IBM BPM has supported HTTPS access to its web user interfaces for a long time; however, before cumulative fix 2017.03 this had not been enforced consistently. A user who was really determined to put data at risk could, for example, invoke the REST API over an unencrypted HTTP connection.
Of course, BPM on Cloud enforced HTTPS for all requests since day 1. This post is about on premise installations.
There is not much use of BPM without being authenticated, so most requests to BPM contain some form of credential, such as username/password or an LTPA token cookie, none of which should be sent over an unencrypted connection.
All of the IT industry is moving away from non-secure HTTP, browser vendors being the most obvious examples:
- w3c recommends new browser features to work in secure contexts only (and existing browser features to be replaced): Secure Contexts
section 1: [...] application code with access to sensitive or private data be delivered confidentially over authenticated channels that guarantee data integrity. [...]
section 7.3: [...] When writing a specification for new features, we recommend that authors and editors guard sensitive APIs with checks against secure contexts. [...]
- Mozilla deprecated the use of non-secure HTTP in 2015: Deprecating Non-Secure HTTP
- Mozilla actively executes on that policy by restricting new browser features to secure connections: Disable Geolocation on non-secure origins
- Chrome requires secure contexts for powerful features: Deprecating Powerful Features on Insecure Origins
- Windows apps for Windows 8.1 and later must use https in their application manifest: Windows 8.1 allows only https URIs, not http URIs
- For a long time, we have seen mixed content warnings or later blank screens if a page was loaded over secure HTTPS but included sub resources (like stylesheets or script) from non-secure origins.
As you can see, accessing a web site using non-secure HTTP will cause more and more functional issues, but browser vendors made even more progress:
- End users are increasingly made aware about the absence of security: Marking HTTP As Non-Secure
- In particular, if it relates to sensitive data
If you want your users to sign in, you had better avoid such (unnecessary!) warnings by serving HTTPS everywhere. This message has reached most web site owners, and the few who haven't understood yet are objects of ridicule on twitter: https://twitter.com/konklone/status/843933144789213186
So much about motivation.
What changes in BPM with cumulative fix 2017.03?
- When applying the cumulative fix 2017.03, many web.xml files are changed to include a transport-guarantee element declaring a CONFIDENTIAL requirement. This causes the web container in WebSphere Application Server underneath IBM BPM to redirect requests for non-secure URLs to their secure equivalent. For example, a request to http://bpm.customer.com:9080/teamworks/login.jsp is redirected to https://bpm.customer.com:9443/teamworks/login.jsp
There are very few exceptions to that redirection rule. For example, SOAP endpoints (product APIs and custom web services) will not redirect, because you might have WSDL files advertising an http:// URL and we haven't seen any SOAP client following such redirects.
Custom SCA modules in BPM Advanced are another example. They will not be modified in any way.
- Knowing that all web user interfaces are now accessed securely, we set the secure flag for LTPA and HTTP session cookies by default. This setting tells browsers (and all other clients) to only submit these cookies over secure connections.
- In case you upgraded from 18.104.22.168 (or earlier), your BPM environment might have the configuration setting useHTTPSURLPrefixes=false. While we have been setting this to true for all new environments since 22.214.171.124, we are now also setting it to true for upgraded environments. This setting causes BPM to calculate self-referential URLs with an https:// prefix.
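The first change above is a deployment-descriptor edit, so the quickest way to see what the cumulative fix (or the AdminTask's "list" mode) is working with is to read the transport-guarantee of every security-constraint out of a web.xml. The script below is an added example, not IBM code or an IBM BPM descriptor: it parses a small web.xml constructed for illustration and reports which url-patterns a web container would still serve over plain HTTP. A security-constraint without a user-data-constraint is reported as NONE, because the container then requires no transport protection for it.

```python
"""Audit transport-guarantee settings in a Java EE web.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor, not a real IBM BPM web.xml: one constraint at
# CONFIDENTIAL, one at NONE, and one with no user-data-constraint at all.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <display-name>Sample UI</display-name>
    <web-resource-collection>
      <web-resource-name>ui</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <url-pattern>/portal/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Sample SOAP</display-name>
    <web-resource-collection>
      <web-resource-name>soap</web-resource-name>
      <url-pattern>/webservices/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Sample legacy</display-name>
    <web-resource-collection>
      <web-resource-name>legacy</web-resource-name>
      <url-pattern>/legacy/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Drop the XML namespace so the audit works for any Java EE schema version."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    return [child for child in elem if _local(child.tag) == name]


def transport_guarantees(web_xml_text):
    """Return one (display-name, [url-patterns], guarantee) tuple per security-constraint.

    A missing user-data-constraint or transport-guarantee is reported as 'NONE'.
    """
    root = ET.fromstring(web_xml_text)
    report = []
    for constraint in _children(root, 'security-constraint'):
        names = _children(constraint, 'display-name')
        name = names[0].text.strip() if names and names[0].text else '(unnamed)'
        patterns = []
        for collection in _children(constraint, 'web-resource-collection'):
            patterns.extend(p.text.strip() for p in _children(collection, 'url-pattern'))
        guarantee = 'NONE'
        for udc in _children(constraint, 'user-data-constraint'):
            tg = _children(udc, 'transport-guarantee')
            if tg and tg[0].text:
                guarantee = tg[0].text.strip().upper()
        report.append((name, patterns, guarantee))
    return report


def plain_http_patterns(web_xml_text):
    """url-patterns the container would serve without redirecting to HTTPS.

    Only CONFIDENTIAL guarantees encryption; INTEGRAL promises integrity only,
    so anything other than CONFIDENTIAL is listed here.
    """
    return [pattern
            for _name, patterns, guarantee in transport_guarantees(web_xml_text)
            if guarantee != 'CONFIDENTIAL'
            for pattern in patterns]


if __name__ == '__main__':
    for name, patterns, guarantee in transport_guarantees(SAMPLE_WEB_XML):
        print('%-14s %-12s %s' % (name, guarantee, ', '.join(patterns)))
    print('still reachable over plain HTTP:', plain_http_patterns(SAMPLE_WEB_XML))
```

To audit a real module, read the descriptor from the expanded application directory and pass its text to `plain_http_patterns`; an empty list for every module is the state the cumulative fix leaves the browser-facing web modules in, while the SOAP exceptions described above will legitimately show up.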
Will this break anything?
As browsers follow redirects automatically, browser users will not see any impact.
If all programmatic clients connected securely in the past, there is no impact.
If there are any non-browser clients connecting to BPM using non-secure HTTP, it depends on the client.
Some HTTP client libraries (such as Apache HTTP client) follow redirects by default. These clients will be redirected from a non-secure URL to a secure URL and will then need to trust BPM's HTTPS certificate in order to establish this secure connection. Given that these clients were connecting over non-secure HTTP in the past, there is a good chance that the BPM HTTPS certificate is not yet in their truststore, so the connection would fail until the certificate is added.
Other HTTP client libraries do not follow redirects. For these clients the response code would change from e.g. 200 OK to 302 Found. The client logic would most likely fail until this client's configuration is updated to use the secure HTTPS URL instead (and of course, trusting the BPM HTTPS certificate is required, too).
One example of a non-browser client is an online Process Server connecting to Process Center for its periodic heartbeat. In case you entered an http:// URL as the Process Center URL, you will see the heartbeat failing and will need to update this configuration.
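Whether a programmatic client is affected comes down to what it receives on the wire: a 302 pointing at the https:// twin of the URL it asked for, and cookies carrying the Secure flag. The script below is an added example, not IBM code or an IBM client, that makes both observations explicit. It works on a captured status and header list, so the checks run offline against the constructed responses embedded here; `fetch_status_and_headers` does a single request with urllib's redirect following switched off so that the 302 itself becomes visible, and the host `bpm.example.com` is a placeholder.

```python
"""Classify what a non-browser client sees after HTTPS enforcement (added example)."""
import sys
import urllib.error
import urllib.request
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit


def https_equivalent(http_url, https_port=9443):
    """Secure URL the web container is expected to redirect to: same host, path and query."""
    parts = urlsplit(http_url)
    if parts.hostname is None:
        raise ValueError('no host in %r' % http_url)
    netloc = parts.hostname if https_port == 443 else '%s:%d' % (parts.hostname, https_port)
    return urlunsplit(('https', netloc, parts.path, parts.query, ''))


def classify_response(requested_url, status, headers, https_port=9443):
    """'secure' if the request was HTTPS already, 'redirected' if a 3xx points at the
    expected https URL, 'plain-http' if content was served unencrypted, else 'unexpected'."""
    lowered = {name.lower(): value for name, value in headers}
    if urlsplit(requested_url).scheme == 'https':
        return 'secure'
    if 300 <= status < 400:
        if lowered.get('location', '') == https_equivalent(requested_url, https_port):
            return 'redirected'
        return 'unexpected'
    if 200 <= status < 300:
        return 'plain-http'
    return 'unexpected'


def insecure_cookies(headers):
    """Names of cookies from Set-Cookie headers that lack the Secure attribute."""
    missing = []
    for name, value in headers:
        if name.lower() != 'set-cookie':
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if not morsel['secure']:
                missing.append(cookie_name)
    return missing


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None stops urllib from following the redirect, so the 302 surfaces as HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status_and_headers(url, timeout=10):
    """One request without following redirects; returns (status, [(header, value), ...])."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, list(resp.getheaders())
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items())


# Constructed responses for offline use; the cookie values are made up.
SAMPLE_REDIRECT = (302, [('Location', 'https://bpm.example.com:9443/teamworks/login.jsp'),
                         ('Content-Length', '0')])
SAMPLE_PLAIN = (200, [('Content-Type', 'text/html'),
                      ('Set-Cookie', 'JSESSIONID=0000sample; Path=/; HttpOnly')])
SAMPLE_SECURE = (200, [('Set-Cookie', 'LtpaToken2=sampletoken; Path=/; Secure; HttpOnly'),
                       ('Set-Cookie', 'JSESSIONID=0000sample; Path=/; Secure; HttpOnly')])

if __name__ == '__main__':
    http_url = 'http://bpm.example.com:9080/teamworks/login.jsp'
    https_url = https_equivalent(http_url)
    if len(sys.argv) > 1:
        # Live check against the URL given on the command line.
        http_url = sys.argv[1]
        status, headers = fetch_status_and_headers(http_url)
    else:
        status, headers = SAMPLE_REDIRECT
    print(http_url, '->', status, classify_response(http_url, status, headers))
    print(https_url, '-> cookies without Secure:', insecure_cookies(SAMPLE_SECURE[1]))
    print('before the fix, a plain response leaked:', insecure_cookies(SAMPLE_PLAIN[1]))
```

A client that does not follow redirects sees 'redirected' where it used to see 'plain-http'; a client that does follow them hits the certificate trust problem described above only after that step. Pointing the live mode at the http:// URL a client still has configured tells you which of the two cases you are in before changing the client.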
How can I revert this change?
You shouldn't! Fixing clients is really an easy thing to do.
However, this change is meant to improve security. If any customer were unable to install the cumulative fix to production because of this change, their BPM would be less secure. A new AdminTask has been introduced that allows modifying web.xml in a supported way:
For customers who temporarily need to reenable non-secure HTTP access because some programmatic clients have used non-secure connections in the past and cannot be updated immediately, this AdminTask.configureBPMTransportSecurity(...) allows reconfiguring these deployment descriptors to allow non-secure HTTP access.
The AdminTask accepts the following parameters:
- de: name of the deployment environment to configure
- apps: scope of the configuration. Possible values are
-- productREST: REST APIs provided by the BPM product,
-- productSOAP: SOAP APIs provided by the BPM product,
-- customSOAP: SOAP Web Services in custom applications,
-- 201612: all other changes relative to cumulative fix 2016.12
- transportSecurity: mode of the configuration. Possible values are
-- list: show current configuration
-- allowhttp: switch transport-guarantee to NONE in order to allow non-secure HTTP traffic
-- httpsonly: switch transport-guarantee to CONFIDENTIAL in order to enforce a redirect to HTTPS
The AdminTask reconfigures web deployment descriptors and then needs to redeploy and restart affected applications. This command must be run in disconnected mode, that is, using the -conntype NONE option of wsadmin. All servers, node agents and the deployment manager must be stopped while running the command.
a) Allow non-secure HTTP access for BPM REST APIs in deployment environment De1
print AdminTask.configureBPMTransportSecurity( [ '-de', 'De1', '-apps', 'productREST', '-transportSecurity', 'allowhttp'] )
b) Enforce HTTPS for SOAP clients calling BPM product APIs in deployment environment De1
print AdminTask.configureBPMTransportSecurity( [ '-de', 'De1', '-apps', 'productSOAP', '-transportSecurity', 'httpsonly'] )
c) Enforce HTTPS for SOAP clients calling custom Web Services in deployment environment De1
print AdminTask.configureBPMTransportSecurity( [ '-de', 'De1', '-apps', 'customSOAP', '-transportSecurity', 'httpsonly'] )
d) View current configuration for all other (modified) web modules that are not covered by productREST, productSOAP, or customSOAP
print AdminTask.configureBPMTransportSecurity( [ '-de', 'De1', '-apps', '201612', '-transportSecurity', 'list'] )
When switching back to non-secure HTTP access for browser user interfaces, you also need to ensure that cookies can be sent over non-secure connections and that BPM calculates http:// URLs.
If there is a single deployment environment in your WebSphere cell, you can use the following script to perform this configuration:
# calculate non secure URLs
for server in AdminUtilities.convertToList(AdminConfig.list("BPMCommonServer")):
    AdminConfig.modify(server, [ [ "useHTTPSURLPrefixes", "false" ] ] )
# allow LTPA cookie to be transmitted for non secure connections
# allow JSESSIONID cookie to be transmitted for non secure connections
# save changes
AdminConfig.save()