Security-hardening properties

Edit online

IBM® Business Automation Workflow provides configuration settings at the deployment environment level to harden security that mitigates web application threats, including cross-site request forgery (CSRF), network sniffing, clickjacking, and uploading malicious documents.

Hardening IBM Business Automation Workflow

You can improve your security by setting custom properties at the deployment environment (DE) level in the configuration repository by using the setBPMProperty command. The following table describes the available properties and shows you how to set them for the sample deployment environment De1.

Note: In Business Automation Workflow V8.6 2018.03, these properties were changed from ProcessServer.property to Security.property. When you upgrade to V8.6 2018.03, these properties are automatically migrated to their new names. If you have automated scripts to set or read these properties using AdminTask.getBPMProperty(...) or AdminTask.setBPMProperty(...), the AdminTask will accept either name. However, names with ProcessServer.property for these security-hardening settings are deprecated.

Note: The version of Java used in the desktop IBM Process Designer doesn't support Galois/Counter Mode (GCM) ciphers. When configuring this very restrictive list of ciphers, the desktop Process Designer can't connect directly to the web container of Business Automation Workflow. If you are using the desktop Process Designer and it connects directly to the Business Automation Workflow application server without passing through a web server, you must add at least one non-GCM cipher.

Table 1. Security-hardening properties
Property	Accepted values	Example	Default value
`Security.CommonLogoutExitPage`	A full URL (absolute or relative) to which the user should be redirected after logout. This allows logging out of SSO solutions as part of logging out of Workflow. This property has no default value. Note that this setting overrides individual logout pages configured for individual web applications as described in Configuring third-party authentication products. If any of the URLs of the custom logout pages are not on the same host as the Business Automation Workflow server or do not belong to the same domain, you must set one of the `com.ibm.websphere.security.allowAnyLogoutExitPageHost` or `com.ibm.websphere.security.logoutExitPageDomainList` global security custom properties. For more information about these custom properties, see Security custom properties.	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.CommonLogoutExitPage', '-value', 'https://ums.customer.com/ums/logout'])`
Security.CheckXSRFForOldRestApi	This property controls whether IBM Business Automation Workflow validates the cookie "XSRF-TOKEN" against incoming REST API requests (POST/PUT/DELETE) with the path pattern "/rest/bpm/wle/v1/*". The value must be TRUE or FALSE.	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.CheckXSRFForOldRestApi', '-value', 'FALSE'])`	TRUE
Security.UserAgentKeywordWhiteListForOldRestAPICSRFCheck	The value of this property must be a comma-separated list of keywords of the user agents that IBM Business Automation Workflow must not validates the cookie "XSRF-TOKEN" against incoming REST API requests with the path pattern "/rest/bpm/wle/v1/*".	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.UserAgentKeywordWhiteListForOldRestAPICSRFCheck', '-value', 'Java,Wink Client,HttpClient,curl,Jersey,HttpUrlConnection,MyNewAgent'])`	Java,Wink Client,HttpClient,curl,Jersey,HttpUrlConnection
`Security.CsrfProtectionRefererWhitelist`	The value of this property must be a comma-separated list of fully qualified host names that are valid values for the Referer header field. By restricting values to host names that serve user interfaces for Business Automation Workflow, you can mitigate CSRF. For more information about the Referer header field, see the Request for Comments (RFC) 7231 documentation.	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.CsrfProtectionRefererWhitelist', '-value', 'fmtc4090.boeblingen.de.ibm.com'])`	Unassigned, which allows the header of the HTTP request to contain any value
`Security.CsrfProtectionOriginWhitelist`	The value of this property must be a comma-separated list of prefixes in the format `protocol://host:port` that are acceptable values in the Origin header field. By restricting possible values to host names and domain names that serve user interfaces for Business Automation Workflow, you can mitigate CSRF. For more information about the Origin header, see the RFC 6454 documentation.	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.CsrfProtectionOriginWhitelist', '-value', 'https://fmtc4090.boeblingen.de.ibm.com'])`	Unassigned, which allows the header of the HTTP request to contain any value
`Security.XFrameOptionsHeaderValue` (deprecated)	Note: The `Security.XFrameOptionsHeaderValue` property is deprecated. Use the Security.ContentSecurityPolicyHeaderValue property instead. The Content-Security-Policy HTTP header has a frame-ancestors directive which obsoletes this header for supporting browsers. You set the value of the X-Frame-Options header field of the HTTP response with this property. Business Automation Workflow returns this value to client requests. The value disallows browsers to embed Business Automation Workflow user interfaces in iframes and, thus, mitigates potential clickjacking attacks. You can set the following values: `DENY`: This value specifies that Business Automation Workflow must not be embedded in iframes. Note: This value does not work with client-side human services and IBM Process Portal. `SAMEORIGIN`: This value is recommended for most scenarios. Business Automation Workflow user interfaces can be embedded in iframes, if the iframe element is served from the same origin as the Business Automation Workflow user interface. `ALLOW-FROM https://example.com/`: This value allows the browser to embed Business Automation Workflow in iframes served from the https://example.com/ URI. For more information about the X-Frame-Origin options, see the RFC 7034 documentation.	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.XFrameOptionsHeaderValue', '-value', 'SAMEORIGIN'])`	Unassigned, which omits the X-Frame-Options field in the response header
