WebSphere Portal Security hardening


  1. Overview
  2. Enable security integration
  3. Use available authentication data for unprotected URIs
  4. Restrict cookies to HTTPS sessions
  5. Set X-Frame-Options to SAMEORIGIN
  6. Configure portal to run as a non-privileged account
  7. Block public internet access to administrative pages
  8. Block HTTP TRACE requests to the server
  9. Redirect IIS home to portal
  10. Secure LtpaToken2 cookie
  11. IBMJCE setup
  12. Custom error pages
  13. Internal SSL approach
    1. IIS
    2. WAS
    3. Test using browser
    4. Test using OpenSSL
  14. See also


Overview

The following are post-installation hardening tasks for securing a web portal environment. Components include WebSphere Portal v8, WebSphere Application Server v8.5, and IIS v7.


Enable security integration

To enable session security integration, in the WebSphere Integrated Solutions Console, click...

By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, apply unlimited jurisdiction policy files.


Use available authentication data for unprotected URIs

Enable WAS to create a security context on requests to unprotected URIs if valid credentials such as an LtpaToken or LtpaToken2 cookie are available on the request:


Restrict cookies to HTTPS sessions

Go to...

...and enable "Restrict cookies to HTTPS sessions"

After setting this, connect to portal using HTTPS protocol. Using an HTTP connection will throw permission exceptions when using portlets such as the WCM authoring portlet and the Manage Pages portlet.

Firebug will show whether this is enabled via the isSecure data in the cookie.


Set X-Frame-Options to SAMEORIGIN

  1. On each IIS web server host, go to...

      Control Panel\System and Security\Administrative Tools\Internet Information Services Manager

    From IIS Manager, select...

      Sites | Default Web Site | HTTP Response Headers | Add

  2. Set...

    Do this for all IIS web servers.

  3. Once saved, changes are written to web.config...

      <system.webServer>
        ...
      
        <httpProtocol>
          <customHeaders>
            <add name="X-Frame-Options" value="SAMEORIGIN" />
          </customHeaders>
        </httpProtocol>
      
        ...
      </system.webServer>
      

  4. Restart IIS to load change.

    Open a 'cmd" prompt as an administrative user

    ...and run...

      iisreset

  5. Use Firebug to verify setting.

    See also: Mitigating framesniffing with the X-Frame-Options header


Configure portal to run as a non-privileged account

  1. Create service account, for example, SERVICE-PORTAL, on local machine or domain.

  2. Grant folder access to service account. For example..

      Directory Access NOTES
      C:\IBM Full Control Inherit to all child files and directories
      C:\MyCo Read & Execute, List, Read Inherit to all child files and directories
      C:\MyCo\App_Logs Full Control Inherit to all child files and directories
      C:\scratch Full Control Inherit to all child files and directories

    1. Right-click on directory, and select properties from context menu.
    2. Select Security Tab
    3. Select Edit button
    4. Select Add, enter account name, and accept
    5. On return to the security tab, select account, then select the Access match the table above, and select okay.

    This should inherit the permissions to all the child files and directories. Verify, as sometimes this not happen consistently.

  3. Update Portal Windows services with service account and password

    1. Stop all IBM WAS services

      For standalone services this will be the singled IBM Portal Windows service, for a cluster this will be the DMGR, search, node agent and the IBM Portal Windows Services

      • DMGR Node Services

      • Portal Node(s)

    2. In Service applet select the IBM service properties, the select "Log On" tab, and provide service account name and password. For the first service you will be prompted for allowing the account to run as a service, select okay.

    3. Provide service credentials

    4. Accept "Grant Log On As A Service" right

    5. Restart Services


Block public internet access to administrative pages

  1. Log on to the Web server computer as an administrator.

  2. Install URLRewriteModule feature

    To install Microsoft URL Rewrite Module 2.0 for IIS 7:

      msiexec /I rewrite_amd64

    To uninstall, right-click on rewrite_amd64, then choose uninstall

  3. Correct the load order of IIS modules

    1. Make a copy of applicationHost.config

        C:\Windows\System32\inetsrv\config\applicationHost.config

    2. Edit applicationHost.config

        notepad C:\Windows\System32\inetsrv\config\applicationHost.config

    3. Search for RewriteModule in the <GlobalModules> section, and move the line to be above above the IsapiFilterModule module.

