This 2017.03 cumulative fix comes with many substantial security improvements:
- HTTPS enforcement for (almost) all web modules
- Security hardening configuration on by default
- Configuration options for group membership synchronization at login - with significant performance improvements by default
- A new JS API for deleting internal groups
- Support for ECCiphers configuration help
- A Trust Association Interceptor that avoids the basic authentication browser dialog in web Process Designer (WebPD) upon LTPA timeout
- and, of course, vulnerability fixes.
HTTPS enforcement is (at least for me and our various internal test frameworks) a topic big enough to deserve its own dedicated blog post, which also covers the new defaults for the existing security hardening settings: Enforcing HTTPS
Configuration options for group membership synchronization at login
In IBM BPM, work is typically assigned to groups of various types. When querying the task list for an individual user or performing any action on a task, up-to-date group membership information is important. To use this information efficiently in database queries, it is replicated to BPM's database, which allows table joins rather than long OR-combined WHERE clauses.
To ensure up-to-date group membership information, replication was triggered upon "login". Unfortunately, there is no real login event in BPM. Instead, individual sessions are established with the many web applications that comprise the product. This led to repeated replications for the same user during a single interaction: when accessing Process Portal, the REST API, and a heritage human service, replication might have been triggered 3 times. If the user logged off and back in, we would repeat these 3 replications.
A new cache is introduced that is shared across the multiple applications in a specific BPM server and that holds information about when a given user's group membership was last replicated. Cache expiration is configurable using the user-group-membership-sync-cache-expiration setting in 100Custom.xml. The default expiration is one minute, which is good enough to avoid duplicate replication when accessing Process Portal and querying the task list. If you know your LDAP group memberships change at most daily or you define e.g. an hour of lag time to be acceptable, you can dramatically increase this timeout and thus further reduce replications.
This new cache is a perfect complement to the group membership sync scripts. Replicating at night combined with a one-day cache expiration reduces LDAP load during working hours and improves performance for end users.
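To make the effect of the expiration window concrete, here is an added illustration of the per-server cache idea (my own sketch, not IBM BPM's implementation): the replication step is injected, and a constructed scenario replays the three application "logins" of one interaction plus a re-login 30 minutes later.

```javascript
// Added illustration, not IBM BPM's code: a per-server cache that remembers
// when each user's group membership was last replicated, so that the many
// web applications in one server share a single replication per window.
class MembershipSyncCache {
  // expirationMs models user-group-membership-sync-cache-expiration;
  // replicate is the expensive LDAP -> database replication, injected here.
  constructor(expirationMs, replicate) {
    this.expirationMs = expirationMs;
    this.replicate = replicate;
    this.lastSync = new Map(); // user -> timestamp of last replication
  }

  // Called on every per-application "login". Returns true if a replication
  // actually ran, false if the cached entry was still fresh.
  onLogin(user, now) {
    const last = this.lastSync.get(user);
    if (last !== undefined && now - last < this.expirationMs) {
      return false; // still fresh: no LDAP query, no database write
    }
    this.replicate(user);
    this.lastSync.set(user, now);
    return true;
  }
}

// Constructed scenario: one interaction touches Process Portal, the REST API
// and a heritage human service within a few seconds; the user logs off and
// back in 30 minutes later and does the same again. Returns the number of
// replications that ran for the given expiration window.
function countReplications(expirationMs) {
  let replications = 0;
  const cache = new MembershipSyncCache(expirationMs, () => { replications++; });
  const sec = 1000;
  const visits = [0, 2 * sec, 5 * sec,                 // first interaction
                  1800 * sec, 1802 * sec, 1805 * sec]; // after re-login
  for (const t of visits) cache.onLogin('alice', t);
  return replications;
}
```

With no cache (expiration 0) the scenario replicates 6 times, with the default one-minute window twice, and with a one-hour window once.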
JavaScript API for deleting internal groups
Two new JavaScript API functions are introduced: tw.system.org.removeRole(String roleName, Boolean checkAuthorization) and TWRole.remove(Boolean checkAuthorization), which you can use to delete IBM BPM security group definitions. By using the checkAuthorization parameter, you can ensure that only members of the IBM BPM administrative group can delete IBM BPM security groups successfully. If this parameter is not set, no dedicated authorization check is performed and the process or service logic must ensure that only authorized callers trigger the deletion.
Note: You can't delete a group that still has tasks assigned or that is configured as bpmAdminGroup in the BPMServerSecurityGroups configuration.
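As an added example (my own, not product code), the following models the checks a service must perform itself when it calls the new API with checkAuthorization set to false; with checkAuthorization set to true, BPM performs the administrative-group check for you, while the two data constraints from the note apply either way. The org model is constructed in memory, and the administrative group name tw_admins is an assumption.

```javascript
// Added example, not IBM BPM's own code. In a real service the data comes
// from tw.system.org and the final step is tw.system.org.removeRole(name, true);
// here an in-memory org model stands in so the decision logic can be run.
const ADMIN_GROUP = 'tw_admins'; // assumed name of the configured bpmAdminGroup

function makeOrg() {
  return {
    adminGroup: ADMIN_GROUP,
    roles: {
      tw_admins:     { members: ['admin1'], assignedTasks: 0 },
      'Claims Team': { members: ['alice', 'bob'], assignedTasks: 3 },
      'Old Project': { members: ['carol'], assignedTasks: 0 },
    },
  };
}

// Returns { ok: true } after deletion, or { ok: false, reason } when refused.
// The first check is what checkAuthorization = true gives you for free; the
// remaining ones mirror the note above and are enforced by the server anyway.
function removeRoleChecked(org, roleName, caller) {
  const admins = org.roles[org.adminGroup];
  if (!admins || !admins.members.includes(caller)) {
    return { ok: false, reason: 'caller is not a member of the administrative group' };
  }
  const role = org.roles[roleName];
  if (!role) return { ok: false, reason: 'no such group' };
  if (roleName === org.adminGroup) {
    return { ok: false, reason: 'group is configured as bpmAdminGroup' };
  }
  if (role.assignedTasks > 0) {
    return { ok: false, reason: `group still has ${role.assignedTasks} task(s) assigned` };
  }
  delete org.roles[roleName]; // a BPM service would call tw.system.org.removeRole(roleName, true) here
  return { ok: true };
}
```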
Support for ECCiphers configuration help
The background is elliptic curve cryptography in the context of HTTPS connections, which is explained in SSL / TLS challenges when consuming remote services. In short, a set of strong elliptic curve cipher suites is disabled by default in WebSphere 8.5.5 because of interoperability problems with early implementations from the time when elliptic curve cryptography was "new".
With BPM 8.5.7.201703 we enable ECCiphers by default for new installations. When upgrading existing installations, we add the required configuration property "com.ibm.websphere.ssl.include.ECCiphers" with a value of false to the WebSphere global security custom properties. This gives you an easy way to enable them later: the property is already there, so you only flip the value and cannot mistype the name.
Trust Association Interceptor (TAI) for web based Process Designer
Trust Association Interceptors (TAIs) allow customizing authentication in WebSphere Application Server, the base AppServer underneath IBM BPM. As described in Avoiding the Basic Auth prompt, IBM BPM has challenges serving browser based clients and other programmatic clients (sometimes referred to as headless BPM) at the same time. While basic authentication is a simple and well established authentication scheme for programmatic access, it is a no-go for browser clients. What's particularly annoying for browser users is the basic auth pop-up dialog (instead of a login page). This is not only disturbing from a user experience perspective, it also causes confusion because the browser caches these credentials until it is closed.
The new TAI allows web based Process Designer to include an indicator in the request that tells the server side "in case my authentication expired, I don't want to pop up the basic auth dialog, so please respond with 401 but skip the WWW-Authenticate header". The client side code then needs to be smart enough to handle the 401 (storing the browser-side state and reloading the main page to cause a "full screen" authentication).
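The exchange described above, written up as an added example with both sides reduced to pure functions (my own sketch, not the product's TAI or client code). The indicator header name and the realm string are assumptions, since the page does not name the real ones.

```javascript
// Added example, not IBM BPM's code: the request/response contract between
// web Process Designer and the TAI once the LTPA session has expired.
const NO_PROMPT_HEADER = 'x-bpm-no-basic-auth-prompt'; // assumed header name

// Server side: what the interceptor returns for an expired session.
// Header names are compared case-insensitively, as HTTP requires.
function challengeForExpiredSession(requestHeaders) {
  const wantsNoPrompt = Object.entries(requestHeaders)
    .some(([k, v]) => k.toLowerCase() === NO_PROMPT_HEADER && String(v) === 'true');
  const headers = {};
  if (!wantsNoPrompt) {
    // Programmatic (headless) clients keep the classic Basic challenge...
    headers['WWW-Authenticate'] = 'Basic realm="IBM BPM"'; // constructed realm
  }
  // ...while a browser client that sent the indicator gets a bare 401,
  // which the browser does not turn into a credential dialog.
  return { status: 401, headers };
}

// Client side: how web Process Designer should react to a response.
// Returns 'proceed', 'save-state-and-reload' or 'browser-dialog'.
function clientAction(response) {
  if (response.status !== 401) return 'proceed';
  const challenged = Object.keys(response.headers)
    .some((k) => k.toLowerCase() === 'www-authenticate');
  // No challenge header: persist the editor state and reload the main page
  // so the user gets the regular full-screen login instead of a popup.
  return challenged ? 'browser-dialog' : 'save-state-and-reload';
}

// Full exchange for a browser client that sends the indicator.
function browserExchange() {
  return clientAction(challengeForExpiredSession({ [NO_PROMPT_HEADER]: 'true' }));
}

// A REST client that omits the indicator still receives the Basic challenge.
function headlessExchange() {
  return clientAction(challengeForExpiredSession({ accept: 'application/json' }));
}
```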
Vulnerability fixes
- Security Bulletin: Malicious File Download vulnerability in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) - CVE-2016-9693
- Security Bulletin: Persistent cross-site scripting vulnerability in IBM Business Process Manager (CVE-2017-1140)
- Security Bulletin: Cross Site Scripting vulnerability in IBM Business Process Manager (BPM) (CVE-2016-6109)
Note that the installation instructions also point you to WebSphere security ifixes, which are released on top of WAS 8.5.5.11. Use your maintenance window to get current with WAS, too:
- Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2016-8919)
- Security Bulletin: A security vulnerability in WebSphere Application Server might affect IBM Business Process Manager (BPM), WebSphere Process Server (WPS) and WebSphere Lombardi Edition (WLE) (CVE-2016-0360)
- Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2017-1121)
- Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2016-8934)
- Security Bulletin: A security vulnerability in WebSphere Application Server might affect IBM Business Process Manager (CVE-2017-1151)
- Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager (BPM), WebSphere Process Server (WPS) and WebSphere Lombardi Edition (WLE) (Java CPU January 2017)