`Security.ContentSecurityPolicyHeaderValue`	You set the value of the Content-Security-Policy and X-Content-Security-Policy HTTP response header fields with this property. Business Automation Workflow returns this value to client requests. The value instructs the browser to load and run assets in the context of Business Automation Workflow user interfaces only from a set of allowed origins. For example, the policy `default-src 'unsafe-inline' 'unsafe-eval' https://bpm1.ibm.com https://bpm1; img-src data: https://bpm1.ibm.com https://bpm1` instructs the browser to retrieve images from data: URIs and from URIs that meet one of the two allowed URI patterns.	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.ContentSecurityPolicyHeaderValue', '-value', "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://fmtc4090.boeblingen.de.ibm.com ;frame-ancestors 'self'; img-src 'self' data:; font-src 'self' fonts.gstatic.com"])`	default-src 'self' 'unsafe-inline' 'unsafe-eval';frame-ancestors 'self'; img-src 'self' data:
`Security.StrictTransportSecurityHeaderValue`	You set the value of the Strict-Transport-Security HTTP response header field with this property. Business Automation Workflow returns this value to client requests. The value instructs the browser to upgrade any http:// link to the server to an https:// link. For more information about the Strict-Transport-Security header, see the RFC 6797 RFC documentation. A sample value is `max-age=100; includeSubDomains`.	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.StrictTransportSecurityHeaderValue', '-value', "max-age=100; includeSubDomains"])`	max-age=31536000; includeSubDomains
`Security.XXssProtectionHeaderValue`	You set the value of the X-XSS-Protection HTTP response header field with this property. Business Automation Workflow returns this value to client requests. The value instructs the browser to enable its built-in cross-site scripting protection, independent of the user's configuration. Setting this property can be useful if the Internet Explorer browser categorizes Business Automation Workflow to run in the intranet zone, which applies weaker browser security settings. A sample value is `1; mode=block`.	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.XXssProtectionHeaderValue', '-value', "1; mode=block"])`	1; mode=block
`Security.XContentTypeOptionsHeaderValue`	You set the value of the X-Content-Type-Options HTTP response header field with this property. Business Automation Workflow returns this value to client requests. For example, a value of `nosniff` instructs browsers to disable MIME-type sniffing (a technique that tries to determine a suitable rendering strategy for server content based on the contents of the HTTP response). MIME-type sniffing can interfere with the explicit overwriting of MIME types in Business Automation Workflow document downloads and, thus, re-run JavaScript even if Business Automation Workflow explicitly set the Content-Type header to force the download window.	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.XContentTypeOptionsHeaderValue', '-value', "nosniff"])`	nosniff
`Security.CsrfSessionTokenSalt` `Security.CsrfSessionTokenProtectedUris`	You enable session-specific tokens to mitigate CSRF with these properties. Do not set the `HTTPOnly` flag because the CSRF token is a double-submit token. To generate identical CSRF protection tokens on all cluster members without sharing the generated tokens, use the `Security.CsrfSessionTokenSalt` property. To activate the CSRF protection token, set any value for `Security.CsrfSessionTokenSalt`. For the server to check for CSRF protection, use the `Security.CsrfSessionTokenProtectedUris` property. The only supported URI prefixes for this feature are `/teamworks/ajaxCoach` for coach navigation and `/teamworks/cs_` for Process Admin Console. The recommended value is `/teamworks/ajaxCoach,/teamworks/cs_` to protect both.	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.CsrfSessionTokenSalt', '-value', 'verySecret'])` `AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.CsrfSessionTokenProtectedUris', '-value', '/teamworks/ajaxCoach,/teamworks/cs_'])`	The default for `Security.CsrfSessionTokenSalt` is a system generated random value, which is set in the configuration to ensure the same value is shared by all cluster members. The default value for `Security.CsrfSessionTokenProtectedUris` is /teamworks/ajaxCoach,/teamworks/cs_
`Security.AllowedHttpMethods`	In Business Automation Workflow, web applications process requests for a small set of well-known HTTP methods. For a minimal attack surface, it is a good security practice to respond with an `HTTP 403 (forbidden)` status code if a request uses an unexpected HTTP method. This avoids unintentionally triggered default code paths that are implemented in various web application frameworks. The value of this property is a comma-separated list of acceptable HTTP methods, such as the following methods that are set by default: GET PUT POST DELETE HEAD OPTIONS Any requests with a method that isn't on the allowlist will be rejected with the message `HTTP 403 (forbidden)`. Although the methods that are set by default are all used by the REST API, you can apply restrictions to the methods by using the WSADMIN setBPMProperty command to configure the property. For more information, see the topic setBPMProperty command. Any customization of Heritage Process Portal (deprecated) themes (and Business Space) requires a WebDAV connection. WebDAV uses exotic HTTP methods that are defined in their documentation about HTTP extensions for distributed authoring. Information on using WebDAV for customization is found in the topic Connecting to the WebDav folder to customize Heritage Process Portal. Heritage Process Portal theme customizations are not relevant to all customers. The few customers who need this capability generally only require it temporarily. WebDAV HTTP methods are therefore not on the allowlist by default. We recommend the temporary enablement of WebDAV HTTP methods while customizing Heritage Process Portal or Business Space themes (if needed).	`AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.AllowedHttpMethods', '-value', 'GET,PUT,POST,DELETE,HEAD,OPTIONS'])`	GET,PUT,POST,DELETE,HEAD,OPTIONS

