Operations and Administration Console and middleware security configuration information
Application security
In a production environment, set the following environment entries for the Operations and Administration Console (OAC) to guard against information leakage:
- Set enablePerUserDebug to false.
- Set enableExceptionView to false.
- Set expireSessionOnLeave to yes.
- Set genTableSql to false.
- Set allAlertsInterval to -1.
For more information, see Environment entries and resources.
WebSphere Application Server security
Consider the following security items when you are reviewing the Securing applications and their environment section in the IBM WebSphere Application Server documentation.
- Java™ 2 security
- Use this option to specify whether to enable or disable Java 2 security permission checking, which involves checking application access to local resources.
- Restrict cookies to HTTP only
- The FTM OAC creates some encrypted cookies for authentication and session management purposes. Restricting cookies to HTTP only is recommended to provide a level of defense against a client-side script that can access a protected cookie and acquire its content. To configure this function, add the com.ibm.ws.webcontainer.HTTPOnlyCookies custom property to the application server web container in the WebSphere Application Server administrative console.
- In the administrative console, click .
- Select the Set session cookies to HTTPOnly to prevent cross-site scripting attacks checkbox.
- On the console taskbar, click Save to save your configuration changes.
- Secure the JSESSIONID cookie
- In the administrative console click .
- Select the Restrict cookies to HTTPS sessions checkbox.
- Click Ok.
- On the console taskbar, click Save to save your configuration changes.
- Secure the LTPA cookie
- If you are using single sign-on (SSO), the LTPA token can be secured as follows:
- In the administrative console, click .
- Select the Requires SSL checkbox.
- Click Ok.
- On the console taskbar, click Save to save your configuration changes.
- Restart the WebSphere Application Server.
- Password Protection
- Use one of the supported user account repositories to ensure that at least the following rules are enforced:
- A strong password policy that ensures password length, complexity, reuse, and aging.
- The accounts are locked out after a defined number of incorrect password attempts.
- Slowloris HTTP Denial of Service (DoS) Attack
- A Slowloris attack works by opening multiple connections to the targeted web server and keeping them open for as long as possible. Eventually all the connection capacity of the server is used, which effectively denies access to legitimate users.
Use the RequestReadTimeout HTTP Server directive to mitigate against this attack. The module that provides this directive (mod_reqtimeout) offers a convenient way to set timeouts and minimum data rates for receiving requests. The parameters of this directive need to be carefully tuned for your specific environment to avoid affecting legitimate users.
- Restrict login form to accept POST method requests only
- By default, the login authentication form that uses the j_security_check action can be called by using both the POST and GET HTTP methods. You can use the com.ibm.ws.webcontainer.enablePostOnlyJSecurityCheck custom property to restrict calls to j_security_check to the POST method only. For more information, see https://www.ibm.com/support/pages/apar/PI60797.
HTTP headers
HTTP response headers are delivered in responses that are sent from the server to the client browser. They can be used to enable browser restrictions to mitigate against security vulnerabilities. The following list has some of the headers that need to be considered.
- Strict-Transport-Security
- The HTTP Strict Transport Security (HSTS) header can be used to restrict the client and server connections to using HTTPS only. For more information, see Setting up HTTP Strict Transport Security (HSTS) in the WebSphere Application Server documentation.
- X-Content-Type-Options
- This header ensures that the MIME types as specified in the Content-Type header cannot be altered.
- X-XSS-Protection
- This header enables the cross-site scripting (XSS) filter in the browser.
- Content-Security-Policy
- This header can be used to modify the way that the browser renders pages. It can be configured to prevent a wide range of attacks.
- X-Powered-By
- To avoid revealing details about the technology used by the server, disable this header by setting the com.ibm.ws.webcontainer.disablexPoweredBy property in the WebSphere Application Server web container settings. For more information, see the WebSphere Application Server documentation.
- SameSite attribute for cookies
- For more information about how to configure this attribute in WebSphere Application Server, see https://www.ibm.com/support/pages/apar/PH22157.