Browser data security
The default Control Center configuration supports both HTTP and HTTP secure (HTTPS with SSL)
browser connections. If you are concerned that the data transmitted between the operator's
browser and the Control Center could be read in clear text, use an HTTP secure (HTTPS)
connection. Information that can be read in clear text when a nonsecure HTTP (non-SSL) connection
is used includes the following:
- User IDs and passwords
- HTTP request and response headers
- Application data
The following ports are defined for the default Control Center configuration:
- 58080: used for HTTP (non-SSL) connections.
- 58448: used for HTTPS (SSL) connections.
To enforce the use of secure (SSL) connections, the following techniques can be used:
- Use the WebSphere® administrative console to enable the Restrict cookies to HTTPS Sessions attribute for cookies in WebSphere Application Server. This setting instructs the browser to send the cookies only on encrypted (HTTPS) requests. When you use this setting and the HTTP (non-SSL) port is not disabled, the Control Center pages do not work properly when users connect to the HTTP (non-SSL) port. For more information about changing the settings for cookies, see the WebSphere Application Server documentation.
- Consider securing the WebSphere Application Server LtpaToken2 cookie by using a secure header. To enable the secure header for this cookie, use the Requires SSL setting for single sign-on under global security and restart the server. This setting is needed even if single sign-on is not being used. For more information about changing the settings for cookies, see the WebSphere Application Server documentation.
- Use a firewall to block the HTTP port.
- Disable the HTTP port in WebSphere Application Server. For more information about virtual hosts and host aliases, see the WebSphere Application Server documentation.
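The first two techniques above both come down to the same observable result: the session cookie (JSESSIONID) and the LtpaToken2 cookie must carry the Secure attribute in the Set-Cookie headers the server returns. The following script, added here as an example and not taken from IBM or WebSphere documentation, audits a response's Set-Cookie headers for the Secure and HttpOnly attributes so an administrator can confirm the settings took effect. The sample headers, cookie values and the `fetch_headers` helper's host and port arguments are constructed assumptions; only standard HTTP header syntax is relied on.

```python
"""Check whether Control Center session cookies carry the Secure attribute.

Added example for this page; it is not IBM or WebSphere code. It assumes
only that the server returns standard HTTP Set-Cookie headers. The cookie
values and the sample responses below are constructed.
"""
import http.client
import ssl
from typing import Dict, List, Set, Tuple

Header = Tuple[str, str]

# Constructed sample: what a login response over the HTTP port might look
# like before "Restrict cookies to HTTPS sessions" and "Requires SSL" are set.
UNHARDENED_HEADERS: List[Header] = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0000SampleSessionId:-1; Path=/; HttpOnly"),
    ("Set-Cookie", "LtpaToken2=SampleTokenValue; Path=/; HttpOnly"),
]

# Constructed sample: the same response after both settings are enabled.
HARDENED_HEADERS: List[Header] = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0000SampleSessionId:-1; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "LtpaToken2=SampleTokenValue; Path=/; Secure; HttpOnly"),
]

# Attributes an administrator expects on every cookie the server sets.
REQUIRED_ATTRIBUTES = ("secure", "httponly")


def parse_set_cookie(value: str) -> Tuple[str, Set[str]]:
    """Split a Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_cookies(headers: List[Header]) -> Dict[str, List[str]]:
    """Map each cookie set by the response to the required attributes it lacks.

    An empty list means the cookie is flagged Secure and HttpOnly. A cookie
    without Secure is also sent by the browser on the plain HTTP port, which
    is exactly the clear-text exposure the page describes.
    """
    findings: Dict[str, List[str]] = {}
    for header_name, value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        findings[cookie] = [a for a in REQUIRED_ATTRIBUTES if a not in attrs]
    return findings


def all_cookies_secure(headers: List[Header]) -> bool:
    """True when every cookie in the response carries the Secure attribute."""
    return all("secure" not in missing for missing in audit_cookies(headers).values())


def fetch_headers(host: str, port: int, path: str = "/", use_tls: bool = True) -> List[Header]:
    """Fetch response headers from a live server (not used by the offline sample).

    A default SSL context is used so certificate chain and hostname checks
    apply; host and port are whatever the administrator's deployment uses.
    """
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, context=ssl.create_default_context(), timeout=10
        )
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    for label, sample in (("before", UNHARDENED_HEADERS), ("after", HARDENED_HEADERS)):
        print(label, audit_cookies(sample), "all secure:", all_cookies_secure(sample))
```

Against a live deployment, replace the constructed samples with `fetch_headers("<control-center-host>", 58448)`; a result in which either JSESSIONID or LtpaToken2 still lists `secure` as missing means the Restrict cookies to HTTPS Sessions attribute or the Requires SSL single sign-on setting has not taken effect, and the server should be restarted and rechecked before the HTTP port is relied on being blocked or disabled.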