APAR status
Closed as program error.
Error description
After an initial installation, additional security-hardening configuration is recommended.

PRODUCTS AFFECTED
IBM Business Automation Workflow
Local fix
Run the commands to apply the security-hardening settings that match your environment, as documented in "Security-hardening properties" (https://www.ibm.com/support/knowledgecenter/SS8JB4/com.ibm.wbpm.imuc.doc/topics/rsec_harden_properties.html).

The recommended value for the Content Security Policy is:

AdminTask.setBPMProperty(['-de', 'De1', '-name', 'Security.ContentSecurityPolicyHeaderValue', '-value', "default-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; img-src 'self' data:"])

To revert to the previous default of not setting these headers, configure a value of "unset" for each of the following properties:
- Security.AllowedHttpMethods
- Security.ContentSecurityPolicyHeaderValue
- Security.CsrfSessionTokenProtectedUris
- Security.StrictTransportSecurityHeaderValue
- Security.XContentTypeOptionsHeaderValue
- Security.XXssProtectionHeaderValue
Problem summary
No additional information is available.
Problem conclusion
A fix is available or will be available that applies the following security-hardening settings by default during an initial installation:
- If the Security.AllowedHttpMethods property is not set, the system will assume a setting of "GET,PUT,POST,DELETE,HEAD,OPTIONS".
- If the Security.ContentSecurityPolicyHeaderValue property is not set, the system will assume a setting of "default-src 'self' 'unsafe-inline' 'unsafe-eval';frame-ancestors 'self'; img-src 'self' data:".
- If the Security.CsrfSessionTokenProtectedUris property is not set, the system will assume a setting of "/teamworks/ajaxCoach,/teamworks/cs_".
- If the Security.CsrfSessionTokenSalt property is not set, the system will generate a random value and set it in the configuration to ensure the same value is shared by all cluster members.
- If the Security.StrictTransportSecurityHeaderValue property is not set, the system will assume a setting of "max-age=31536000; includeSubDomains".
- If the Security.XContentTypeOptionsHeaderValue property is not set, the system will assume a setting of "nosniff".
- If the Security.XXssProtectionHeaderValue property is not set, the system will assume a setting of "1; mode=block".

If your custom user interface application requires browsers to allow additional origins or features, configure the exact header values you need Business Automation Workflow to return. For example, you might need to extend the Security.ContentSecurityPolicyHeaderValue with additional origins to load images, stylesheets or even scripts from other sources.
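The header defaults listed in the local fix and the problem conclusion above are easiest to verify from the outside, by checking what the server actually returns. The following script is an added example, not IBM's code or part of the APAR fix: it parses an HTTP response (two constructed sample responses are embedded, one hardened and one not) and reports any header that is missing or weaker than the APAR defaults. It treats 'unsafe-inline' and 'unsafe-eval' in default-src as expected, because the APAR's own default includes them. Security.AllowedHttpMethods, Security.CsrfSessionTokenProtectedUris and Security.CsrfSessionTokenSalt are server-side settings that a single response does not reveal, so they are out of scope here.

```python
# Added example (not IBM's code): check a Business Automation Workflow response
# against the security-hardening header defaults described in APAR JR62125.
import re

# Defaults from the APAR's problem conclusion.
EXPECTED_HSTS_MAX_AGE = 31536000
EXPECTED_XCTO = "nosniff"
EXPECTED_XXP = "1; mode=block"

# Constructed sample responses (not captured from a real system).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval';"
    "frame-ancestors 'self'; img-src 'self' data:\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n<html></html>"
)
UNHARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n<html></html>"
)


def parse_raw_response(raw):
    """Split a raw HTTP/1.1 response into a dict of lowercase header names to values."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)  # first colon only; values may contain ':'
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value):
    """Return {directive: [source, ...]} from a Content-Security-Policy value."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for token in value.split(";"):
        token = token.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', token, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif token.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_hardening_headers(headers):
    """Return a list of findings; an empty list means the response meets the APAR defaults."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src directive")
        ancestors = policy.get("frame-ancestors")
        if ancestors is None:
            findings.append("CSP has no frame-ancestors directive (no framing restriction)")
        elif "*" in ancestors:
            findings.append("CSP frame-ancestors allows any origin")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < EXPECTED_HSTS_MAX_AGE:
            findings.append("HSTS max-age %r is below %d" % (max_age, EXPECTED_HSTS_MAX_AGE))
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != EXPECTED_XCTO:
        findings.append("X-Content-Type-Options is %r, expected %r" % (xcto, EXPECTED_XCTO))

    xxp = h.get("x-xss-protection")
    normalize = lambda s: "".join(s.split()).lower()
    if xxp is None or normalize(xxp) != normalize(EXPECTED_XXP):
        findings.append("X-XSS-Protection is %r, expected %r" % (xxp, EXPECTED_XXP))
    return findings


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("unhardened", UNHARDENED_RESPONSE)):
        print(label, check_hardening_headers(parse_raw_response(raw)) or "OK")
```

To run it against a live deployment, feed the header block of a real response (for example from a saved curl -i transcript) to parse_raw_response; the comparison logic is the same. Because the APAR default CSP still permits inline and evaluated script, a finding-free result means "matches the APAR defaults", not "strongest possible policy".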
Temporary fix
Comments
APAR Information
APAR number
JR62125
Reported component name
BUS AUTO WORKFL
Reported component ID
5737H4100
Reported release
J00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-03-13
Closed date
2020-06-21
Last modified date
2020-06-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUS AUTO WORKFL
Fixed component ID
5737H4100
Applicable component levels
Product: IBM Business Automation Workflow (SS8JB4)
Version: 19.0.0.1
Platform: Platform Independent (PF025)
Business Unit: Cloud & Data Platform (BU053)
Line of Business: Automation (LOB45)
Document Information
Modified date:
22 June 2020