBM\WebSphere\wp_profile\bin
      wsadmin.bat -user wpsadmin -password mypwd -c "$AdminApp export wps C:/scratch/wps.ear"
      cd c:\scratch
      copy wps.ear wps.ear.orig

    If you are deploying from a source to a target environment, you do not need to expand and edit wps.ear. Just copy exported ear to target system, then do import.


  2. Expand the wps.ear...

      C:\IBM\WebSphere\wp_profile\bin\EARExpander.bat -ear wps.ear -operationDir c:/scratch/wps -operation expand -expansionFlags all

    ...and navigate to

      c:/temp/wps/wps.war/WEB-INF/


  3. Edit both web.xml and web_merged.xml, and in each set... 

      <mime-mapping>
    <extension>png</extension> 
<mime-type>image/png</mime-type>
</mime-mapping> 
<error-page>
    <error-code>404</error-code> 
    <location>/html/error404.html</location>
</error-page>
<error-page>
    <error-code>400</error-code> 
    <location>/html/error400.html</location>
</error-page>
<error-page>
    <error-code>401</error-code> 
    <location>/html/error401.html</location>
</error-page>
<error-page>
    <error-code>403</error-code> 
    <location>/html/error403.html</location>
</error-page>
<error-page>
    <error-code>406</error-code> 
    <location>/html/error406.html</location>
</error-page>
<error-page>
    <error-code>429</error-code> 
    <location>/html/error429.html</location>
</error-page>
<error-page>
    <error-code>500</error-code> 
    <location>/html/error500.html</location>
</error-page>
<error-page>
    <error-code>501</error-code> 
    <location>/html/error501.html</location>
</error-page>
<error-page>
    <error-code>502</error-code> 
    <location>/html/error502.html</location>
</error-page>
<error-page>
    <error-code>503</error-code> 
    <location>/html/error503.html</location>
</error-page>
<error-page>
    <error-code>504</error-code> 
    <location>/html/error504.html</location>
</error-page>
<error-page>
    <error-code>505</error-code> 
    <location>/html/error505.html</location>
</error-page>

    Portal 8 uses Servlet 2.5 specification, so we have to specify individual mapping for each required error code.

    See also:


  4. Create directory...

      c:/scratch/wps/wps.war/html

      ...and navigate to that directory.


  5. For each HTTP error code, create and save files...

    For example, error404.html contains... 

      <html>
    <script>
        window.location.href = "/wps/portal/error/error404";
    </script>
</html>

    The java script code in each file redirects error page we will create in the portal hierarchy.


  6. Create static html pages for each http error code.

  7. Create a new label called "Error"...

      Portal Administration | Manage Pages | Content Root | New Label

    Then create WCM pages for each error code...

      Portal Administration | Manage Pages | Content Root | Error | New Page

    ...and set...

      Title error404
      Unique Name e.error404
      Friendly URL name error404 (should match redirection URL in error404.html)
      Theme MYSITE Base Theme
      Type of Page Static Content
      URI of Layout Template of HTML war:MySiteThemeStatic/themes/Portal8.0/layout-templates/MYSITE1Column/


  8. For each page, for User role, assign anonymous user permissions.


  9. For each error page, select...

      Page Properties | Advanced Options | I want to set parameters

    ...and set...

      Parameter Value Description
      topNav hide Hide page from direct navigation
      ibm.portal.sharing.scope.page resourceaggregation.profile profiles/profile_foo_full.json


  10. Create WCM content.

    Go to...

      Libraries | MYSITE_Content_en | Content | Error Pages | New

    ...and create content item for each httpd code

    Example content properties...

    Name: Error404
    Display title: Error404
    Description: 404 Error Page Text
    Type: Content
    Location: MYSITE_Content_en / Error Pages / Error404
    Content Template: MYSITE_Design / AT_Rich_Text
    Mapped Presentation Templates:
    Workflow MYSITE_Design / Direct Workflow

    Verify anonymous user access to page...


