Application hardening

To maintain a proper operational state of FTM SWIFT, apply the following guidelines:
  • Do not allow default passwords.
  • Disable or remove unnecessary user accounts.
  • Disable or remove unnecessary services in FTM SWIFT and the used middleware.
  • Adjust any default configurations known to be vulnerable.
  • Set auto-lock options where technically possible. For example, enforce a new operator login after a recommended inactivity timeout of 15 minutes.
  • Enable message broker administration security to limit access to the broker.
  • Secure the application serving environment of your WebSphere® Application Server as described in IBM® WebSphere Application Server Knowledge Center. In particular:
    • Make sure to use TLSv1.2 or higher and disable older protocol versions.
    • Use only strong cipher suites.
    • Ensure that the jdk.tls.disabledAlgorithms property in the java.security file of the Java runtime used by WebSphere Application Server contains at least the following entries:
      • SSLv3
      • TLSv1
      • TLSv1.1
      • DH keySize <768
      • MD5withRSA
      For example, the property within the java.security file should look like the following:
      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize <768, MD5withRSA
      For information on the java.security file, see https://www.ibm.com/support/pages/websphere-application-server-javasecurity-file.

This applies to FTM SWIFT with its required middleware and the SAG.
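The jdk.tls.disabledAlgorithms requirement above is easy to verify mechanically, and doing so catches the common case where an administrator edits the value but a later fix pack or a line-continuation mistake drops an entry. The following script is an added example, not code from IBM or from the FTM SWIFT documentation. It parses a java.security file (plain Java properties syntax: '#'/'!' comments, key=value, trailing backslash continuation), extracts jdk.tls.disabledAlgorithms, and reports which of the five required entries are missing. It goes slightly beyond the page's list: a keySize constraint such as "DH keySize <768" is treated as satisfied when the file sets an equal or stricter threshold (for example "DH keySize < 1024"), because a stricter limit still disables everything the guideline requires. The two embedded java.security fragments are constructed samples, not shipped defaults.

```python
"""Check that a java.security file disables the algorithms the FTM SWIFT hardening list requires.

Added example (not IBM or FTM SWIFT code). Assumes plain Java properties syntax.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Entries the hardening guidance requires in jdk.tls.disabledAlgorithms.
REQUIRED = ["SSLv3", "TLSv1", "TLSv1.1", "DH keySize <768", "MD5withRSA"]

# Matches "<algorithm> keySize < <bits>" with any spacing around "<".
KEYSIZE_RE = re.compile(r"^(\S+)\s+keySize\s*<\s*(\d+)$", re.IGNORECASE)

# Constructed sample: a not-yet-hardened file (old DH threshold, TLSv1/TLSv1.1 still enabled).
WEAK_SAMPLE = """# constructed sample java.security fragment, before hardening
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 512
"""

# Constructed sample: a hardened file with a stricter DH threshold than the minimum.
HARDENED_SAMPLE = """# constructed sample java.security fragment, after hardening
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, RSA keySize < 1024
"""


def parse_java_security(text: str) -> Dict[str, str]:
    """Minimal Java properties parser: comments, key=value / key:value, backslash continuation."""
    props: Dict[str, str] = {}
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            buf += line  # continuation line: Java strips its leading whitespace too
        else:
            if not line or line[0] in "#!":
                continue
            buf = line
        if buf.endswith("\\"):
            buf = buf[:-1]  # drop the continuation marker, keep collecting
            continue
        logical.append(buf)
        buf = ""
    if buf:
        logical.append(buf)
    for entry in logical:
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", entry)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_entries(value: str) -> List[str]:
    """Split the comma-separated property value and normalise internal whitespace."""
    return [re.sub(r"\s+", " ", e.strip()) for e in value.split(",") if e.strip()]


def _keysize(entry: str) -> Optional[Tuple[str, int]]:
    m = KEYSIZE_RE.match(entry)
    return (m.group(1).lower(), int(m.group(2))) if m else None


def missing_entries(disabled: List[str], required: List[str] = REQUIRED) -> List[str]:
    """Return the required entries not covered by the file's disabled list.

    Plain names match case-insensitively; a keySize entry is covered when the file's
    threshold for that algorithm is at least the required one (stricter is fine).
    """
    plain = {e.lower() for e in disabled}
    thresholds: Dict[str, int] = {}
    for e in disabled:
        ks = _keysize(e)
        if ks:
            thresholds[ks[0]] = max(thresholds.get(ks[0], 0), ks[1])
    missing = []
    for req in required:
        ks = _keysize(req)
        if ks:
            if thresholds.get(ks[0], 0) < ks[1]:
                missing.append(req)
        elif req.lower() not in plain:
            missing.append(req)
    return missing


def check_file_text(text: str) -> Tuple[List[str], List[str]]:
    """Return (entries found in jdk.tls.disabledAlgorithms, required entries that are missing)."""
    props = parse_java_security(text)
    disabled = split_entries(props.get("jdk.tls.disabledAlgorithms", ""))
    return disabled, missing_entries(disabled)


if __name__ == "__main__":
    # Usage: python check_disabled_algorithms.py /path/to/java.security
    # With no argument the two constructed samples are checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"weak sample": WEAK_SAMPLE, "hardened sample": HARDENED_SAMPLE}
    for name, text in samples.items():
        found, missing = check_file_text(text)
        status = "OK" if not missing else "MISSING: " + ", ".join(missing)
        print(f"{name}: {status}  (found: {', '.join(found) or 'none'})")
```

Run it against the java.security of the JDK that WebSphere Application Server actually uses (the one under the profile's configured JAVA_HOME, not merely the system JDK), and re-run after every fix pack, since the file is replaced when the runtime is updated.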