    4. Save the file.

    5. Restart IIS

      Restart using Internet Information Services Manager. If that does not work, restart from command-line.

  4. Open Internet Services Manager

      Start | Settings | Control Panel | Administrative Tools | Internet Services Manager

  5. Go to the Server view

  6. Click...

  7. Block access to...

      */04_Sj9CPykssy0xPLMnMz0vMAfGjzOKd3R09TMx9DAwMLIzMDTzNff1DPXwCDN39zfQLsh0VAd7eW54!/*
      *MYAPP-Administration*
      *MYAPPThemeStatic/WEB-INF*

    The first, obfuscated URL context, goes to an administrative page. This URL context is the same across all portal environments.

    No IIS restart is required.

  8. Verify page is blocked. For example.

      https://172.30.1.14:7443/MYAPP-Administration
      https://172.30.1.14:7443/myco/portal/MYAPP-Administration


Block HTTP TRACE requests to the server

Perform the following to update request filtering to deny the verbs for TRACE...

  1. Open Internet Information Services Manager...

      Control Panel | System and Security | Administrative Tools

  2. Go to Default Web Site, then click Request Filtering.

  3. On the Request Filtering pane, click the HTTP verbs tab, and then click "Deny Verb..." in the Actions pane.

  4. On the Deny Verb dialog box, enter the HTTP verb to block, and then click OK.

    To block HTTP TRACE requests to the server, enter "TRACE" in the dialog box.

    Note: Do NOT block DELETE requests. This will break delete attachments functionality.


Redirect IIS home requests to portal

Edit...

..and add the following after the <head> tag.

Prod...

<!-- Pleace this snippet right after opening the head tag to make it work properly -->

<!-- This code is licensed under GNU GPL v3 -->
<!-- You are allowed to freely copy, distribute and use this code, but removing author credit is strictly prohibited -->
<!-- Generated by http://insider.zone/tools/client-side-url-redirect-generator/ -->

<!-- REDIRECTING STARTS -->
<link rel="canonical" href="https://myportal.myco.com/myco/portal"/>
<noscript>
    <meta http-equiv="refresh" content="0;URL=https://myportal.myco.com/myco/portal">
</noscript>
<!--[if lt IE 9]><script type="text/javascript">var IE_fix=true;</script><![endif]-->
<script type="text/javascript">
    var url = "https://myportal.myco.com/myco/portal";
    if(typeof IE_fix != "undefined") // IE8 and lower fix to pass the http referer
    {
	// Don't remove this line or appendChild() will fail because it is called before document.onload to make the redirect as fast as possible. 
	// Nobody will see this text, it is only a tech fix.
        document.write("redirecting..."); 
        var referLink = document.createElement("a");
        referLink.href = url;
        document.body.appendChild(referLink);
        referLink.click();
    }
    else { window.location.replace(url); } // All other browsers
</script>
<!-- Credit goes to http://insider.zone/ -->
<!-- REDIRECTING ENDS -->


Secure LtpaToken2 cookie

Set secure flag for LtpaToken2 cookie...

  1. Enable...

      Security | Global Security | Web and Sip Security | Single Sign-On | Requires SSL

  2. Save changes. Sync nodes.

  3. Restart the DMGR, nodeagent(s) and Portal server(s).

  4. Chrome Devtools now shows LtpaToken2 as Secure...


IBMJCE setup

For each portal node, enable IBMJCE Random number generation algorithm...

Edit...

Go to below section in the file...

...and add the second line, and change the line numbers starting from third line. After changes done this section should look like below.

Restart the WebSphere Portal Server




Portal and IIS custom error pages

  1. Overview
  2. Set up error handling in Portal
  3. Customize the error page for WCM portlets
  4. Set up error handling in IIS
  5. Error Code Summary
  6. See also


Overview

This document describes adding custom error handling for the MYAPP application. We are configuring HTTP error code handling on both the portal and web server levels. URIs with an /myco portal root context, such as...

...will be served a custom error page via from WAS.

URIs that do not include portal root context, for example...

...will be processed on the web server (IIS).


