Setting up security for WebSphere
Setting up security for WebSphere® Application Server can involve configuring the following.
WebSphere cookies
Set the cookieHttpOnly and cookieSecure fields to true, as shown in the following XML stanza.
<httpSession
    cookieName="FXHSESSIONID"
    cookieSecure="true"
    cookieHttpOnly="true"
    cookiePath="/"/>
This stanza is in the default deployment.

Enable HTTPS
<featureManager>
    <feature>transportSecurity-1.0</feature>
</featureManager>
This stanza is in the default deployment.

HTTP Strict Transport Security (HSTS)
The HSTS header can be used to restrict client/server connections to using the HTTPS protocol only. For more information, see setting up HTTP strict transport security (HSTS) in the IBM® WebSphere Liberty documentation.
Host header injection
The following mod_rewrite directives reject (403 Forbidden) any request whose Host header matches neither of the expected host names:
RewriteEngine ON
RewriteCond %{HTTP_HOST} !=www.example.com
RewriteCond %{HTTP_HOST} !=example.com
...
RewriteRule .* - [F]

Web container property to disable the X-Powered-By header in the HTTP response header
<webContainer disableXPoweredBy="true"/>
For more information, see the IBM WebSphere Liberty documentation. This stanza is in the default deployment.

Transport Layer Security (TLS / SSL) quality of protection
Depending on your security requirements, you might want to change which version of the Transport Layer Security (TLS), and the earlier Secure Sockets Layer (SSL), protocol is supported. You can also limit which cipher suites are accepted. For example, you might want to limit TLS to version 1.2 or disable support for the DES cipher suites.
<ssl id="defaultSSLConfig"
    trustDefaultCerts="true"
    clientAuthenticationSupported="true"
    sslProtocol="TLSv1.2"
    enabledCiphers="{List of cipher suites}"/>
The default deployment sets the TLS version to 1.2 and removes some of the weaker encryption cipher suites.

Transport Layer Security (TLS) renegotiation
To avoid potential security risks, consider disabling TLS renegotiation on the server. For more information, see transport layer security (TLS) renegotiation issue in the IBM SDK, Java™ Technology Edition documentation in IBM Documentation.
WebSphere PD_STATEFUL cookie
For more information, see the following resources:
- The Setting the PD_STATEFUL cookie to Secure technote on the IBM Support website.
- The IBM Security Access Manager documentation in IBM Documentation for information about creating an HTTP transformation.
HTTP session logout timeout
When the browser HTTP session for a Control Center user times out, the user is logged out. However, it is possible for someone to intercept and override the logout timeout. The following stanza logs the user out when the HTTP session expires:
<webAppSecurity logoutOnHttpSessionExpire="true"></webAppSecurity>
This stanza is in the default deployment.
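As an added example (not part of the original page or of the product's own tooling), the following script audits a Liberty server.xml for the settings this page describes: the transportSecurity feature, the httpSession cookie flags, disableXPoweredBy, the sslProtocol restriction and logoutOnHttpSessionExpire. The two server.xml fragments are constructed samples; accepting TLSv1.3 as well as TLSv1.2 is an assumption that goes beyond the page, and the cookie checks require the attributes to be set explicitly, as the page's stanza does.

```python
import xml.etree.ElementTree as ET

# Constructed sample: cookieSecure is false, cookieHttpOnly is missing, TLS is not pinned to 1.2+
WEAK_SERVER_XML = """<server>
  <featureManager><feature>transportSecurity-1.0</feature></featureManager>
  <httpSession cookieName="FXHSESSIONID" cookieSecure="false" cookiePath="/"/>
  <webContainer disableXPoweredBy="true"/>
  <ssl id="defaultSSLConfig" sslProtocol="TLSv1"/>
  <webAppSecurity logoutOnHttpSessionExpire="true"/>
</server>"""

# Constructed sample matching the hardened stanzas on this page
HARDENED_SERVER_XML = """<server>
  <featureManager><feature>transportSecurity-1.0</feature></featureManager>
  <httpSession cookieName="FXHSESSIONID" cookieSecure="true" cookieHttpOnly="true" cookiePath="/"/>
  <webContainer disableXPoweredBy="true"/>
  <ssl id="defaultSSLConfig" sslProtocol="TLSv1.2"/>
  <webAppSecurity logoutOnHttpSessionExpire="true"/>
</server>"""

def _attr_is(root, tag, attr, expected):
    """True when the first <tag> child has attr equal to expected (case-insensitive)."""
    el = root.find(tag)
    return el is not None and el.get(attr, "").lower() == expected.lower()

def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every checked setting is hardened."""
    root = ET.fromstring(xml_text)
    findings = []
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if not any(f.startswith("transportSecurity-") for f in features):
        findings.append("transportSecurity feature not enabled (HTTPS unavailable)")
    if not _attr_is(root, "httpSession", "cookieSecure", "true"):
        findings.append("httpSession cookieSecure is not true")
    if not _attr_is(root, "httpSession", "cookieHttpOnly", "true"):
        findings.append("httpSession cookieHttpOnly is not true")
    if not _attr_is(root, "webContainer", "disableXPoweredBy", "true"):
        findings.append("webContainer disableXPoweredBy is not true")
    ssl = root.find("ssl")
    # Assumption: TLSv1.3 is treated as acceptable alongside the page's TLSv1.2
    if ssl is None or ssl.get("sslProtocol") not in ("TLSv1.2", "TLSv1.3"):
        findings.append("ssl sslProtocol does not restrict to TLSv1.2 or later")
    if not _attr_is(root, "webAppSecurity", "logoutOnHttpSessionExpire", "true"):
        findings.append("webAppSecurity logoutOnHttpSessionExpire is not true")
    return findings

if __name__ == "__main__":
    for finding in audit_server_xml(WEAK_SERVER_XML):
        print("FINDING:", finding)
```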