Proxy security level properties
These settings describe the attributes and policies that define the security level of a secured proxy server. The overall security level of the secured proxy server is set to the weakest level of security assigned to any of the individual settings. To view this console page, click Servers > Proxy Servers > server_name > Custom security settings. This panel will only be available for a secure proxy server profile that has been registered with the AdminAgent.
Current security level
A qualitative security level based on an evaluation of the current security related configuration values.
The possible values for Current DMZ Security are high, medium, low. During creation of the secured proxy server, default configurations of high, medium and low are available. We are also able to customize these security settings resulting in the Current DMZ Security level being calculated by the system. Each custom setting has an assigned value of high, medium or low. The overall security level is equal to value of the setting that is considered the least secure. For example, to have an overall security level of high, all settings must be configured to the values associated with a high level of security. If any of the settings are configured with a less secure value, the overall security level is the value of that setting.
Administration
Option Used as the default value in the predefined security levels Description Local administration The default value for the Medium and the High security levels Specifies that administration of the secure proxy server can only be performed using wsadmin commands performed locally on the system. Remote administration The default value for the Low security level Specifies that remote administration of the secure proxy server is permitted.
Routing
Option Used as the default value in the predefined security levels Description Static routing The default value for the High security level The proxy server will make routing determinations from routing information based on flat files on the file system. This is for Hypertext Transfer Protocol (HTTP) only Dynamic routing The default value for the Low and the Medium security levels The proxy server will dynamically discover the best route to a destination and distribute to servers with like protocols.
Start-up permissions
Option Used as the default value in the predefined security levels Description Run as an unprivileged user The default value for the Medium and the High security levels The server process will revert to a predefined unprivileged user after start-up has completed. Run as a privileged user The default value for the Low security level The server process does not revert to an unprivileged user after startup. It is a requirement that the proxy server start under a privileged user as it initializes privileged ports. Ports lower than 1024 are considered privileged ports. Under this setting, the effective user of the server process continues to be the privileged user. This setting does not provide additional hardening to the access of the server process to the local operation system resources. This is considered a low security level setting.
Custom Error Page Policy
Option Used as the default value in the predefined security levels Description Local error page handling The default value for the Low, the Medium and the High security levels Specifies that error responses will be generated from flat custom error page files stored locally on the local file system. Remote error page handling None Specifies to route error responses to a remote custom application deployed on a back-end server. This application will generate a custom response for the error
Local error page handling
- Handle errors generated by the proxy server
Specifies if errors generated by the proxy server should be handled with the custom static error pages stored on the local file system. If this is not selected then the default error messages will be used instead of any custom error pages.
- Handle errors generated by application servers
Specifies if errors generated by the backend server should be handled with the custom static error pages stored on the local file system. If this is not selected then the default error messages will be used instead of any custom error pages.
- Error mappings
Error codes to match with specific static error pages stored on the file system. We can use a relative file path under the configured static file document root to assign a custom error file to be used for a specific error code or group of error codes. The wildcard character, * , is used to assign error files to groups of error codes.
Remote error page handling
- Error page generation application URI
Specifies the URI for the custom error page generation application.
- Handle errors generated by the proxy server
Specifies if errors generated by the proxy server should be handled with the custom error application deployed on the application server. If this is not selected then the default error messages will be used instead of any custom error pages.
- Handle errors generated by application servers
Specifies if errors generated by the backend server should be handled with the custom error application deployed on the application server. If this is not selected then the default error messages will be used instead of any custom error pages.
- Headers to forward to Error page Application
List of the headers from the original request to forward to the error page generation application.
- HTTP status codes that are to be recognized as errors
List of the status codes in a response that should be directed to the error page generation application.
Related concepts
WebSphere DMZ Secure Proxy Server for IBM WebSphere Application Server DMZ Secure Proxy Server for IBM WebSphere Application Server start up user permissions DMZ Secure Proxy Server for IBM WebSphere Application Server routing considerations DMZ Secure Proxy Server for IBM WebSphere Application Server administration options Error handling security considerations for the DMZ Secure Proxy Server for IBM WebSphere Application Server