IBM Security Scanner for WebSphere Application Server

Introduction

IBM Security Scanner for WebSphere Application Server is a command-line Java tool that checks for some of the potential security vulnerabilities caused by improper or incorrect WebSphere Application Server security configuration. The tool produces an HTML report that contains the security configuration checks performed, the status of each check, a corrective action if necessary and a link to the information center task related to the corrective action. The tool runs on WebSphere Application Server Versions 5.x and 6.0.x.

The IBM WebSphere Developer Technical Journal article WebSphere Application Server V5 Advanced Security and System Hardening identifies many of the checks that are performed and why they are important. Although the article refers to WebSphere Application Server Version 5, the information applies to version 6.0.x as well.

What the tool does

It scans static WebSphere Application Server (Base and Network Deployment only) security configuration files to look for potential vulnerabilities
It attempts to identify security configuration changes that could strengthen the security of the WebSphere Application Server

What the tool does not do

The tool does not check for runtime penetration vulnerabilities.
The tool is not a general purpose WebSphere Application Server configuration diagnostic tool intended to aid in the problem determination of configuration problems.
The tool is not a fail safe guarantee that system is totally secure.
The tool does not do network, host, physical, or operating system security vulnerability analysis.

Important Note: This tool can only point out WebSphere Application Server configuration items which, if corrective action is taken, may improve the overall security of the WebSphere Application server. IBM makes no claim or guarantee that the tool detects all possible security configuration issues or that if corrective action is taken for the items it does detect, that the WebSphere Application Server system will be completely secure from any or all possible threats. Network security, operating system security, physical security, in addition to WebSphere Application Security, should all be considered.

License Agreement

License agreement files are provided in multiple languages within the tool. Refer to the paragraph on "Files present within the Tool" to find out where the license files are located

Tool Support

As mentioned in the license agreement, this tool has no warranty and comes with no formal support. It is provided "as is". However, any feedback on the tool provided at the download site will be appreciated.

WebSphere Application Server Security Configuration Items Checked

The following table enumerates the WebSphere Application Server Security Configurations checked for by the tool

The "Core" security configuration items are some of the more important security configurations that if addressed may secure the WebSphere Application Server installation

The "Extended" security configuration items are more advisory in nature and may not require any action. Examine your environment to see if these could be relevant security concerns.

Core Security Configuration Items Checked	Description of the Check
Global Security	Checks if Global Security is enabled on the WebSphere Application Server installation
Certificates	The expiration date of certificates used by WebSphere Application Server is displayed. The tool also checks if the certificate is a default certificate that is shipped as part of the product.
CORBA Namespace	Checks whether CORBA Namespace is protected
SSL between WebSphere Application Server and LDAP	Checks if SSL is enabled between WebSphere Application Server and LDAP sever
Authentication Mechanism	Checks to see the authentication mechanism being used
Encryption for Distributed Replication Service (DRS)	Checks if encryption is enabled for DRS
Sample Applications	Checks if sample applications are installed
Administrative User Ids	Checks to see if multiple administrative userids are defined
Extended Security Configuration Items Checked	Description of the Check
Administrative Roles	Checks to see if multiple administrative roles are defined
WebContainer HTTPS	Checks if the WebContainer has HTTPS transports defined
Java2 security	Checks to see if Java2 security is enabled and if it is enabled, it checks if overly generous Java2 permissions are set

History

30 June 2005: IBM Security Scanner for WebSphere Application Server version 1.0 Published at the IBM Support site.

Prerequisites

The tool runs on the following versions of WebSphere Application Server

WebSphere Application Server Version 5.0.x
WebSphere Application Server Version 5.1.x
WebSphere Application Server Version 6.0.x
WebSphere Application Server Network Deployment Version 5.0.x
WebSphere Application Server Network Deployment Version 5.1.x
WebSphere Application Server Network Deployment Version 6.0.x

The tool runs on the following operating systems

Windows
AIX
Solaris
Linux (RedHat, Suse)
z/OS
i5/OS™, which is formerly known as OS/400

Limitations

The following are limitations of the tool

Currently the tool can only look up JKS keystores, hence certificates present within jks keystores alone are evaluated for validity. Which is why the tool cannot evaluate certificates present in RACF keystores on zOS systems.

Files present within the tool

The tool reads various WebSphere Application Server configuration files and related WebSphere Application Server installed artifacts in order to perform the security checks. This tool also depends upon and uses many of the libraries of the installed WebSphere Application Server. The tool is packaged as a zip file, wsst.zip. This zip file contains the following files:

wsst.jar - contains the java class files that comprise the implementation of the tool.
wsst.properties – a property file which contains properties that control execution of the tool. There are three properties defined in the properties file. Defaults exist for all the properties.