    		Administrator Defined Workflow Defined Inheritance
    User None CN=WCMContentApprovers,OU=Roles,DC=MYSITE,DC=COM, [all users], cn=wcmcontentauthors,ou=roles,dc=wps,dc=com [all authenticated portal users], [anonymous portal user]
    Contributor None None WCMContentAuthors, WCMContentApprovers, WCMAdmins, WCMDesigners
    Editor None None None
    Manager None wpsadmin wpsadmin
    Approver None CN=WCMContentApprovers,OU=Roles,DC=MYSITE,DC=COM None


  11. Configure pages

    From Portal Administration, Manage Pages portlet, for each error page...

        Edit Mode

      Select

        Edit Page Layout

      ...and add a Web Content Viewer portlet...

    1. Configure shared settings to point to WCM error content...

        Content Type Content Item
        Content Behavior Select content and path
        Content MYSITE_Content_en / Error Pages / Error404
        Alternate Presentation Template MYSITE_Design / PT_RichText

    2. Pull up error page in browser. For example...

        http://myhost:10039/wps/portal/error/error404

      ...and select...

        Edit Mode

    3. Hover on the page name area, you will see 'Edit'. Click on edit. This will open page properties.

      Important: Make sure you are editing the right page. The value for "Name" should equal your page.

    4. Click on the Advanced tab

    5. In the Page Layout template location, enter one of the below layout locations

      • MYSITE Single Column Layout:

          war:MySiteThemeStatic/themes/Portal8.0/layout-templates/MYSITE1Column/

      • MYSITE 2 Column Layout:

          war:MySiteThemeStatic/themes/Portal8.0/layout-templates/MYSITE2ColumnRight/
          war:MySiteThemeStatic/themes/Portal8.0/layout-templates/MYSITE2ColumnLeft/
          war:MySiteThemeStatic/themes/Portal8.0/layout-templates/MYSITE2Rows2ColumnLeft/

      • MYSITE 3 Column Layout:

          war:MySiteThemeStatic/themes/Portal8.0/layout-templates/MYSITE3Column/

    6. Click on...

        "Update Layout from Template"

      Select C Base Theme and Full profiles.


  12. Deploy new wps.ear and test

    1. Collapse the changes made back into a new wps.ear file.

        cd C:\scratch
        C:\IBM\WebSphere\wp_profile\bin\EARExpander.bat -ear /scratch/wps.ear -operationDir /scratch/wps -operation collapse

    2. Optional: Make a backup of configuration on dmgr and nodes

        cd c:\IBM\WebSphere\wp_profile\bin
        backupConfig WebSphereConfig_20151202.zip
        startServer.bat WebSphere_Portal

      On portal cluster node, run startNode.bat

    3. Deploy the updated wps.ear back to portal

        cd C:\IBM\WebSphere\wp_profile\bin
        wsadmin.bat -user wpsadmin -password mypwd -c "$AdminApp install C:/scratch/wps.ear {-update -appname wps -deployejb -deployejb.classpath C:/IBM/WebSphere/PortalServer/base/wp.base/shared/app/wp.base.jar}"

    4. Restart portal

    5. Test...

        https://myportalsupport.state.gov:7443/wps/test


Customize the error page for WCM portlets

  1. Go to...

      C:\IBM\WebSphere\wp_profile\installedApps\node_name\PA_WCMLRingPortJSR286.ear\ilwwcm-localrende.war\WEB-INF\jsp\html

  2. Rename error.jsp to error-backup.jsp

  3. Put Prolific's copy of error.jsp in place: error.jsp

  4. Log on to WAS admin console and restart application PA_WCMLRingPortJSR286.

For more information on error.jsp, contact Rajeev Sharma <rajeev.sharma@prolifics.com>


Set up error handling in IIS

Create custom error pages for the following HTTP codes 401, 401, 403, 404, 500, etc...

Copy custom error file to...

For example...

To test...

Syst...

Prod

Error pages are set in Internet Information Services (IIS) Manager, select...

Do NOT edit any settings on this page.

If something goes wrong, review...

More info...