Important: After you have hardened your security, test your user interfaces to see if any of the security restrictions prevent a browser from properly rendering and executing your user interface code. If you find problems, you might have to change the security hardening settings to suit the exact header values that you need IBM Business Automation Workflow to return. For example, you might need to extend the Security.ContentSecurityPolicyHeaderValue with additional origins to load images, stylesheets or scripts from other sources. As a temporary "quick fix", you can revert to the previous default behavior of not setting these headers, by configuring a value of unset for the following properties:

Security.AllowedHttpMethods
Security.ContentSecurityPolicyHeaderValue
Security.CsrfSessionTokenProtectedUris
Security.StrictTransportSecurityHeaderValue
Security.XContentTypeOptionsHeaderValue- 
Security.XXssProtectionHeaderValue

If your custom user interface application requires browsers to allow additional origins or features, configure the exact header values that you need IBM Business Automation Workflow to return. For example, you might need to extend the Security.ContentSecurityPolicyHeaderValue with additional origins to load images, style sheets or even script from other sources.

This is the case when configuring this IBM Business Automation Workflow as one of the federated IBM Business Automation Workflow systems for Process Federation Server and federated portal or when integrating with BA Studio of IBM Cloud Pak for Business Automation.

Assuming that fp1.ibm.com is your federated portal, and bpm1.ibm.com is the IBM Business Automation Workflow system to be federated:

All of the federated BAW/BPM systems (bpm1.ibm.com) need to configure Security.ContentSecurityPolicyHeaderValue to a value similar to the following:
```
default-src 'self' 'unsafe-inline' 'unsafe-eval';frame-ancestors 'self' https://fp1.fyre.ibm.com; img-src 'self' data:
```

If non-default HTTP(s) port are used, for example, 9443, then the configuration needs to be the following:

default-src 'self' 'unsafe-inline' 'unsafe-eval';frame-ancestors 'self' https://fp1.fyre.ibm.com:9443; img-src 'self' data:

If you use the ICN BPM Plugin, to display Work dashboard and/or BPM tasks, you must perform the preceding configuration.