The classesToRun property determines which security checks to perform. Remove a particular class name from this list in order to skip the security check
The viewClass determines the format of output generated. The only valid value for this is com.ibm.wsst.HtmlView
The third property, outputFile is to specify the output file. The default value, outputFile=default creates an output in the format report_Date_Time.html

wsst.bat, wsst.sh, wsst50.qsh, wsst51.qsh, wsst60.qsh - scripts that set environment variables and launch the tool.
readme.html – provides tool overview, how to install, setup and run the tool.
license directory - the license agreement files in different languages are present under this directory
COPYRIGHT - this file has the copyright information for the tool
tool.version - this file has the version and build number for the tool

Installation and Launch Instructions

OS/400, Windows, UNIX and zOS

Complete the following steps to install the tool on OS/400, Windows, UNIX and zOS

Place the wsst.zip file in any directory on the machine that has the WebSphere Application Server installation to be scanned. For example, you could create a “security_scanner” directory under “/usr/IBM/WebSphere/AppServer” or “C:\Program Files\WebSphere\AppServer” and place the zip file under it.
Unzip (or unjar) the wsst.zip file. On unzipping, a directory "wsst" is created containing the files mentioned under "Files present within the tool"
Change the current directory to the directory "wsst" created on unzipping the wsst.zip file.
Edit the script file (wsst.bat for windows or wsst.sh for UNIX and zOS or wsstxx.qsh for OS/400) in the directory "wsst" to change WAS_HOME to point to a WebSphere Application Server installation, for example C:\WebSphere\AppServer or /usr/IBM/WebSphere/AppServer on the same machine.

Note:

Three different scripts are provided for OS/400, wsst50.qsh, wsst.51.qsh and wsst60.qsh. The numbers in the script file names refer to the version number of WebSphere Application Server it runs against. For example, on OS/400 edit wsst50.qsh to change WAS_HOME to point to /QIBM/ProdData/WebAS5/Base, to run against WebSphere Application Server version 5.0.x
On zOS you might have to convert wsst.sh from ascii to ebcdic and change the permission bits of wsst.sh to 755 in order to be able to execute.
On Unix, after unzipping 'wsst.zip', do 'chmod +x' to grant execute permission to 'wsst.sh'

Complete the following steps to launch the tool on OS/400, Windows, UNIX and zOS

Run the script file (wsst.bat for Windows, wsst.sh for UNIX, and wsstxx.qsh for OS/400) on the command line from the same directory "wsst" that was created on unzipping wsst.zip.
For all operating systems other than OS/400, the tool prompts for the WebSphere Application Server installation to be scanned, hit <return> to scan the WebSphere Application Server installation pointed to by WAS_HOME in the script file, or input another WebSphere Application Server installation on the same machine to be scanned from the command line. (Note: The version of this WebSphere Application Server to be scanned can be different from the one mentioned in WAS_HOME)
The tool outputs the name of the WebSphere Application Server installation ( for v5.0.x and v5.1.x) or the WebSphere Application Server profile name ( for v6.0.x) being scanned and the name of each security check being performed along with it’s status on system out. For v5.0.x and v5.1.x on OS/400 the tool outputs the Websphere Application Server instance name.
A report in the format hostname_report_Date_Time.html is generated after the tool completes running. Open the report in the browser to view the result of the scan.

Interpreting the output report

The output report has the name of the WebSphere Application Server installation scanned along with the build details of the installation at the top of the report. Also mentioned at the top of the report are the version of the tool that generated the report and the date and time the report was generated.

The report has 3 sections. The first section reports on the security checks performed. The status of each check is either “OK” or “Improvements Possible”. If the status is "OK", then the configuration item does not need improvement or a corrective action. If the status is “Improvements Possible” look for the “Area of Concern” to understand what was detected by the check and why it could be a potential problem. Look at the “Corrective Action” column to see how to address the issue. The “InfoCenter Task Reference” column points to the exact link in InfoCenter that can be followed in order to perform the “Corrective Action”.

The second section of the report is “Extended Checks”. These are some of the security configurations found which may or may not be a security concern depending on your setup. The intention of the “Extended Checks” is to make you aware of the status of these security configurations.

The third section of the report is present if any errors are detected when performing a check. It reports on the errors encountered when performing a check. If a check cannot be completed due to errors, it does not appear under the first two sections, but appears in the third section along with the error encountered.

If the tool is run on a WebSphere Application Server Version 6.0.x or WebSphere Application Server Network Deployment version 6.0.x installation that has multiple profiles, the tool performs all the security checks against each profile. The output report will have 3 sections for each profile (the error section will only appear if errors were encountered).