Error Code Summary

We need to support major codes which are relevant and may come in our portal. Note there are numerous other codes but they are not meaningful in context of our system.

Code Description HTML Page
404 Page Not Found error404.html
400 Bad Request error400.html
401 Unauthorized error401.html
403 Forbidden error403.html
405 Method not allowed error405.html
429 Too Many Requests error429.html
500 Internal Server Error error500.html
501 Not Implemented error501.html
502 Bad Gateway error502.html
503 Service Unavailable error503.html
504 Gateway Timeout error504.html
505 Http Version Not Supported error505.html


See Also

  1. Redirecting to a custom error page when HTTP 404 Not Found encountered on non-URL resources
  2. Customizing error pages in portal and WCM applications in a multi-site environment


IIS web server: Protocol and cipher suites restrictions

This configuration is made to turn off deprecated encryption methods and cipher suites for Portal Webserver SChannel. Microsoft IIS uses SChannel for it's SSL encyption support.

Use IISCrypto to set SChannel settings. As a starting point select Best Practices and only enable the following settings.

Enabled protocols

Ciphers

Hashes

Select Cipher Suite tab page and deselect the following...


WebSphere Application Server: Protocol and cipher suites restrictions

By default, the WAS Quality of Protection setting is SSL_TLS, which supports all handshake protocols except for SSLv2 on the server side. To harden, set the only supporred protocol to be TLS v1.2.

See also: How do I configure websphere application server SSL protocol to TLSv1.2 ONLY?

  1. Use backupconfig.sh to make a backup of WAS.

      cd c:\IBM\WebSphere\wp_profile\bin
      backupConfig.bat c:\scratch\backupConfig_20161213.zip
      startServer.bat Websphere_Portal

  2. Install Java 7

  3. Log on to the console and go to...

      Security | SSL certificate and key management | Related Items | SSL configurations | NodedefaultSSLsetting | Quality of protection (QoP)

    The above setting will apply to both inbound and outbound SSL Communication.

  4. On the Quality of protection (QoP) settings panel, select TLSv1.2 from the pull-down list in the box named Protocol.

  5. Click Apply and Save.

  6. Update ssl.client.props.

    On each portal node, edit...

      C:\IBM\WebSphere\wp_profile\properties\ssl.client.props

    ...and set...

      com.ibm.ssl.protocol=TLSv1.2

    Do the same on the dmgr for...

      c:\IBM\WebSphere\AppServer\profiles\Dmgr01\properties\ssl.client.props

    Update...

      C:\IBM\WebSphere\AppServer\profiles\cw_profile\properties\ssl.client.props
      C:\IBM\WebSphere\wp_profile\properties\ssl.client.props

  7. On each web server node, update plugin-cfg.xml and set...

      StrictSecurity="true"

    If this is not done, we may receive GSK_ERROR_SOCKET_CLOSED (gsk rc = 420) errors.

  8. Restart the dmgr using stopManager/startManager

    Stop nodes...

      c:\IBM\WebSphere\wp_profile\bin\stopNode.bat -username -password

  9. Use stopServer to stop all application servers running on the nodes

  10. Synchronize nodes...

      c:\IBM\WebSphere\wp_profile\bin\syncNode.bat dmgr_host soap_port

    soap port is found from dmgr console under...

      System Administration | Deployment manager | Ports | SOAP_CONNECTOR_ADDRESS

    You must run syncNode.bat from the command-line on each federated node, otherwise the nodes will not synchronize in the administrative console.

  11. Start the node agent on each federated node...

      c:\IBM\Websphere\wp_profile\bin\startNode.bat

  12. Check the Sync status of node from console, and then start the application server from console.

  13. Log back on to the QoP settings panel and set cipher suites to SHA384 and SHA256.

  14. Test using browsers

  15. Test using OpenSSL

  16. Test with sslscan.


Test TLS v1.2 using browsers


Test using OpenSSL

We can use openssl s_client connnect to WAS using SSL port like console SSL port or Application server ssl port

For Example...

