Security hardening

You can harden your installation against specific vulnerability types. Follow the steps in the linked technotes to secure the installation.

  • To protect against Host header injection - technote.
  • To protect against Content spoofing - technote.
  • To protect against Information disclosure in X-Powered-By HTTP response headers - technote.
  • Configure appropriate TLS versions and cipher suites for the Microservices tier - technote.
  • Avoid insecure deserialization in IBM® InfoSphere® Information Server Java Remote Method Invocation services - technote.
  • Disable disclosure of ingress controller metrics - technote.
  • SameSite can be set to Strict for two WebSphere-related cookies:
    1. JSESSIONID cookie: The CookieSameSite property can be specified as Strict in the WebSphere Administration console at Servers > Server Types > WebSphere application servers > server1 > Session management > Custom properties > New. For more details, see PH22157.
    2. LtpaToken2 cookie: In the WebSphere Administration console, the custom property com.ibm.websphere.security.addSameSiteAttributeToCookie can be set to Strict at Security > Global security > Custom properties > New. For more details, see the WebSphere documentation.
  • Security of Apache Zookeeper, Kafka, and Solr services installed by IBM InfoSphere Information Server:
    • If you have a Microservices tier, authentication is enabled for Zookeeper and some znodes are protected. Most znodes do not require authentication and are world readable and writable; ACLs are enforced only on the Kafka, Solr, and Zookeeper znodes that hold data that should not be tampered with. This is the default Zookeeper setup for Kafka and Solr. There are no destructive actions that can be performed using zkCli.
    • If you do not have a Microservices tier, see Securing the Zookeeper, Kafka, and Solr services in InfoSphere Information Server services tier.
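
Two of the items above (removing the X-Powered-By response header, and setting SameSite=Strict on the JSESSIONID and LtpaToken2 cookies) can be verified from a single captured HTTP response. The following Python script is an added example, not IBM's code and not part of any technote: it parses the raw header block of a response and reports any of those settings that are missing. The two sample responses are constructed; point it at a response captured from your own WebSphere tier to run the check for real.

```python
"""Audit one HTTP response header block for the WebSphere hardening items:
X-Powered-By must be absent, and the JSESSIONID and LtpaToken2 cookies
must carry SameSite=Strict. Sample responses below are constructed."""

# Cookies the page says should be issued with SameSite=Strict.
COOKIES_REQUIRING_STRICT = ("JSESSIONID", "LtpaToken2")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Parse a raw HTTP response (status line plus headers) into
    (lower-cased name, value) pairs, keeping repeated headers such as
    Set-Cookie in order. Parsing stops at the blank line before the body."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    pairs = []
    for line in lines:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attributes(set_cookie: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and a map of
    lower-cased attribute names to values (flag attributes map to '')."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_response(raw: str) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    headers = parse_headers(raw)
    # Item: information disclosure via X-Powered-By.
    for name, value in headers:
        if name == "x-powered-by":
            findings.append(f"X-Powered-By header present: {value}")
    # Item: SameSite=Strict on the two WebSphere cookies.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if cookie in COOKIES_REQUIRING_STRICT:
            same_site = attrs.get("samesite", "")
            if same_site.lower() != "strict":
                findings.append(
                    f"{cookie} cookie lacks SameSite=Strict (got {same_site or 'none'})"
                )
    return findings


# Constructed sample: a response before hardening.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: WebSphere Application Server\r\n"
    "X-Powered-By: Servlet/4.0\r\n"
    "Set-Cookie: JSESSIONID=0000abc123:-1; Path=/; HttpOnly\r\n"
    "Set-Cookie: LtpaToken2=AAECAwQ; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>\r\n"
)

# Constructed sample: the same response after applying the technote steps.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: WebSphere Application Server\r\n"
    "Set-Cookie: JSESSIONID=0000abc123:-1; Path=/; HttpOnly; SameSite=Strict\r\n"
    "Set-Cookie: LtpaToken2=AAECAwQ; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>\r\n"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_response(response)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The weak sample produces three findings (the X-Powered-By header, JSESSIONID with no SameSite attribute, and LtpaToken2 with SameSite=Lax); the hardened sample produces none. The check only covers the two items that are visible in a response; the TLS, deserialization and ingress-metrics items above need their own verification.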