At the end of the report, helpful links are provided. To understand the security configurations and why that they are needed, see the link to the IBM WebSphere Developer Technical Journal article on WebSphere Application Security Hardening appears that refer to in order to understand the security configurations and why they are needed. A link is also provided to the IBM support website that has the latest updates and fixes available.

All possible values for each security check

The following tables shows all the possible values for each security check

Core Security Configuration Items Table

Security Configuration Item Name	Value of Status	Possible values for Area of Concern	Value of Corrective Action
Global Security (High Priority)	OK	Global Security is enabled. Only users with specific rights can use the WebSphere Application Server administrative tools to perform any administrative operation	No action required
	Improvements Possible	Global Security is disabled. By default, WebSphere Application Server uses no security. This means that all network links are insecure and that any user with access to the deployment manager (HTTP to the Web admin console, or SOAP/IIOP to the JMX management ports) can use the WebSphere Application Server administrative tools to perform any administrative operation, up to and including removing existing servers.	Enable Global Security
Certificate Checker (High Priority)	OK	Certificate for SSLConfig: IBM-2RI44RCU0TCNode01/WebContainerSSLSettings, key file: C:\WebSphere\AppServer\profiles\default\etc\keys\WASWebContainer.jks, alias: waswebcontainer will expire on Thu May 25 14:03:17 CDT 2006	No action required
	Improvements Possible	Certificate for SSLConfig: IBM-2RI44RCU0TCNode01/DefaultSSLSettings, key file: C:\WebSphere\AppServer\profiles\default\/etc/DummyServerKeyFile.jks, alias: websphere dummy server is a default certificate from IBM and should not be used. The certificate will expire on Wed Oct 13 15:39:20 CDT 2021	Create a new certificate
	Improvements Possible	Certificate for SSLConfig: IBM-2RI44RCU0TCNode01/WebContainerSSLSettings, key file: C:\WebSphere\AppServer\profiles\default\etc\keys\WASWebContainer.jks, alias: test will expire on Tue Jul 26 10:12:47 CDT 2005 Warning: Certificate expires in less than 90 days!	Create a new certificate
	Improvements Possible	Certificate for SSLConfig: Client Authentication setting in sas.client.props file, key file: C:/Program Files/WebSphere/DeploymentManager/etc/DummyClientKeyFile.jks, alias: websphere dummy client is a default certificate from IBM and should not be used. The certificate has expired, it expired on Thu Mar 17 14:05:45 CST 2005	Create a new certificate
CORBA Namespace Security (High Priority)	OK	CORBA Naming roles are configured	No action required
	Improvements Possible	The CORBA Namespace can be modified by All Authenticated users. Any authenticated user can alter the JNDI namespace. The default naming security policy is to grant all users read access to the CosNaming space and to grant any authenticated user the privilege to modify the contents of the CosNaming space. You can restrict user access to the CosNaming space.	Configure CORBA Naming Roles
	Improvements Possible	The CORBA Namespace can be modified by Everyone. Anyone can alter the JNDI namespace. The default naming security policy is to grant all users read access to the CosNaming space and to grant any authenticated user the privilege to modify the contents of the CosNaming space. You can restrict user access to the CosNaming space.	Configure CORBA Naming Roles
	Improvements Possible	Global Security is not enabled, therefore security policies are not enforced. As a result, anyone can modify CORBA Namespace.	Enable Global Security and configure CORBA Naming Roles
SSL usage between LDAP and WebSphere Application Server (Medium Priority)	Improvements Possible	Global Security is not enabled, cannot check if LDAP user registry is being used	Configure a user registry as part of Enabling Global Security
	OK	User Registry is LDAP. SSL between WebSphere Application Server and LDAP is enabled This ensures that the communication between WebSphere Application Server and LDAP is encrypted	No action required
	Improvements Possible	User Registry is LDAP. SSL between WebSphere Application Server and LDAP is disabled The communication between WebSphere Application Server and LDAP is not encrypted	Enable SSL between WebSphere Application Server and LDAP User Registry
	OK	User registry being used is not LDAP	No action required
Authentication Mechanism (Medium Priority)	Improvements Possible	Global Security is not enabled, therefore no authentication mechanism is being used	Choose an authentication mechanism as part of Enabling Global Security.
	Improvements Possible	LTPA Authentication is not enabled. SWAM Authentication is being used. SWAM is weaker than LTPA since it relies on the HTTP Session for maintaining state. SWAM authentication is not forwardable to remote EJBs and cannot be used in distributed environments such WebSphere Application Server Network Deployment. SWAM is intended for simple, non-distributed, single appserver run-time environments.	Use LTPA Authentication mechanism in distributed environments and for Single Sign On (SSO)
	OK	LTPA Authentication mechanism is enabled. Lightweight Third Party Authentication (LTPA) is intended for distributed, multiple application server and machine environments. It supports single signon (SSO).	No action required
Encryption for Distributed Replication Service (Medium Priority)	OK	Data Replication Service(DRS) is not being used to exchange data among appservers	No action required
	OK	Encryption is enabled on Distributed Replication Service(DRS). This ensures that the data shared among appservers is encrypted.	No action required
	Improvements Possible	Encryption is disabled on Distributed Replication Service(DRS). The data shared among appservers is not encrypted.	Enable Encryption on DRS
Sample Applications (Medium Priority)	Improvements Possible	WebSphere Sample Applications are installed. WebSphere Application Server ships with examples to demonstrate various parts of WebSphere Application Server. These samples are not intended for use in a production environment. Some of these samples can provide an intruder with information about your system.	Uninstall Sample Application(s): Application names
	OK	WebSphere Sample Applications are not installed WebSphere Application Server ships with examples to demonstrate various parts of WebSphere Application Server. These samples are not intended for use in a production environment. Some of these samples can provide an intruder with information about your system.	No action required
Administrative User IDs (Medium Priority)	Improvements Possible	Global Security is not enabled, therefore no administrative ids are configured.	Create a serverID as part of Enabling Global Security. Then configure additional administrative user ids to protect this server ID and enable more effective audit logging
	OK	Multiple Administrative user IDs are configured. When WebSphere security is enabled, a single security ID is initially configured as the Security Server ID. Configuring multiple administrative user ids can protect this server ID and enable more effective audit logging	No action required
	Improvements Possible	Multiple Administrative user IDs are not configured. When WebSphere security is enabled, a single security ID is initially configured as the Security Server ID. Configuring multiple administrative user ids can protect this server ID and enable more effective audit logging	Configure Additional Administrative User IDs