Once connected to the WAS system, the certificate chain is displayed in the command prompt and the handshake details.


Remove JREs left by Web server and plug-in installers

When we install IBM HTTP Server, the installer leaves behind a JRE. We can remove this JRE, as it provides functions that are not needed by the Web server or plug-in under normal conditions.

When we install the WAS HTTP Server plug-in using the IBM installer, it also leaves behind a JRE. As before, we should remove this post install.

Make a backup copy just in case for future use. For example, zip or tar the JRE, and replace it later when needed for by the update installer when applying fixes.


Only accept requests from known Web servers

The WAS Web server plug-in forwards requests from the Web server to the target application server. By default, if the traffic to the Web server is over HTTPS, then the plug-in will automatically use HTTPS when forwarding the request to an application server, thus protecting its confidentiality.

We can configure the application servers, which contain a small embedded HTTP listener, to only accept requests from known Web servers. This prevents various sneak attacks that bypass any security that might be in front of or in the Web server and creates a trusted network path.

To create a trusted network path from the Web server to the application server, we configure the application server Web container SSL configuration to use client authentication. Once we have ensured that client authentication is in use, we ensure that only trusted Web servers can contact the Web container. We either limit the parties that have access by applying the SSL tunnel trick or confirming the direct SSL peer. To apply the SSL tunnel trick, we'll need to:

  1. Create a key store and trust store for the Web container and a key store for the Web server plug-in.

  2. Delete from all key stores (including the trust store) all of the existing signing certificates. At this point, no key store can be used to validate any certificates. That's intentional.

  3. Create a self-signed certificate in the two key stores and export just the certificate (not the private key). Make sure we track when those certificates expire. Once the plug-in certificate expires, it will no longer be able to contact the Web container! Import the certificate exported from the Web container key store into the plug-in key store. Import the plug-in certificate into the Web container trust store. Now, each side contains only a single signing certificate. This means that each can be used to verify exactly one certificate -- the self-signed certificate created for the peer.

  4. Install the newly created key stores into the Web container and Web server plug-in.


Trust association interceptors

WAS TAIs recognize existing authentication information from a Web SSO proxy server, such as Tivoli Access Manager WebSEAL. A TAI extends the trust domain. WAS trusts the TAI and whatever the TAI trusts.

Trust relationships between WAS and WebSEAL...

Password configuration WebSEAL sends user ID and password to the application servers for the junction being configured. The user ID is in the iv-user header. The WebSEAL TAI validates the password against the registry. If the LoginId property is not set on the WebSEAL TAI properties, then the TAI will verify the user ID and password combination sent from WebSEAL and trust it if it is any valid user ID and password combination. This is not a secure configuration because this then implies that any person knowing any valid user ID and password combination can connect to WAS and assert any user's identity. By specifying the LoginId property, the WebSEAL TAI ignores the inbound user ID in the basic auth header, and verifies the LoginId and WebSEAL password combination.
Mutual SSL configuration WebSEAL is configured to use SSL to communicate with WAS. The SSL configuration includes a client certificate whose private key is known only to WebSEAL. Configure the application server Web container to perform client certificate authentication. Alter the trust store to include only the client certificate that WebSEAL is using. This guarantees that requests to the application server Web container are coming only from WebSEAL, and not some intruder. Also remove the non-HTTPS transports from the Web container. Configure the WebSEAL TAI with mutualSSL=true in its properties. The TAI assumes the connection is secure and is using mutually authenticated SSL.


Enable FIPS compliance or SP800-131 or Suite B compliance

There three cryptographic algorithms to choose from when performing encryption....

The United State Government has defined standards with respect to computer security (Federal Information Processing Standards) that cover a number of areas. This standard was known as FIPS 140-2. As part of these standards, they specifically certify particular ciphers as being FIPS compliant and have also certified TLS (but not SSL V3).