Set up error handling in Portal

  1. Extract and backup wps.ear...

      cd c:\scratch
      C:\IBM\WebSphere\wp_profile\bin\wsadmin.bat -user portaladmin -password mypassword -c "$AdminApp export wps wps.ear"
      copy wps.ear wps.ear.orig

    Alternatively, you can export wps.ear from the WAS console.


  2. Expand the wps.ear...

      C:\IBM\WebSphere\wp_profile\bin\EARExpander.bat -ear wps.ear -operationDir c:/scratch/wps -operation expand -expansionFlags all

    ...and navigate to

      c:/scratch/wps/wps.war/WEB-INF/


  3. Edit both web.xml and web_merged.xml, and in each set...

      <mime-mapping>
          <extension>png</extension> 
      <mime-type>image/png</mime-type>
      </mime-mapping> 
      <error-page>
          <error-code>404</error-code> 
          <location>/html/error404.html</location>
      </error-page>
      <error-page>
          <error-code>400</error-code> 
          <location>/html/error400.html</location>
      </error-page>
      <error-page>
          <error-code>401</error-code> 
          <location>/html/error401.html</location>
      </error-page>
      <error-page>
          <error-code>403</error-code> 
          <location>/html/error403.html</location>
      </error-page>
      <error-page>
          <error-code>406</error-code> 
          <location>/html/error406.html</location>
      </error-page>
      <error-page>
          <error-code>429</error-code> 
          <location>/html/error429.html</location>
      </error-page>
      <error-page>
          <error-code>500</error-code> 
          <location>/html/error500.html</location>
      </error-page>
      <error-page>
          <error-code>501</error-code> 
          <location>/html/error501.html</location>
      </error-page>
      <error-page>
          <error-code>502</error-code> 
          <location>/html/error502.html</location>
      </error-page>
      <error-page>
          <error-code>503</error-code> 
          <location>/html/error503.html</location>
      </error-page>
      <error-page>
          <error-code>504</error-code> 
          <location>/html/error504.html</location>
      </error-page>
      <error-page>
          <error-code>505</error-code> 
          <location>/html/error505.html</location>
      </error-page>
      

    Portal 8 uses Servlet 2.5 specification, so we have to specify individual mapping for each required error code.

    See also:


  4. Create directory...

      c:/scratch/wps/wps.war/html

    ...then navigate to that directory.


  5. For each HTTP error code, create and save files...

    For example, error404.html contains...

      <html>
          <script>
          window.location.href = "/myco/portal/error/error404";
          </script>
      </html>
      

    The java script code in each file redirects error page we will create in the portal hierarchy.


  6. From Portal Administration, create pages for each http error code...

    First create a new label called "Error"...

      Portal Administration | Manage Pages | Content Root | New Label

    Then create WCM pages for each error code...

      Portal Administration | Manage Pages | Content Root | Error | New Page

    ...and set...

      Title error404
      Unique Name me.error404
      Friendly URL name error404 (should match redirection URL in error404.html)
      Theme MYAPP Base Theme
      Type of Page Static Content
      URI of Layout Template of HTML war:MYAPPThemeStatic/themes/Portal8.0/layout-templates/MYAPP1Column/


  7. For each page, for User role, assign anonymous user permissions.


  8. For each error page, select...

      Page Properties | Advanced Options | I want to set parameters

    ...and set...

      Parameter Value Description
      topNav hide Hide page from direct navigation
      ibm.portal.sharing.scope.page resourceaggregation.profile profiles/profile_myco_full.json


  9. Create WCM content.

    Go to...

      Libraries | MyApp_Content_en | Content | Error Pages | New

    ...and create content for httpd codes

    Example content properties...

    Name: Error404
    Display title: Error404
    Description: 404 Error Page Text
    Type: Content
    Location: MyApp_Content_en / Error Pages / Error404
    Content Template: MyApp_Design / AT_Rich_Text
    Mapped Presentation Templates:
    Workflow MyApp_Design / Direct Workflow

    Verify anonymous user access to page...


