Security-hardening properties

IBM® Business Process Manager provides configuration settings at the deployment environment level to harden security that mitigates web application threats, including cross-site request forgery (CSRF), network sniffing, clickjacking, and uploading malicious documents.

These security settings are off by default. You enable them by setting custom properties at the deployment environment (DE) level in the configuration repository by using the setBPMProperty command. The following table describes the available properties and shows you how to set them for the sample deployment environment De1.
IBM BPM version 8.6.0 cumulative fix 2018.03Note: In IBM BPM V8.6 2018.03, these properties were changed from ProcessServer.property to Security.property. When you upgrade to V8.6 2018.03, these properties are automatically migrated to their new names. If you have automated scripts to set or read these properties using AdminTask.getBPMProperty(...) or AdminTask.setBPMProperty(...), the AdminTask will accept either name. However, names with ProcessServer.property for these security-hardening settings are deprecated.
Table 1. Security-hardening properties
Property Accepted values Example Default value
Security.CsrfProtectionRefererWhitelist The value of this property must be a comma-separated list of host names (or domain names) that are valid values for the Referer header field. By restricting values to host names and domain names that serve user interfaces for IBM BPM, you can mitigate CSRF. For more information about the Referer header field, see the Request for Comments (RFC) 7231 documentation.
AdminTask.setBPMProperty(['-de', 'De1', '-name',
 'Security.CsrfProtectionRefererWhitelist', '-value',
 'fmtc4090.boeblingen.de.ibm.com'])
Unassigned, which allows the header of the HTTP request to contain any value
Security.CsrfProtectionOriginWhitelist The value of this property must be a comma-separated list of prefixes in the format protocol://host:port that are acceptable values in the Origin header field. By restricting possible values to host names and domain names that serve user interfaces for IBM BPM, you can mitigate CSRF. For more information about the Origin header, see the RFC 6454 documentation.
AdminTask.setBPMProperty(['-de', 'De1', '-name',
    'Security.CsrfProtectionOriginWhitelist', '-value',
    'https://fmtc4090.boeblingen.de.ibm.com'])
Unassigned, which allows the header of the HTTP request to contain any value
Security.XFrameOptionsHeaderValue You set the value of the X-Frame-Options header field of the HTTP response with this property. IBM BPM returns this value to client requests. The value disallows browsers to embed IBM BPM user interfaces in iframes and, thus, mitigates potential clickjacking attacks. You can set the following values:
  • DENY: This value specifies that IBM BPM must not be embedded in iframes.
    Note: This value does not work with client-side human services and IBM Process Portal.
  • SAMEORIGIN: This value is recommended for most scenarios. IBM BPM user interfaces can be embedded in iframes, if the iframe element is served from the same origin as the IBM BPM user interface.
  • ALLOW-FROM https://example.com/: This value allows the browser to embed IBM BPM in iframes served from the https://example.com/ URI.
For more information about the X-Frame-Origin options, see the RFC 7034 documentation.
AdminTask.setBPMProperty(['-de', 'De1', '-name',
    'Security.XFrameOptionsHeaderValue', '-value', 'SAMEORIGIN'])
Unassigned, which omits the X-Frame-Options field in the response header
Security.ContentSecurityPolicyHeaderValue You set the value of the Content-Security-Policy and X-Content-Security-Policy HTTP response header fields with this property. IBM BPM returns this value to client requests. The value instructs the browser to load and run assets in the context of IBM BPM user interfaces only from a set of whitelisted origins. For example, the policy default-src 'unsafe-inline' 'unsafe-eval' https://bpm1.ibm.com https://bpm1; img-src data: https://bpm1.ibm.com https://bpm1 instructs the browser to retrieve images from data: URIs and from URIs that meet one of the two whitelisted URI patterns.
AdminTask.setBPMProperty(['-de', 'De1', '-name',
    'Security.ContentSecurityPolicyHeaderValue', '-value', "default-src 'self' 'unsafe-inline'
    'unsafe-eval' https://fmtc4090.boeblingen.de.ibm.com"])
Unassigned, which omits both the response header fields
Security.StrictTransportSecurityHeaderValue You set the value of the Strict-Transport-Security HTTP response header field with this property. IBM BPM returns this value to client requests. The value instructs the browser to upgrade any http:// link to the server to an https:// link. For more information about the Strict-Transport-Security header, see the RFC 6797 RFC documentation. A sample value is max-age=100; includeSubDomains.
AdminTask.setBPMProperty(['-de', 'De1', '-name',
    'Security.StrictTransportSecurityHeaderValue', '-value', "max-age=100;
    includeSubDomains"])
Unassigned, which omits the Strict-Transport-Security response header field
Security.XXssProtectionHeaderValue You set the value of the X-XSS-Protection HTTP response header field with this property. IBM BPM returns this value to client requests. The value instructs the browser to enable its built-in cross-site scripting protection, independent of the user's configuration. Setting this property can be useful if the Internet Explorer browser categorizes IBM BPM to run in the intranet zone, which applies weaker browser security settings. A sample value is 1; mode=block.
AdminTask.setBPMProperty(['-de', 'De1', '-name',
    'Security.XXssProtectionHeaderValue', '-value', "1;
    mode=block"])
Unassigned, which omits the X-Xss-Protection response header field
Security.XContentTypeOptionsHeaderValue You set the value of the X-Content-Type-Options HTTP response header field with this property. IBM BPM returns this value to client requests. For example, a value of nosniff instructs browsers to disable MIME-type sniffing (a technique that tries to determine a suitable rendering strategy for server content based on the contents of the HTTP response). MIME-type sniffing can interfere with the explicit overwriting of MIME types in IBM BPM document downloads and, thus, re-run JavaScript even if IBM BPM explicitly set the Content-Type header to force the download window.
AdminTask.setBPMProperty(['-de', 'De1', '-name',
    'Security.XContentTypeOptionsHeaderValue', '-value', "nosniff"])
Unassigned, which omits the X-Content-Type-Options response header field
Security.CsrfSessionTokenSalt Security.CsrfSessionTokenProtectedUris You enable session-specific tokens to mitigate CSRF with these properties.
  • To generate identical CSRF protection tokens on all cluster members without sharing the generated tokens, use the Security.CsrfSessionTokenSalt property. To activate the CSRF protection token, set any value for Security.CsrfSessionTokenSalt.
  • For the server to check for CSRF protection, use the Security.CsrfSessionTokenProtectedUris property. The only supported URI prefixes for this feature are /teamworks/ajaxCoach for coach navigation and /teamworks/cs_ for Process Admin Console. The recommended value is /teamworks/ajaxCoach,/teamworks/cs_ to protect both.
AdminTask.setBPMProperty(['-de', 'De1', '-name',
    'Security.CsrfSessionTokenSalt', '-value', 'verySecret'])
AdminTask.setBPMProperty(['-de', 'De1', '-name',
    'Security.CsrfSessionTokenProtectedUris', '-value',
    '/teamworks/ajaxCoach,/teamworks/cs_'])
Unassigned, which makes IBM BPM vulnerable to CSRF
Security.AllowedHttpMethods In IBM BPM, web applications process requests for a small set of well-known HTTP methods. For a minimal attack surface, it is a good security practice to respond with an HTTP 403 (forbidden) status code if a request uses an unexpected HTTP method. This avoids unintentionally triggered default code paths that are implemented in various web application frameworks.