Extended Security Configuration Items Table

Security Configuration Item Name	Possible values for Findings	Value of Possible Action
Administrative Roles	Global Security is not enabled, so no administrative roles are being used. WebSphere Application Server allows four administrative roles: Administrator, Operator, Monitor, Configurator. These roles make it possible to give individuals (and automated systems) access appropriate to their level of need.	Create an administrative role as part of Enabling Global Security, then create additional roles.
	Multiple Administrative Roles are configured. WebSphere Application Server allows four administrative roles: Administrator, Operator, Monitor, Configurator. These roles make it possible to give individuals (and automated systems) access appropriate to their level of need.	No action required
	Multiple Administrative Roles are not configured. WebSphere Application Server allows four administrative roles: Administrator, Operator, Monitor, Configurator. These roles make it possible to give individuals (and automated systems) access appropriate to their level of need.	Configure Additional Administrative Roles
WebContainer HTTPS Checker (Medium Priority)	Only HTTP transport is defined between the webserver and the appserver. Communication between the webserver and appserver is over HTTP which is unencrypted and in clear text	Evaluate if HTTP transport is required for your environment. If sensitive information is being transmitted between the web server and the appserver, it is recommended to use HTTPS (SSL) transports between the web server and appserver
	HTTPS transports are defined between the webserver and the application server. If you choose HTTPS transport, communication between the webserver and appserver is over HTTPS which is encrypted and secure	No action required
	No transports are defined between the webserver and the appserver	Set up HTTPS (SSL) transports between the webserver and appserver, in order to have the communication between webserver and appserver be encrypted
Java2 Security	Global Security is not enabled, therefore Java2 Security is not being used. Java 2 security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions of installed applications before allowing them access to certain protected system resources such as file I/O, sockets, and properties.	Enable Global Security, create an appropriate Java2 Security policy for each of the installed applications and enable Java2 Security If the applications being deployed are trusted, enabling Java 2 security might not be necessary
	Java2 Security is enabled. Java 2 security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions of installed applications before allowing them access to certain protected system resources such as file I/O, sockets, and properties.	No action required
	Java2 Security is disabled. Java 2 security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions of installed applications before allowing them access to certain protected system resources such as file I/O, sockets, and properties.	Create an appropriate Java2 Security Policy file for each of the installed applications and enable Java2 Security If the applications being deployed are trusted, enabling Java 2 security might not be necessary
	In application "appName", the permission "All Permissions" is granted to codeBase, "codeBase" This disables the access control mechanism provided by Java 2 Security for this application.	The permission "All Permissions" is granted to WebSphere Application Server system applications such as adminconsole.ear and filetransfer.ear. No action is necessary if application appName is provided with WebSphere Application Server. If application appName is not a WebSphere Application Server system application, investigate if "All Permissions" is required, or whether a more restrictive set of permissions should be granted.

Trademarks

The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
IBM
iSeries
OS/400
WebSphere
z/OS

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.