Operations and Administration Console and middleware security configuration information

Application security

In a production environment, set the following environment entries for the Operations and Administration Console (OAC) to guard against information leakage:
  • Set enablePerUserDebug to false.
  • Set enableExceptionView to false.
  • Set expireSessionOnLeave to yes.
  • Set genTableSql to false.
  • Set allAlertsInterval to -1.

For more information, see Environment entries and resources.
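As an added check that is not part of the product documentation, the following Python script reads the environment entries from a web.xml deployment descriptor and flags any that are missing or differ from the production values listed above. It assumes the OAC entries are declared as standard Java EE env-entry elements; the sample descriptor embedded in the script is constructed for the example and is not the OAC's own file.

```python
import xml.etree.ElementTree as ET

# Recommended production values from the list above. The page writes "yes"
# for expireSessionOnLeave, so values are compared as case-insensitive
# strings rather than assuming every entry is a Java Boolean.
RECOMMENDED = {
    "enablePerUserDebug": "false",
    "enableExceptionView": "false",
    "expireSessionOnLeave": "yes",
    "genTableSql": "false",
    "allAlertsInterval": "-1",
}

# Constructed sample descriptor (not the real OAC web.xml). The env-entry
# layout is the standard Java EE one; that the OAC declares its entries this
# way is an assumption of this example. allAlertsInterval is deliberately
# absent and two values are deliberately wrong.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <env-entry>
    <env-entry-name>enablePerUserDebug</env-entry-name>
    <env-entry-type>java.lang.Boolean</env-entry-type>
    <env-entry-value>true</env-entry-value>
  </env-entry>
  <env-entry>
    <env-entry-name>enableExceptionView</env-entry-name>
    <env-entry-type>java.lang.Boolean</env-entry-type>
    <env-entry-value>false</env-entry-value>
  </env-entry>
  <env-entry>
    <env-entry-name>expireSessionOnLeave</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>no</env-entry-value>
  </env-entry>
  <env-entry>
    <env-entry-name>genTableSql</env-entry-name>
    <env-entry-type>java.lang.Boolean</env-entry-type>
    <env-entry-value>false</env-entry-value>
  </env-entry>
</web-app>
"""


def load_env_entries(xml_text):
    """Return {name: value} for every env-entry, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)
    entries = {}
    for element in root.iter():
        if element.tag.split("}")[-1] != "env-entry":
            continue
        name = value = None
        for child in element:
            local = child.tag.split("}")[-1]
            if local == "env-entry-name":
                name = (child.text or "").strip()
            elif local == "env-entry-value":
                value = (child.text or "").strip()
        if name:
            entries[name] = value
    return entries


def audit_env_entries(entries, recommended=RECOMMENDED):
    """Return sorted (name, found, expected) tuples for every recommended
    entry that is missing (found is None) or set to a different value."""
    findings = []
    for name, expected in recommended.items():
        found = entries.get(name)
        if found is None or found.lower() != expected.lower():
            findings.append((name, found, expected))
    return sorted(findings)


if __name__ == "__main__":
    for name, found, expected in audit_env_entries(load_env_entries(SAMPLE_WEB_XML)):
        print(f"{name}: found {found!r}, expected {expected!r}")
```

Values entered in the administrative console under the web module's environment entries override the descriptor, so for a deployed instance audit the console values (or the exported configuration) rather than the EAR alone.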

WebSphere Application Server security

Consider the following security items when you are reviewing the Securing applications and their environment section in the IBM WebSphere Application Server documentation.

Java™ 2 security
Use this option to specify whether to enable or disable Java 2 security permission checking, which involves checking application access to local resources.
The OAC application EAR file comes with a customized was.policy file that defines the permission requirements of the application. This policy file is specifically for a Db2® environment. The following steps show you how to enable the Java 2 security option in WebSphere® Application Server for the OAC application with a Db2 database.
  1. In the WebSphere Application Server Administration Console, enable the Java 2 security in the Security > Global Security section.
  2. It is also recommended that the following global security options are selected:
    • Warn if applications are granted custom permissions
    • Restrict access to resource authentication data
If Oracle is used, a different was.policy file needs to be used. The following steps show you how to enable the Java 2 security option in WebSphere Application Server for the OAC application with an Oracle database.
  1. Replace the was.policy file in the delivered FTM.ear file by using the following steps:
    1. Rename the was.Oracle.policy file to was.policy. The was.Oracle.policy file can be found at <installation directory>\ftm\v3213\multiplatform\FXH_Console.zip\FXH\management console\was.Oracle.policy.
    2. Import the FTM.ear file into the IBM® Assembly and Deploy Tools for WebSphere Administration.
    3. Import the was.policy file into the META-INF directory, replacing the existing file.
    4. Export the updated FTM.ear file.
    5. Deploy this new EAR file as normal by using the WebSphere Application Server Administration Console.
  2. In the WebSphere Application Server Administration Console, enable the Java 2 security in the Security > Global Security section.
  3. It is also recommended that the following global security options are selected:
    • Warn if applications are granted custom permissions
    • Restrict access to resource authentication data
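The Assembly and Deploy Tools steps above replace a single file inside the EAR. The same replacement from the command line, as an added example that is not part of the FTM deliverables: the script below rewrites the archive with Python's zipfile module instead of appending to it, because a zip archive may contain two entries with the same name and an appended was.policy would leave the Db2 one in place, with no guarantee which copy the server reads. The EAR layout and both policy texts are constructed stand-ins; the contents of the real FTM.ear and was.Oracle.policy are not reproduced here.

```python
import io
import zipfile

POLICY_ENTRY = "META-INF/was.policy"

# Constructed, illustrative policies; not the files shipped with FTM.
DB2_POLICY = """// constructed example, not the shipped was.policy
grant codeBase "file:${application}" {
  permission java.net.SocketPermission "db2host:50000", "connect,resolve";
};
"""
ORACLE_POLICY = """// constructed example, not the shipped was.Oracle.policy
grant codeBase "file:${application}" {
  permission java.net.SocketPermission "orahost:1521", "connect,resolve";
};
"""


def replace_ear_entry(ear_bytes, entry_name, new_content):
    """Return a new archive in which entry_name holds new_content.

    zipfile cannot overwrite an entry in place, so every other entry is
    copied across unchanged and the target entry is written exactly once;
    if it did not exist it is added.
    """
    out = io.BytesIO()
    replaced = False
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == entry_name:
                dst.writestr(entry_name, new_content)
                replaced = True
            else:
                dst.writestr(info, src.read(info.filename))
        if not replaced:
            dst.writestr(entry_name, new_content)
    return out.getvalue()


def policy_entries(ear_bytes):
    """Names of all entries called META-INF/was.policy; must be exactly one."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as z:
        return [i.filename for i in z.infolist() if i.filename == POLICY_ENTRY]


def read_entry(ear_bytes, entry_name):
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as z:
        return z.read(entry_name)


def build_sample_ear():
    """Constructed stand-in for FTM.ear: manifest, Db2 policy, placeholder WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(POLICY_ENTRY, DB2_POLICY)
        z.writestr("oac.war", b"placeholder")
    return buf.getvalue()


def swap_policy_file(ear_path, policy_path, out_path):
    """File-based wrapper for real use: FTM.ear + was.Oracle.policy -> new EAR."""
    with open(ear_path, "rb") as f, open(policy_path, "rb") as p:
        updated = replace_ear_entry(f.read(), POLICY_ENTRY, p.read())
    if policy_entries(updated) != [POLICY_ENTRY]:
        raise RuntimeError("expected exactly one META-INF/was.policy")
    with open(out_path, "wb") as f:
        f.write(updated)


if __name__ == "__main__":
    updated = replace_ear_entry(build_sample_ear(), POLICY_ENTRY, ORACLE_POLICY)
    print(policy_entries(updated), read_entry(updated, POLICY_ENTRY).decode())
```

After producing the new EAR, list it (for example with jar tf) and confirm that META-INF/was.policy appears once and the other entries are unchanged before deploying it through the administrative console.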
Restrict cookies to HTTP only
The FTM OAC creates encrypted cookies for authentication and session management. Marking these cookies HttpOnly is recommended: the browser then withholds them from client-side script, so a cross-site scripting flaw cannot read a protected cookie and exfiltrate its content. HttpOnly does not stop script that runs in the page from sending requests that carry the cookie, so it complements, rather than replaces, Content-Security-Policy and output encoding.
HttpOnly can be enabled for a single application through its session management settings, or for every application on a server through the com.ibm.ws.webcontainer.HTTPOnlyCookies web container custom property. For a single application:
  1. In the administrative console, click Applications > Application Types > WebSphere enterprise applications > application_name > Session Management > Enable cookies.
  2. Select the Set session cookies to HTTPOnly to prevent cross-site scripting attacks checkbox.
  3. Click OK.
  4. On the console taskbar, click Save to save your configuration changes.
For all applications on a server, add the com.ibm.ws.webcontainer.HTTPOnlyCookies custom property to the web container settings of the application server, with a value of * for all cookies or a comma-separated list of cookie names.
Secure the JSESSIONID cookie
  1. In the administrative console click Applications > Application Types > WebSphere enterprise applications > application_name > Session Management > Enable cookies.
  2. Select the Restrict cookies to HTTPS sessions checkbox.
  3. Click OK.
  4. On the console taskbar, click Save to save your configuration changes.
Secure the LTPA cookie
If you are using single sign-on (SSO), the LTPA token can be secured as follows:
  1. In the administrative console, click Security > Global Security > Web and SIP security > Single sign-on (SSO).
  2. Select the Requires SSL checkbox.
  3. Click OK.
  4. On the console taskbar, click Save to save your configuration changes.
  5. Restart the WebSphere Application Server.
Password Protection
Use one of the supported user account repositories to ensure that at least the following rules are enforced:
  • A strong password policy that ensures password length, complexity, reuse, and aging.
  • The accounts are locked out after a defined number of incorrect password attempts.
Slowloris HTTP Denial of Service (DoS) Attack
A Slowloris attack opens many connections to the targeted web server and keeps each one alive for as long as possible by sending the request headers a few bytes at a time and never completing them. Eventually the server's connection capacity is exhausted, which denies access to legitimate users.

Use the RequestReadTimeout directive of the IBM HTTP Server mod_reqtimeout module to mitigate this attack. The directive sets a time limit and a minimum data rate for receiving the request headers and the request body, so a connection that never finishes its request is closed instead of holding a slot open. Tune the parameters for your specific environment: limits that are too tight reject legitimate users on slow links, and because a trickle of data that stays above the minimum rate extends the timeout, the upper bound on the header time is the part that actually stops Slowloris.
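In IBM HTTP Server the directive is placed in httpd.conf, for example RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 (the Apache httpd 2.4 default: 20 seconds for the headers, extended by one second per 500 bytes received, but never beyond 40 seconds). The added Python example below is not part of the product and does not use IBM HTTP Server; it reproduces the header time limit in a toy single-connection server so that the effect on a Slowloris-style client can be observed offline. The client sends an incomplete header block, holds the connection for a while, then completes the request: a server with a short header deadline has already answered 408 and closed the connection, while one with a generous deadline still serves it. The 408 status, the loopback address, and all timings are choices made for the demonstration.

```python
import socket
import threading
import time

HEADER_END = b"\r\n\r\n"


def serve_one_request(listener, header_deadline_s):
    """Accept one connection and insist on a complete header block within
    header_deadline_s seconds, mimicking RequestReadTimeout header=N.
    On expiry the server answers 408 and closes, freeing the slot."""
    conn, _ = listener.accept()
    buf = b""
    deadline = time.monotonic() + header_deadline_s
    try:
        while HEADER_END not in buf:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise socket.timeout
            conn.settimeout(remaining)   # never wait past the deadline
            chunk = conn.recv(4096)
            if not chunk:                # client went away on its own
                return
            buf += chunk
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    except socket.timeout:
        conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
    except OSError:
        pass
    finally:
        conn.close()


def slow_client(port, hold_s):
    """Slowloris pattern: send part of the headers, hold the connection open
    for hold_s seconds, then finish the request. Returns 'served' if the
    server still answered 200, otherwise 'dropped'."""
    s = socket.create_connection(("127.0.0.1", port))
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n")   # no blank line yet
        time.sleep(hold_s)
        s.sendall(b"\r\n")                                   # complete it late
        s.settimeout(5)
        data = s.recv(4096)
    except OSError:                     # reset or broken pipe: server gave up
        data = b""
    finally:
        s.close()
    return "served" if data.startswith(b"HTTP/1.1 200") else "dropped"


def run_demo(header_deadline_s, hold_s):
    """Start the toy server with the given header deadline on an ephemeral
    loopback port and run one slow client against it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_one_request,
                         args=(listener, header_deadline_s), daemon=True)
    t.start()
    try:
        return slow_client(port, hold_s)
    finally:
        t.join(timeout=10)
        listener.close()


if __name__ == "__main__":
    print("deadline 0.5s, client stalls 1.5s:", run_demo(0.5, 1.5))
    print("deadline 5s,   client stalls 0.2s:", run_demo(5.0, 0.2))
```

The toy server enforces only the upper time limit; the MinRate extension and the separate body timeout are not modelled, which is why the production directive needs both limits tuned against observed legitimate client behaviour.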

Restrict login form to accept POST method requests only
By default, the login authentication form that uses the j_security_check action can be called by using both the POST and GET HTTP methods. You can use the com.ibm.ws.webcontainer.enablePostOnlyJSecurityCheck custom property to restrict calls to j_security_check to the POST method only. For more information, see https://www.ibm.com/support/pages/apar/PI60797.

HTTP headers

HTTP response headers are delivered in responses that are sent from the server to the client browser. They can be used to enable browser restrictions to mitigate against security vulnerabilities. The following list has some of the headers that need to be considered.
Strict-Transport-Security
The HTTP Strict Transport Security (HSTS) header can be used to restrict the client and server connections to using HTTPS only. For more information, see Setting up HTTP Strict Transport Security (HSTS) in the WebSphere Application Server documentation.
X-Content-Type-Options
Set this header to nosniff so that the browser honours the MIME type declared in the Content-Type header instead of guessing one from the content, which stops a response intended as data from being interpreted as script or HTML.
X-XSS-Protection
This header enables the cross-site scripting (XSS) filter in older browsers. Current browsers no longer implement that filter, so treat the header as protection for legacy clients only and rely on Content-Security-Policy for the rest.
Content-Security-Policy
This header restricts where the browser may load scripts, styles, frames, and other resources from, and whether inline script is allowed to run. Configured tightly, it blocks a wide range of injection attacks, XSS included.
X-Powered-By
To avoid revealing the server technology to clients, suppress this header by setting the following web container custom property to true in the WebSphere Application Server web container settings:
com.ibm.ws.webcontainer.disablexPoweredBy
For more information, see the WebSphere Application Server documentation.
SameSite attribute for cookies
For more information about how to configure this attribute in WebSphere Application Server, see https://www.ibm.com/support/pages/apar/PH22157.
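The cookie settings (HttpOnly, Secure, SameSite) and the response headers in this section are all visible in a single HTTP response, so they can be checked together. The following Python audit is an added example, not part of the product: it parses a raw HTTP response, reports each header that is missing or weak and each Set-Cookie that lacks a required attribute, and can also fetch a live page over HTTPS. The two embedded responses are constructed for the example; the cookie names JSESSIONID and LtpaToken2 follow the names WebSphere uses, but the values and the X-Powered-By text are made up.

```python
REQUIRED_COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")

# Constructed weak response: no hardening headers, technology disclosure,
# session cookie without any protective attributes.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Powered-By: Servlet/3.1\r\n"
    "Set-Cookie: JSESSIONID=0000abc:-1; Path=/\r\n"
    "Set-Cookie: LtpaToken2=AAAA; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed hardened response matching the recommendations above.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Set-Cookie: JSESSIONID=0000abc:-1; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Set-Cookie: LtpaToken2=AAAA; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value), ...]).
    Headers are kept as a list, not a dict, because Set-Cookie repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def header_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def audit_response(raw):
    """Return a sorted list of findings; an empty list means all checks passed."""
    _, headers = parse_response(raw)
    findings = []

    hsts = header_values(headers, "Strict-Transport-Security")
    if not any("max-age=" in v.lower() for v in hsts):
        findings.append("Strict-Transport-Security missing or without max-age")
    if not any(v.lower() == "nosniff" for v in header_values(headers, "X-Content-Type-Options")):
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if not header_values(headers, "X-XSS-Protection"):
        findings.append("X-XSS-Protection not set")
    if not header_values(headers, "Content-Security-Policy"):
        findings.append("Content-Security-Policy not set")
    if header_values(headers, "X-Powered-By"):
        findings.append("X-Powered-By reveals server technology")

    for cookie in header_values(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        # attribute names after the first ';', compared case-insensitively
        attrs = [a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]]
        for flag in REQUIRED_COOKIE_FLAGS:
            if flag.lower() not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return sorted(findings)


def audit_live(host, path="/", port=443):
    """Fetch one page over HTTPS and audit its headers (needs network access)."""
    import http.client
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + "".join(
        f"{n}: {v}\r\n" for n, v in resp.getheaders()) + "\r\n"
    conn.close()
    return audit_response(raw)


if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("WEAK:", finding)
    print("hardened findings:", audit_response(HARDENED_RESPONSE))
```

Run audit_live against the login page of the OAC after applying the settings in this section; a cookie that is only set after authentication needs a second request with the session established, and the LTPA cookie appears only when single sign-on is in use.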