WebSphere Portal relies on setting certain cookies to enforce its security controls. As an administrator, you should carefully consider how to protect these cookies in your environment. Unauthorized parties could circumvent WebSphere Portal's security controls given access to:
LTPAToken2 (and LTPAToken, if Interoperability Mode is enabled): Lightweight Third-Party Authentication: WebSphere Application Server relies on this cookie for Single Sign-On. WebSphere Application Server considers a client to be authenticated if it presents a valid LTPAToken2.
JSESSIONID: from the Java Servlet specification: WebSphere Portal's session management uses this cookie.
1. To guard against network eavesdropping, enable SSL for all communications between the browser and the web server. Without an HTTPS pipe, you are relying on the security of the network (which could be a valid option in intranet or VPN environments). If you cannot guarantee network security, it is essential that these cookies be transmitted only within an HTTPS pipe.
2. Define these cookies' domains as narrowly as possible. If a cookie's domain is left unset, the browser should present it to only the server that set the cookie.
3. In conjunction with (1) and (2), consider setting the secure attribute on these cookies. For example, a browser accesses https://portal1.ibm.com/wps/myportal, authenticates, and LTPAToken2 is set with domain=ibm.com. When the browser later requests http://server2.ibm.com, it presents LTPAToken2 over HTTP because of the domain. Setting the secure attribute tells the browser to present the cookie only over HTTPS, regardless of domain.
4. Set HTTPOnly to guard against cross-site scripting (XSS). When HTTPOnly is set for a cookie, the browser should not allow scripts to access the cookie. Of these several recommendations, this is the most highly reliant upon browser implementation. HTTPOnly is a useful tool, but application developers should be vigilant in guarding against XSS regardless of HTTPOnly.
5. Consider your securtiy requirements when configuring LTPA token expiration and session timeouts. Expiration is actually encoded into an LTPA token's value. Simply restricting access to the server long enough for all issued LTPA tokens to expire would mitigate a known breach.
Note: If WebSphere Portal is integrated with an external security manager (ESM) in your environment, you might also need to consider the ESM's cookies. For example, given a valid ESM cookie, a trust association interceptor could instruct WebSphere Application Server to issue a new LTPAToken2.
For more information on these and other WebSphere Portal security topics, refer to:
Thoughts on Portal from Level 2 Support
From archive: May 2011 X
JMW98 2000000MY6 7,304 Views
Many folks are getting started looking at getting certified for WebSphere Portal v7.0. In this first part we will take a look at the test, its makeup, information on it and how to prepare.
First thing to know is that this test is more difficult than the previous versions of the tests. The questions are much more specific and will cover a wider array of topics given all the new v7 functionality.
Taking a look at the test there will be 60 questions, in which you have 75 minutes to answer them. You must get 67% right to pass the certification. Those questions will be compromised of the following areas.
There will also be 2 unscored questions.
From the chart above we can see that the test is broken up into 7 core areas with some areas getting more focus that others. For this test you will want to understand the themes and skins of Portal 7.0, the APIs for both portlet specs, as well as the additional portlet services and frameworks that are provided. This covers a very broad range of topics so plan to spend a significant amount of time on each of the major sections.
To start off with your main areas of study will be the following:
You can find more about the test here. There you can find links to additional test information as well as link to a sample test. It would be a good idea to go through the sample test at least once to get yourself prepared for the test.
In future installments we will delve into the specific sections with more study pointers on each section.