    Administrator Defined Workflow Defined Inheritance
    User None CN=WCMContentApprovers,OU=Roles,DC=MYAPP,DC=COM, [all users], cn=wcmcontentauthors,ou=roles,dc=myco,dc=com [all authenticated portal users], [anonymous portal user]
    Contributor None None WCMContentAuthors, WCMContentApprovers, WCMAdmins, WCMDesigners
    Editor None None None
    Manager None wpsadmin wpsadmin
    Approver None CN=WCMContentApprovers,OU=Roles,DC=MYAPP,DC=COM None


  10. Configure pages

    1. From Portal Administration, go to...

        Manage Pages | Content | Error

      ...and for each error page, select...

        Edit Page Layout

    2. Click the "Add portlets" button, then add a "Web Content Viewer" portlet...

    3. After adding, click on the context menu for the portlet, then select "Edit shared settings"

    4. Configure shared settings to point to WCM error content...

        Content Type Content Item
        Content Behavior Select content and path
        Content MyApp_Content_en / Error Pages / Error404
        Alternate Presentation Template MyApp_Design / PT_RichText

    5. Pull up error page in browser. For example...

        http://172.30.3.29:10039/myco/portal/error/error404

      ...and select...

        Edit Mode

    6. Hover on the page name area, you will see 'Edit'. Click on edit. This will open page properties.

      Important: Make sure you are editing the right page. The value for "Name" should equal your page.

    7. Click on the Advanced tab

    8. In the Page Layout template location, enter one of the below layout locations

      • MYAPP Single Column Layout:

          war:MYAPPThemeStatic/themes/Portal8.0/layout-templates/MYAPP1Column/

      • MYAPP 2 Column Layout:

          war:MYAPPThemeStatic/themes/Portal8.0/layout-templates/MYAPP2ColumnRight/
          war:MYAPPThemeStatic/themes/Portal8.0/layout-templates/MYAPP2ColumnLeft/
          war:MYAPPThemeStatic/themes/Portal8.0/layout-templates/MYAPP2Rows2ColumnLeft/

      • MYAPP 3 Column Layout:

          war:MYAPPThemeStatic/themes/Portal8.0/layout-templates/MYAPP3Column/

    9. Click on...

        "Update Layout from Template"

      Select MYAPP Base Theme and MyCo Full profiles.


  11. Deploy new wps.ear and test

    1. Collapse the changes made back into a new wps.ear file.

        cd C:\scratch
        C:\IBM\WebSphere\wp_profile\bin\EARExpander.bat -ear /scratch/wps.ear -operationDir /scratch/wps -operation collapse

    2. Optional: Make a backup of configuration on dmgr and nodes

        cd c:\IBM\WebSphere\wp_profile\bin
        backupConfig WebSphereConfig_20151202.zip
        startServer.bat WebSphere_Portal

      On portal cluster node, run startNode.bat

    3. Deploy the updated wps.ear back to portal

        cd C:\IBM\WebSphere\wp_profile\bin
        wsadmin.bat -user portaladmin -password mypassword -c "$AdminApp install C:/scratch/wps.ear {-update -appname wps -deployejb -deployejb.classpath C:/IBM/WebSphere/PortalServer/base/wp.base/shared/app/wp.base.jar}"

    4. Restart portal

      Test. For example, from local VM...


Customize the error page for WCM portlets

  1. Go to...

      C:\IBM\WebSphere\wp_profile\installedApps\node_name\PA_WCMLRingPortJSR286.ear\ilwwcm-localrende.war\WEB-INF\jsp\html

    For example, on PreProd portal node...

      C:\IBM\WebSphere\wp_profile\installedApps\PREPRD-DMGRCell01\PA_WCMLRingPortJSR286.ear\ilwwcm-localrende.war\WEB-INF\jsp\html

  2. Rename error.jsp to error.jsp.orig

  3. Drop in new error.jsp file.

  4. Log on to WAS admin console and restart application PA_WCMLRingPortJSR286.


Set up error handling in IIS

Copy custom error files to target IIS servers, into...

For example...

To test...

Error pages are set in Internet Information Services (IIS) Manager, select...

Do NOT edit any settings on this page.

If something goes wrong, review...

More info...


Error Code Summary

We need to support major codes which are relevant and may come in MyCo Portal. Note there are numerous other codes but they are not meaningful in context of our System.

Table below summarizes codes and possible methods to test implementation.

