Tune the security properties for the DMZ Secure Proxy Server for IBM WebSphere Application Server
When creating a DMZ Secure Proxy Server for IBM WebSphere Application Server, default security levels of high, medium and low are available. In addition to the predefined configuration levels, we can modify the security settings for the DMZ Secure Proxy Server for IBM WebSphere Application Server. When you choose to customize the settings, a qualitative value of high, medium or low is still assigned to inform you of the overall security level of the DMZ Secure Proxy Server for IBM WebSphere Application Server.
A DMZ Secure Proxy Server for IBM WebSphere Application Server must be installed before these steps can be completed. The DMZ Secure Proxy Server for IBM WebSphere Application Server profile must be registered with the AdminAgent for this panel to be available.
Installing the DMZ Secure Proxy Server for IBM WebSphere Application Server in the DMZ rather than the secured zone presents new security challenges. The DMZ Secure Proxy Server for IBM WebSphere Application Server has been equipped with various capabilities to provide protection for meeting these challenges. In addition to the predefined security configurations for the DMZ Secure Proxy Server for IBM WebSphere Application Server, we can also tune the settings to customize the protection.
- Click Servers > Proxy Servers > secured_proxy_server_name > Custom security settings to open the Proxy security settings panel.
- Choose the administration option for the DMZ Secure Proxy Server for IBM WebSphere Application Server.
  - Local Administration - Security level: medium and high
    This option allows two different types of administration. Managing the DMZ Secure Proxy Server for IBM WebSphere Application Server entirely and loading updated profiles imported from inside the cell are both considered Local Administration.
  - Remote Administration - Security level: low
- Choose the routing option for the DMZ Secure Proxy Server for IBM WebSphere Application Server.
  - Static routing - Security level: high
  - Dynamic routing - Security level: low and medium
- Choose the startup permission option for the DMZ Secure Proxy Server for IBM WebSphere Application Server.
  - Run as an unprivileged user - Security level: medium and high
  - Run as privileged user - Security level: low
- Optional: If Run as an unprivileged user is selected, enter the user name or the user group whose identity the server should assume after startup has completed.
- Choose the custom error page policy option for the DMZ Secure Proxy Server for IBM WebSphere Application Server.
  - Local error page handling - Security level: high
    If we choose to use local error page handling, we need to select which error responses should use custom error messages. Select Handle local errors for responses generated by the proxy server and select Handle remote errors for responses generated by the backend server. Both options may be selected to use custom error messages for local and remote errors. Manage your error code mappings to determine the custom error pages to be used for specific responses.
  - Remote error page handling - Security level: low and medium
    If we choose to use remote error page handling to include custom errors, we need to select which error responses should be customized. Select Handle local errors for responses generated by the proxy server and select Handle remote errors for responses generated by the backend server. Both options may be selected to use custom error messages for both local and remote errors. Manage the headers that should be sent to the custom error application and what status codes are to be recognized as errors.
Results
You have finished customizing the security settings for the DMZ Secure Proxy Server for IBM WebSphere Application Server. A qualitative value of high, medium or low is calculated from the settings you chose and shown as the Current DMZ Security level.
Subtopics
- DMZ Secure Proxy Server for IBM WebSphere Application Server start up user permissions
The overall security level of the DMZ Secure Proxy Server for IBM WAS can be hardened by reverting the server process to run as an unprivileged user after startup. Although the DMZ Secure Proxy Server for IBM WebSphere Application Server must be started as a privileged user, changing the server process to run as an unprivileged user provides additional protection for local operating resources.
- DMZ Secure Proxy Server for IBM WebSphere Application Server routing considerations
This topic summarizes some of the security implications that must be considered when choosing how the DMZ Secure Proxy Server for IBM WebSphere Application Server will match incoming HTTP requests to an application or routing rule.
- DMZ Secure Proxy Server for IBM WebSphere Application Server administration options
The DMZ Secure Proxy Server for IBM WebSphere Application Server is administered differently than the WebSphere proxy server. The DMZ Secure Proxy Server for IBM WebSphere Application Server is a separate binary installed in the DMZ. Installing the DMZ Secure Proxy Server for IBM WebSphere Application Server in the DMZ requires that administration be managed differently for security reasons. Several administrative options are available for administering the DMZ Secure Proxy Server for IBM WebSphere Application Server to provide different levels of balance between security and usability.
- Error handling security considerations for the DMZ Secure Proxy Server for IBM WebSphere Application Server
The overall security level of the DMZ Secure Proxy Server for IBM WebSphere Application Server is partially determined by the choices made regarding the handling of custom errors.
- Proxy security level properties
These settings describe the attributes and policies that define the security level of a secured proxy server. The overall security level of the secured proxy server is set to the weakest level of security assigned to any of the individual settings.
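The weakest-setting rule above, applied to the four choices from the procedure, as an added example that is not IBM code. The setting and option keys are hypothetical labels rather than WebSphere property names, and the script assumes that an option listed at two levels can reach the higher of the two.

```python
# Added example: keys below are hypothetical labels for the four panel
# choices, not WebSphere configuration property names.
LEVELS = ["low", "medium", "high"]

# Security levels this page lists beside each option.
OPTION_LEVELS = {
    "administration": {"local": ("medium", "high"), "remote": ("low",)},
    "routing": {"static": ("high",), "dynamic": ("low", "medium")},
    "startup_permissions": {"unprivileged": ("medium", "high"), "privileged": ("low",)},
    "error_page_policy": {"local": ("high",), "remote": ("low", "medium")},
}


def ceiling(setting, choice):
    """Highest level a single choice is compatible with (assumed interpretation)."""
    try:
        levels = OPTION_LEVELS[setting][choice]
    except KeyError:
        raise ValueError(f"unknown option {setting}={choice!r}") from None
    return max(levels, key=LEVELS.index)


def audit(config, target="high"):
    """Return (overall_level, {setting: options that would reach target})."""
    missing = set(OPTION_LEVELS) - set(config)
    if missing:
        raise ValueError(f"settings not specified: {sorted(missing)}")
    ceilings = {s: ceiling(s, config[s]) for s in OPTION_LEVELS}
    # Weakest-link rule: the overall level is the lowest per-setting ceiling.
    overall = min(ceilings.values(), key=LEVELS.index)
    changes = {}
    for setting, level in ceilings.items():
        if LEVELS.index(level) < LEVELS.index(target):
            # Options of this setting that the page lists at the target level.
            changes[setting] = [c for c, lv in OPTION_LEVELS[setting].items()
                                if target in lv]
    return overall, changes


if __name__ == "__main__":
    # Constructed sample: hardened except for routing and error pages.
    sample = {"administration": "local", "routing": "dynamic",
              "startup_permissions": "unprivileged", "error_page_policy": "remote"}
    print(audit(sample))
```

The second return value names the settings that hold the proxy below the target level and the option that would lift each one.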