The National Institute of Standards and Technology (NIST) has defined a new standard SP800-131 to replace the current FIPS 140-2. The National Security Agency (NSA) similarly developed a new standard called Suite B. These new standards further restrict the choice of ciphers that are used and require that TLS 1.2 be used; while FIPS 140-2 prohibited the use of SSL V3, SP800-131 prohibits the use of TLS 1.0 and TLS 1.1.

Users wishing to restrict their applications to use FIPS 140-2 compliant ciphers and TLS can either manually configure every endpoint, or simply enable FIPS compliance using the admin tools. Once FIPS is enabled, only FIPS compliant cryptography will be used.


Appendix


Overview

Attack types...

Attack Description
Network-based Intruder has low-level access to network packets and attempt to harm the system by altering this traffic or discovering information from these packets. Encryption of WAS internal traffic is less important than encryption of traffic that travels "beyond" WAS.
Machine-based The intruder has access to a host on which WAS is running. Goal is to limit the ability to damage the configuration or to see things that shouldn't be seen.
Application-based external Intruder uses application-level protocols (HTTP, IIOP, JMX, Web services, and so on) to access the application, perhaps via a Web browser or some other client type, and uses this access in an attempt to circumvent the normal use of the application usage. The intruder is executing code from outside of the application itself.
Application-based internal The intruder takes advantage of a rogue application that shares the same WAS infrastructure with valid applications. Mititgated using application isolation:


SSL/TLS

We use the term "SSL" when referring to both SSL and TLS protocols. TLS is used by default if both sides of the connection support TLS.

SSL protects HTTP traffic, IIOP traffic, LDAP traffic, MQ traffic, JDBC traffic, messaging traffic over the SIBus between WebSphere messaging engines, J2C and SOAP traffic. SSL uses of public/private key pairs stored in key stores.

Keys are asymmetric: Information encrypted with the private key can be decrypted using the public key.

Signed certificates have a digital signature asserting that the party possessing the private key corresponds to the signed public key is the party identified by the key.

Validation includes...

Self-signed certificates would need to be distribute manually to each client. It is easier to distribute just one CA certificate that signs many certificates; these CA certificates typically have a longer life, and client applications (such as browsers) typically automatically push out updates or replacements prior to expiry.

The downside to trusting all certificates issued by CAs is if there is a breach of a CA, there is a massive loss of trust.

When a client authenticates itself to a server, the process is similar, although the roles are reversed. In order for a server to authenticate a client the client must possess a private key and corresponding certificate, while the server must possess the corresponding signing certificate or a copy of the client's certificate.


SSL tunnels

Clients present a certificate which is validated by the server against the set of trusted certificate signers. Once validated, the SSL handshake completes. We limit the signers we trust on the server. With self-signed certificates, we can create a situation where there is only one signer: the self-signed certificate. This means that there is only one valid client side private key that can be used to connect to this SSL endpoint: the private key we generated when we created the self-signed certificate in the first place. This is how we can easily limit who can connect to a system over SSL -- even if the server side components don't provide authorization. Only trusted clients can connect over this transport.

WAS manages keys in key store and trust store files. A trust store is a key store that contains only trusted signers. We should place CA certificates and other signing certificates in a trust store. personal certificates with private keys should be stored in the key store.

Most of WAS uses the PKCS12 format. (WAS SSL configurations in fact support three modern key database formats: JKS, JCEKS, and PKCS12.) The IBM HTTP Server and the WAS Web server plug-in use an older key format known as the KDB format (or more correctly the CMS format). The two formats are similar in function but are incompatible in format. Therefore, we must be careful not to mix them up.


Infrastructure-based preventative measures

Protocols are:

WAS V8.5 includes the on demand router (ODR), previously only available in IBM WebSphere Virtual Enterprise. The ODR introduces some new network links that must be considered. Moreover, Intelligent Management for web servers in WebSphere Application Server V8.5.5 adds a native HTTP server alternative to the ODR: the ODLlib and the ODRLib require ports to the deployment manager and node agents.


See also

  1. Overview and approach to security hardening
  2. Advanced security hardening in WebSphere Application Server V7, V8 and V8.5, Part 2: Advanced security considerations