Hardening security configurations
In the simplest case, network sniffing can be used to obtain passwords, and those passwords can then be used to mount an application-level attack. The following issues are discussed in IBM WebSphere Developer Technical Journal: WebSphere Application Server V5 advanced security and system hardening:
- Enable administrative security for all WebSphere processes. This protects access to the ConfigService interface and managed beans (MBeans).
- Use SSL wherever possible, and mutual SSL wherever it is practical. Note that mutual SSL requires every client to present a trusted personal certificate in order to connect.
- Remove any unnecessary certificate authority (CA) signer certificates from the trust stores.
- Change default keystore passwords during or after profile creation using the AdminTask changeMultipleKeyStorePasswords command.
- Change the LTPA keys periodically. We can configure the automatic regeneration of LTPA keys if necessary.
- Common Secure Interoperability version 2 (CSIv2) inbound Basic authentication is supported in this release of WAS. The authentication default is 'required'.
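The keystore password rotation described above can be scripted with wsadmin. The following Jython script is an added example and is not IBM's own code; it assumes the keystores still carry the WebSphere default keystore password (WebAS), that the script is run against a cell with administrative security enabled, and that the old and new passwords are passed as script arguments rather than stored in the file.

```jython
# wsadmin Jython script (added example, not from the original page).
# Usage: wsadmin.sh -lang jython -f rotate_keystore_passwords.py <oldPassword> <newPassword>
# Assumption: the keystores to rotate still use the WebSphere default password "WebAS",
# so <oldPassword> will normally be WebAS. Both values come from the command line.
import sys

# In wsadmin, sys.argv holds only the arguments that follow the script name.
if len(sys.argv) != 2:
    print "usage: wsadmin.sh -lang jython -f rotate_keystore_passwords.py <oldPassword> <newPassword>"
    sys.exit(1)

oldPassword = sys.argv[0]
newPassword = sys.argv[1]

if oldPassword == newPassword:
    print "Refusing to rotate: new password is identical to the old one."
    sys.exit(1)

# Record which keystores exist before the change so the result can be reviewed.
print "Keystores defined in this cell before rotation:"
print AdminTask.listKeyStores()

# Change every keystore whose current password matches <oldPassword>.
# The command only touches keystores that open with the supplied old password,
# so keystores that were already rotated are left alone.
changed = AdminTask.changeMultipleKeyStorePasswords(
    '[-keyStorePassword %s -newKeyStorePassword %s -newKeyStorePasswordVerify %s]'
    % (oldPassword, newPassword, newPassword))

print "Keystores whose password was changed:"
print changed

# Persist the configuration change; without this the rotation is discarded
# when the wsadmin session ends.
AdminConfig.save()
print "Configuration saved. Synchronize the nodes so each node picks up the new passwords."
```

After the script runs, confirm that the returned list covers every keystore you expected to rotate; any keystore missing from it still uses a password other than the one supplied.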
What to do next
In this release of WAS, more security hardening features of the server are enabled by default. However, if the features are not enabled after migration, we can enable them ourselves. See the Security hardening features enablement and migration article for more information.
For additional information about hardening security configurations, see the WebSphere Application Server security web page.
Related concepts
Enablement and migration considerations of Security hardening features
Related tasks
Tuning, hardening, and maintaining security configurations