Code Description HTML Page To test
404 Page Not Found error404.html https://myhost:10029/myco/business/foo
https://myhost:10029/myco/test
https://myhost:10029/test
400 Bad Request error400.html UrlSegmentMaxLength registry setting on web server
401 Unauthorized error401.html Change file perm on static resource to non-readable?
403 Forbidden error403.html
405 Method not allowed error405.html
429 Too Many Requests error429.html
500 Internal Server Error error500.html
501 Not Implemented error501.html
502 Bad Gateway error502.html
503 Service Unavailable error503.html
504 Gateway Timeout error504.html
505 Http Version Not Supported error505.html


See Also

  1. Redirecting to a custom error page when HTTP 404 Not Found encountered on non-URL resources
  2. Customizing error pages in portal and WCM applications in a multi-site environment




Internal SSL approach

Do NOT enable TLS v1.2 on any systems on which it not currently not supported. For example, Active Directory currently only supports TLS 1.0. WebSphere Application Server supports TLS v1.2 only after upgrading from Java 6 to Java 7.


IIS web server: Protocol and cipher suites restrictions

This configuration is made to turn off deprecated encryption methods and cipher suites for Portal Webserver SChannel. Microsoft IIS uses SChannel for it's SSL encyption support.

Use IISCrypto to set SChannel settings. As a starting point select Best Practices and only enable the following settings.

Enabled protocols

Ciphers

Hashes

Select Cipher Suite tab page and deselect the following...


WebSphere Application Server: Protocol and cipher suites restrictions

Default Quality of Protection setting for portal environments is SSL_TLS, which supports all handshake protocols except for SSLv2 on the server side. We want the only supporred protocol to be TLS v1.2.

  1. Use backupconfig.sh to make a backup of WAS.

      cd c:\IBM\WebSphere\wp_profile\bin
      backupConfig.bat c:\scratch\backupConfig_20161213.zip
      startServer.bat Websphere_Portal

  2. Install Java 7

  3. Log on to the console and go to...

      Security | SSL certificate and key management | Related Items | SSL configurations | NodedefaultSSLsetting | Quality of protection (QoP)

    The above setting will apply to both inbound and outbound SSL Communication.

  4. On the Quality of protection (QoP) settings panel, select TLSv1.2 from the pull-down list in the box named Protocol.

  5. Click Apply and Save.

  6. Update ssl.client.props.

    On each portal node, edit...

      C:\IBM\WebSphere\wp_profile\properties\ssl.client.props

    ...and set...

      com.ibm.ssl.protocol=TLSv1.2

    Do the same on the dmgr for...

      c:\IBM\WebSphere\AppServer\profiles\Dmgr01\properties\ssl.client.props

    On Syst, update...

      C:\IBM\WebSphere\AppServer\profiles\cw_profile\properties\ssl.client.props
      C:\IBM\WebSphere\wp_profile\properties\ssl.client.props

  7. On each web server node, update plugin-cfg.xml and set...

      StrictSecurity="true"

    If this is not done, we may receive GSK_ERROR_SOCKET_CLOSED (gsk rc = 420) errors.

  8. Restart the dmgr using stopManager/startManager

    Stop nodes...

      c:\IBM\WebSphere\wp_profile\bin\stopNode.bat -username -password

  9. Use stopServer to stop all application servers running on the nodes

  10. Synchronize nodes...

      c:\IBM\WebSphere\wp_profile\bin\syncNode.bat dmgr_host soap_port

    soap port is found from dmgr console under...

      System Administration | Deployment manager | Ports | SOAP_CONNECTOR_ADDRESS

    You must run syncNode.bat from the command-line on each federated node, otherwise the nodes will not synchronize in the administrative console.

  11. Start the node agent on each federated node...

      c:\IBM\Websphere\wp_profile\bin\startNode.bat

  12. Check the Sync status of node from console, and then start the application server from console.

  13. Log back on to the QoP settings panel and set cipher suites to SHA384 and SHA256.

  14. Test using browsers

  15. Test using OpenSSL

  16. Test with sslscan.


Test TLS v1.2 using browsers


Test using OpenSSL

You can use openssl s_client connnect to WAS using SSL port like console SSL port or Application server ssl port

For Example...

Once connected to the WAS system, the certificate chain is displayed in the command prompt and the handshake details.


See also

  1. How do I configure websphere application server SSL protocol to TLSv1.2 ONLY?