The value of this property is a comma-separated list of acceptable HTTP methods, such as the following methods that are set by default:

  • GET
  • PUT
  • POST
  • DELETE
  • HEAD
  • OPTIONS

Any requests with a method other than the white-listed ones will be rejected with the message HTTP 403 (forbidden).

Although the methods that are set by default are all used by the REST API, you can apply restrictions to the methods by using the WSADMIN setBPMProperty command to configure the property. For more information, see the topic setBPMProperty command.

Any customization of Heritage Process Portal (deprecated) themes (and Business Space) requires a WebDAV connection. WebDAV uses exotic HTTP methods that are defined in their documentation about HTTP extensions for distributed authoring. Information on using WebDAV for customization is found in the topic Connecting to the WebDav folder to customize Heritage Process Portal.

Heritage Process Portal theme customizations are not relevant to all customers. The few customers who need this capability generally only require it temporarily. WebDAV HTTP methods are therefore not white-listed by default. We recommend the temporary enablement of WebDAV HTTP methods while customizing Heritage Process Portal or Business Space themes (if needed).

AdminTask.setBPMProperty(['-de', 'De1', '-name',
 'Security.AllowedHttpMethods', '-value',
 'GET,PUT,POST,DELETE,HEAD,OPTIONS'])
 
To display the current settings, you can create a simple Jython script like the following example (assuming your deployment environment name is De1):
de = 'De1'

def printSetting(propertyName):
  value = AdminTask.getBPMProperty(['-de', de, '-name', propertyName])
  if value:
    print propertyName+': ' + value 
  else:
    print propertyName + ' is not set.'
print 'Security hardening settings:'  
printSetting('Security.CsrfProtectionRefererWhitelist')
printSetting('Security.CsrfProtectionOriginWhitelist')
printSetting('Security.XFrameOptionsHeaderValue')
printSetting('Security.ContentSecurityPolicyHeaderValue')
printSetting('Security.StrictTransportSecurityHeaderValue')
printSetting('Security.XXssProtectionHeaderValue')
printSetting('Security.XContentTypeOptionsHeaderValue')
printSetting('Security.CsrfSessionTokenSalt')
printSetting('Security.CsrfSessionTokenProtectedUris')
printSetting('Security.AllowedHttpMethods')

Store the script in a path accessible from your wsadmin scripting client; for example, path_to_script/printSecuritySettings.jy.

Start the wsadmin scripting client from the deployment manager profile /bin directory:
wsadmin -conntype none -f path_to_script/printSecuritySettings.jy
By default, the output of the script is:
WASX7357I: By request, this scripting client is not connected to any server process. oCertain configuration and application operations will be available in local mode.
Security hardening settings:
Security.CsrfProtectionRefererWhitelist is not set.
Security.CsrfProtectionOriginWhitelist is not set.
Security.XFrameOptionsHeaderValue is not set.
Security.ContentSecurityPolicyHeaderValue is not set.
Security.StrictTransportSecurityHeaderValue is not set.
Security.XXssProtectionHeaderValue is not set.
Security.XContentTypeOptionsHeaderValue is not set.
Security.CsrfSessionTokenSalt is not set.
Security.CsrfSessionTokenProtectedUris is not set.
Security.AllowedHttpMethods: GET,PUT,POST,DELETE,HEAD,OPTIONS