To display the current settings, you can create a simple Jython script like the following example (assuming your deployment environment name is De1):

de = 'De1'

def printSetting(propertyName):
  value = AdminTask.getBPMProperty(['-de', de, '-name', propertyName])
  if value:
    print propertyName+': ' + value
  elif propertyName == 'Security.XFrameOptionsHeaderValue':
    print propertyName + ' is not set, it is obsolete, use CSP frame-ancestors instead.'
  else:
    print propertyName + ' is not set.'
print 'Security hardening settings:'  
printSetting('Security.CsrfProtectionRefererWhitelist')
printSetting('Security.CsrfProtectionOriginWhitelist')
printSetting('Security.XFrameOptionsHeaderValue')
printSetting('Security.ContentSecurityPolicyHeaderValue')
printSetting('Security.StrictTransportSecurityHeaderValue')
printSetting('Security.XXssProtectionHeaderValue')
printSetting('Security.XContentTypeOptionsHeaderValue')
printSetting('Security.CsrfSessionTokenSalt')
printSetting('Security.CsrfSessionTokenProtectedUris')
printSetting('Security.AllowedHttpMethods')

Store the script in a path accessible from your wsadmin scripting client; for example, path_to_script/printSecuritySettings.jy.

Start the wsadmin scripting client from the deployment manager profile /bin directory:

wsadmin -conntype none -lang jython -f path_to_script/printSecuritySettings.jy

By default, the output of the script is:

WASX7357I: By request, this scripting client is not connected to any server process. oCertain configuration and application operations will be available in local mode.
Security hardening settings:
Security.CsrfProtectionRefererWhitelist is not set.
Security.CsrfProtectionOriginWhitelist is not set.
Security.XFrameOptionsHeaderValue is not set, it is obsolete, use CSP frame-ancestors instead.
Security.ContentSecurityPolicyHeaderValue is not set.
Security.StrictTransportSecurityHeaderValue is not set.
Security.XXssProtectionHeaderValue is not set.
Security.XContentTypeOptionsHeaderValue is not set.
Security.CsrfSessionTokenSalt is not set.
Security.CsrfSessionTokenProtectedUris is not set.
Security.AllowedHttpMethods: GET,PUT,POST,DELETE,HEAD,OPTIONS

Hardening WebSphere Application Server

In addition to harden the IBM Business Automation Workflow application, you also need to take care of your WebSphere® Application Server infrastructure:

By default, TLS secured communication is very compatible, which allows older clients to connect (and be connected to) by using TLS 1.0 and TLS 1.1. To restrict the set of TLS protocol versions and available ciphers, you can update the default SSL configuration by using a script like:

AdminTask.modifySSLConfig('[-alias NodeDefaultSSLSettings -sslProtocol TLSv1.2 -securityLevel CUSTOM -enabledCiphers "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ]')
AdminTask.modifySSLConfig('[-alias CellDefaultSSLSettings -sslProtocol TLSv1.2 -securityLevel CUSTOM -enabledCiphers "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ]')

By default, WebSphere Application Server listens to several secure and non-secured ports for HTTP traffic, ignoring the exact hostname used by clients to connect. This can cause concerns about possible host header injection because requests will be processed regardless of the host header value. You can ensure that IBM Business Automation Workflow applications only respond to requests with a particular host port combination, by configuring the default_host virtual host "host aliases" in the application server using a script like the following. Replace the two initial variables to match your environment. If you use a web server in front of your environment, use the web server's hostname and port:
```
targethostname='example.fyre.ibm.com'
targetport='9443'
cellName=AdminControl.getCell()
aliases=AdminUtilities.convertToList(AdminConfig.list('HostAlias', AdminConfig.getid( '/Cell:' + cellName + '/VirtualHost:default_host/')))
for alias in aliases:
  port = AdminConfig.showAttribute(alias, 'port')
  if (port != targetport):
    print 'removing hostalias with port number ' + port
    AdminConfig.remove(alias)
  else:
    hostname = AdminConfig.showAttribute(alias, 'hostname')
    if ('*' == hostname):
      print 'modifying hostname from * to ' + targethostname + ' for hostalias with port ' + port
      AdminConfig.modify(alias, '[[hostname ' + targethostname + ']]')
    else:
      print 'there is already a non-wildcard hostname configured: ' + hostname
```
Important: The blank lines at the end of this sample are syntactically important.