'Hardening' a Maximo/TPAE Based Implementation
ColleenMcCretton 270002FD5R Visits (4275)
As companies are becoming more security-aware they are conducting security audits of their key applications and looking for ways to ‘harden’ their implementations. Maximo and other TPAE based products are scanned using IBM's Rational AppScan tools to identify and remediate known security vulnerabilities. There are many suggested configurations to make an implementation more secure.
Deploy your system over SSL. Most security auditing tools will alert if information, especially user session information, is sent over a network and not encrypted. Deploying the application on the app server in an SSL environment will ensure that the information is encrypted.
Use the Application Server to authenticate users. The application server can be used to authenticate users against an LDAP directory or using a Single Sign-On system. When this is enabled ‘form’ authentication not ‘basic’ authentication should be set up for the most secure configuration. This configuration ensures that best practices for password management enabled on the directory are enforced (like expiration rules, character and length requirements and prohibited passwords such as the term password). It also enhances the session management capabilities as with internal authentication enabled an un-authenticated user still needs to access the system to authenticate so many security auditing tools will alert on the sessions used to authenticate. Using application server authentication ensures that every session that interacts with the server is already authenticated.
Use Strong Passwords. Usually, when interacting with an LDAP directory, appropriate password requirements are already in place but sometimes if the evaluation is part of a larger security initiative these rules may not yet be in place. General best-practices for passwords are that passwords:
Limit login attempts. General best practice is to lock a user account after between 3 and 5 failed login attempts. With application server security enabled this setting may have to be set both in the LDAP directory and the Security Controls dialog in the Users application
Enable special properties. The application provides a filter mechanism that strips out characters that can be used in cross-site scripting and a property that will filter out certain things that can be used in SQL injection. Ensure that the cross-site scripting filter is enabled per the instructions in this tech note and that the value of the property mxe.db.sqlinjection is set to 1.
Limit use of the Where Clause in advanced searches. When you allow your users to execute SQL statements to be used for searching there is some risk. Throughout the system, prepared statements are used with the exception of the SQL capability in the advanced search. The mxe.db.sqlinjection property limits what can be executed but many security audit tools will alert on this SQL capability. As a best practice this function should only be offered to trusted users with a real business need. The option description for this function is always ‘Search Where Clause’ and the option name is ‘SEARCHWHER’.
Review results with care. Most scanners have built in parameters that test certain url strings with generic parameters for known vulnerabilities in common technologies such as web servers or scripting languages. When Maximo receives a URL pattern it doesn't recognize it accepts it, but redirects the user session to the start center (in the case of a logged in user) or to the login page (in the case of a non-logged in user). Code is not executed so alerts related to non-used technologies are false positives in most cases.