Setting up security for WebSphere

Setting up security for WebSphere® Application Server can involve configuring the following.

WebSphere cookies

The HTTP session cookie can carry the session token and other sensitive user information. Protect it by setting cookieSecure (the browser sends the cookie only over HTTPS) and cookieHttpOnly (client-side script cannot read it), as shown in the following httpSession stanza.

<httpSession
  cookieName="FXHSESSIONID"
  cookieSecure="true"
  cookieHttpOnly="true"
  cookiePath="/"/>
This stanza is in the default deployment.

Enable HTTPS

Enable HTTPS support for Liberty by adding the following XML to its configuration.
<featureManager>
  <feature>transportSecurity-1.0</feature>
</featureManager>
This stanza is in the default deployment.

HTTP Strict Transport Security (HSTS)

The HSTS response header tells browsers to reach the site only over HTTPS for the period it specifies, so a later plain-HTTP request is upgraded to HTTPS before it leaves the client. For more information, see setting up HTTP strict transport security (HSTS) in the IBM® WebSphere Liberty documentation.

Host header injection

Prevent host header injection by using mod_rewrite directives to allow only known host names and reject every other Host header value. For example:

RewriteEngine ON
RewriteCond %{HTTP_HOST} !=www.example.com
RewriteCond %{HTTP_HOST} !=example.com
   ...   
RewriteRule .* - [F]

Each RewriteCond uses an exact, case-sensitive string comparison (the = operator), so a Host value that includes a non-default port must be listed separately. A request whose Host header matches none of the listed names receives a 403 Forbidden response.

Web container property to disable the X-Powered-By header in the HTTP response header

To avoid revealing details about the technology used by the server, disable the X-Powered-By header by setting the following property in the WebSphere Liberty web container settings.
<webContainer disableXPoweredBy="true"/>
For more information, see the IBM WebSphere Liberty documentation. This stanza is in the default deployment.
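The following is an added example, not code from this page or from IBM Liberty, that checks the results the host header, cookie, HSTS and X-Powered-By sections above are meant to produce: it applies the same exact-match Host allowlist as the rewrite rules, and audits a response for Secure and HttpOnly on the FXHSESSIONID cookie, a positive HSTS max-age, and the absence of X-Powered-By. The cookie name and the two host names come from the page; the HTTP messages below are constructed for illustration, not captured from a real server.

```python
"""Audit the request and response headers configured in the sections above.

Added example, not code from the page or from IBM Liberty. The sample
messages are constructed for illustration.
"""
import re

ALLOWED_HOSTS = {"www.example.com", "example.com"}  # assumption: same hosts as the rewrite rules
SESSION_COOKIE = "FXHSESSIONID"


def parse_headers(raw):
    """Split a raw HTTP message (start line + headers, CRLF separated) into
    (start_line, [(name, value), ...]). Names are lowercased; repeated
    headers such as Set-Cookie are kept as separate entries."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line, ignore it
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def host_allowed(request):
    """Mirror the RewriteCond/RewriteRule logic: accept only a Host header
    that is an exact, case-sensitive member of the allowlist. A missing,
    duplicated or unlisted Host (including one carrying an explicit port)
    is rejected, just as the '=' comparison in mod_rewrite would reject it."""
    _, headers = parse_headers(request)
    hosts = [v for n, v in headers if n == "host"]
    return len(hosts) == 1 and hosts[0] in ALLOWED_HOSTS


def audit_response(response):
    """Return a list of findings; an empty list means the response passes."""
    _, headers = parse_headers(response)
    findings = []

    # The session cookie must carry both the Secure and HttpOnly attributes.
    for name, value in headers:
        if name != "set-cookie" or not value.startswith(SESSION_COOKIE + "="):
            continue
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("session cookie missing Secure")
        if "httponly" not in attrs:
            findings.append("session cookie missing HttpOnly")

    # HSTS must be present with a positive max-age.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    m = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    if not m or int(m.group(1)) <= 0:
        findings.append("HSTS header missing or max-age not positive")

    # disableXPoweredBy="true" must have removed the technology banner.
    if any(n == "x-powered-by" for n, _ in headers):
        findings.append("X-Powered-By header present")
    return findings


# Constructed sample messages (not captured from a real server).
GOOD_REQUEST = "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SPOOFED_REQUEST = "GET / HTTP/1.1\r\nHost: www.example.com.attacker.test\r\n\r\n"
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: FXHSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n"
)
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: FXHSESSIONID=abc123; Path=/\r\n"
    "X-Powered-By: Servlet/4.0\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    print("host ok:", host_allowed(GOOD_REQUEST), host_allowed(SPOOFED_REQUEST))
    print("hardened:", audit_response(HARDENED))
    print("weak:", audit_response(WEAK))
```

Run it against a response captured with a browser's developer tools or a raw HTTPS client to confirm the stanzas took effect after a restart; a reverse proxy in front of Liberty can strip or add any of these headers, so audit the response the client actually receives.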

Transport Layer Security (TLS / SSL) quality of protection

Depending on your security requirements, you might want to change which versions of the Transport Layer Security (TLS) protocol, and of the earlier Secure Sockets Layer (SSL) protocol, the server accepts. You can also limit which cipher suites are accepted. For example, you might want to allow only TLS version 1.2 or disable support for the DES cipher suites.

You can specify the TLS version and remove support for the weaker cipher suites by using the following XML. Replace the placeholder with the space-separated list of cipher suites that you want to support, then add the XML to the Liberty configuration.

<ssl id="defaultSSLConfig"
     trustDefaultCerts="true"
     clientAuthenticationSupported="true"
     sslProtocol="TLSv1.2"
     enabledCiphers="{List of cipher suites}"/>
The default deployment sets the TLS version to 1.2 and removes some of the weaker encryption cipher suites.
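The following is an added example, not code from this page or from IBM Liberty, that lints an ssl stanza like the one above before it goes into server.xml: it reads the sslProtocol and enabledCiphers attributes (the attribute names the page uses) and flags a protocol below TLS 1.2 or a suite that the guidance above would exclude. The weak-suite markers, the accepted protocol list and the sample stanzas are constructed for illustration and are not a complete cipher policy.

```python
"""Lint a Liberty <ssl> stanza for a weak protocol or weak cipher suites.

Added example, not code from the page or from IBM Liberty. The marker list
and sample stanzas are illustrative assumptions, not a complete policy.
"""
import re
import xml.etree.ElementTree as ET

# Substrings that mark a cipher suite as one to exclude. Assumption: this
# covers the page's DES example plus other commonly retired algorithms.
WEAK_MARKERS = ("_DES_", "3DES", "RC4", "NULL", "EXPORT", "anon", "_MD5")

# Assumption: TLS 1.2 is the floor, matching the page's default deployment.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def lint_ssl(stanza_xml):
    """Return a list of findings for one <ssl ...> element; empty means OK."""
    ssl = ET.fromstring(stanza_xml)
    if ssl.tag != "ssl":
        return ["root element is <%s>, expected <ssl>" % ssl.tag]
    findings = []

    protocol = ssl.get("sslProtocol")
    if not protocol:
        findings.append("sslProtocol not set; the JVM default decides the floor")
    else:
        # Assumption: a comma-separated list may be given; check every entry.
        for p in (x.strip() for x in protocol.split(",")):
            if p not in ACCEPTED_PROTOCOLS:
                findings.append("protocol %s is not an explicit TLS 1.2 or later version" % p)

    # Liberty separates suites with spaces; commas are tolerated here too.
    suites = [s for s in re.split(r"[\s,]+", ssl.get("enabledCiphers", "")) if s]
    if not suites:
        findings.append("enabledCiphers empty; the JVM default suite list applies")
    for s in suites:
        if any(marker.lower() in s.lower() for marker in WEAK_MARKERS):
            findings.append("weak cipher suite enabled: " + s)
    return findings


# Constructed sample stanzas (illustrative, not from a real deployment).
STRONG = (
    '<ssl id="defaultSSLConfig" sslProtocol="TLSv1.2" '
    'enabledCiphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 '
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>'
)
WEAK = (
    '<ssl id="defaultSSLConfig" sslProtocol="TLSv1" '
    'enabledCiphers="TLS_RSA_WITH_DES_CBC_SHA '
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>'
)

if __name__ == "__main__":
    print("strong:", lint_ssl(STRONG))
    print("weak:", lint_ssl(WEAK))
```

The marker check is a substring match, so review any suite it flags rather than removing it blindly, and remember that the suites actually negotiated also depend on what the JVM's provider supports; confirm the live result with a TLS scanner against the endpoint.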

Transport Layer Security (TLS) renegotiation

To avoid potential security risks, consider disabling TLS renegotiation on the server. For more information, see transport layer security (TLS) renegotiation issue in the IBM SDK, Java™ Technology Edition documentation in IBM Documentation.

WebSphere PD_STATEFUL cookie

A PD_STATEFUL cookie is used by IBM Security Identity and Access Management. For more information about this cookie, see the following documentation.
  • The Setting the PD_STATEFUL cookie to Secure technote on the IBM Support website.
  • The IBM Security Access Manager documentation in IBM Documentation for information about creating an HTTP transformation.

HTTP session logout timeout

When the browser HTTP session for a Control Center user times out, the user is logged out. However, expiry of the browser session alone is not enough: someone who has intercepted the session credentials could continue to use them beyond the timeout.

To prevent this, configure Liberty to log the user out when the HTTP session expires by adding the following XML to its configuration. For more information about this property, see the WebSphere Liberty documentation.
<webAppSecurity logoutOnHttpSessionExpire="true"></webAppSecurity>
This stanza is in the default deployment.