IBM Support

Removing the DefaultApplication template scripts from the WebSphere Application Server profile for ClearQuest Web

Troubleshooting


Problem

The IBM WebSphere Application Server where IBM Rational ClearQuest is deployed contains some testing and debugging scripts and sample applications. Some of these scripts and applications provide information such as system paths and versions. You can remove these sample scripts and applications from a production environment to prevent malicious attacks created by using the information obtained from the target host.

Symptom

There are no adverse symptoms apparent to ClearQuest users.

Cause

The IBM Installation Manager deploys ClearQuest Web into the WebSphere Application Server profile by using a WebSphere Application Server default template. The default template places some sample testing and debugging scripts and sample applications on the server.

Diagnosing The Problem

The following sample scripts and applications might be included in your WebSphere Application Server profile for ClearQuest Web. These scripts might also be referenced in the plugin-cfg.xml file for IBM HTTP Server (IHS) and WebSphere Application Server:

https://<server>/snoop
https://<server>/hello
https://<server>/ivt/
https://<server>/hitcount
https://<server>/HitCount.jsp
https://<server>/HelloHTMLError.jsp
https://<server>/HelloHTML.jsp
https://<server>/HelloVXMLError.jsp
https://<server>/HelloVXML.jsp
https://<server>/HelloWMLError.jsp
https://<server>/HelloWML.jsp
https://<server>/cqweb/j_security_check

Note: The http protocol might be referenced in the plugin-cfg.xml file instead of https, as specified above.

Resolving The Problem

Depending on your business and security requirements, the following configuration changes might be appropriate to remove, disable, or hide the sample scripts and applications that are included with the WebSphere Application Server default template.



Option 1

Procedure
  1. Log on to the WebSphere Application Server administrative console for the profile associated with ClearQuest Web. Here is the default location of the console:
    http://localhost:12060/ibm/console
  2. Click Applications > Application Types > WebSphere enterprise applications.
  3. Select the check box in the Select column beside DefaultApplication.

    Important: There is a green arrow indicating that this application is running. An application that is not running is indicated by a red 'X' icon.
  4. Click Stop to simulate what will happen if you remove this web application.
  5. You can verify that the DefaultApplication stopped by attempting to access each script specified in the plugin-cfg.xml file. This is an indication of what it will be like when the DefaultApplication is removed.
  6. If satisfied, repeat Steps 1-4. However, in Step 4, click Uninstall instead of Stop. Repeat Step 5 to verify that the DefaultApplication stopped.
  7. You might need to repeat this procedure each time after upgrading ClearQuest Web.

Result
The DefaultApplication is removed.
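To carry out the verification in step 5 against the sample paths listed under Diagnosing The Problem, the following added script (not part of the technote or of the product) reads the Uri entries from a plugin-cfg.xml and probes each sample path, reporting any that still answer with something other than 404. The plugin-cfg.xml excerpt, the prefix list and the host names are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Constructed excerpt shaped like the UriGroup section of a WebSphere plugin-cfg.xml
# (a real file carries more attributes, groups and routes; only Uri Name is used here).
SAMPLE_PLUGIN_CFG = """<Config>
  <UriGroup Name="default_host_server1_Cluster_URIs">
    <Uri Name="/snoop/*"/>
    <Uri Name="/hello"/>
    <Uri Name="/hitcount"/>
    <Uri Name="/ivt/*"/>
    <Uri Name="/HitCount.jsp"/>
    <Uri Name="/HelloHTML.jsp"/>
    <Uri Name="/cqweb/*"/>
    <Uri Name="/cqweb/j_security_check"/>
  </UriGroup>
</Config>"""

# Path prefixes of the DefaultApplication samples named in the technote (assumed list).
# /cqweb/* is ClearQuest Web itself and is deliberately not probed.
SAMPLE_PREFIXES = ("/snoop", "/hello", "/hitcount", "/ivt", "/HitCount", "/Hello")

def sample_uris(plugin_cfg_xml: str) -> List[str]:
    """Extract sample-application URIs from plugin-cfg.xml; a '/x/*' pattern becomes '/x/'."""
    uris = []
    for uri in ET.fromstring(plugin_cfg_xml).iter("Uri"):
        name = uri.get("Name", "")
        if name.startswith(SAMPLE_PREFIXES):
            uris.append(name[:-1] if name.endswith("/*") else name)
    return uris

def http_status(url: str) -> int:
    """Live probe: the HTTP status code, or 0 when no response could be obtained."""
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.getcode()
    except HTTPError as err:
        return err.code
    except URLError:
        return 0

def still_exposed(base: str, uris: List[str],
                  fetch: Callable[[str], int] = http_status) -> Dict[str, int]:
    """Map each sample URI under base to its status, keeping only those that did not
    answer 404. Empty result: the DefaultApplication is stopped or removed as seen
    from base. A status of 0 means the probe got no answer and needs a manual look."""
    results = {u: fetch(base + u) for u in uris}
    return {u: status for u, status in results.items() if status != 404}
```

Run still_exposed against both the IHS base (https://<server>) and the direct WebSphere port (http://<server>:12080) so the same pass confirms the removal and that the direct port is not reachable from outside.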



Option 2

Procedure
  1. Log on to the WebSphere Application Server administrative console for the profile associated with ClearQuest Web. Here is the default location of the console:
    http://localhost:12060/ibm/console
  2. Click Applications > Application Types > WebSphere enterprise applications.
  3. Click DefaultApplication.
  4. In the "Web Module Properties" section, click Context Root For Web Modules.
  5. In the Context Root text box, change the value of '/' (a single forward slash) to a longer string, for example, /inaccessible or /unplugged or /un1qu3_p4th, retaining the initial forward slash '/' character.
    Important: Select a unique name for the context root. For security purposes, be sure to specify a non-intuitive path.
  6. Click OK. On the next screen, click Save.
  7. Restart the WebSphere Application Server profile.

Result
ClearQuest Web continues to work. However, you can no longer access any scripts that are hosted by the DefaultApplication on port 80. For example, if you specify /inaccessible in the Context Root text box in Step 5 above, the following sample scripts and applications will fail with a 404 not found error:

http://localhost/hitcount
http://localhost/hello
http://localhost/inaccessible/hitcount
http://localhost/inaccessible/hello

The next URLs, which bypass IHS and connect directly to the WebSphere Application Server port, will fail as well:

http://localhost:12080/hitcount
http://localhost:12080/hello

They fail with an error of this form:

"SRVE0255E: A WebGroup/Virtual Host to handle /fail/hitcount has not been defined."

However, the following URLs will continue to work, although the context root /inaccessible is not advertised anywhere, so no one outside the administration team knows it:

http://localhost:12080/inaccessible/hitcount
http://localhost:12080/inaccessible/hello

Important: To properly firewall your server, ensure that only port 80 and SSL port 443 are directly accessible. Do not allow direct access to WebSphere Application Server port 12080.

Note: This issue was identified as a product defect and logged under APAR PM66896 and is fixed in Rational ClearQuest Fix Pack 4 (8.0.0.4) for 8.0. Upgrading from ClearQuest V8.0.0.x to V8.0.0.4 does not resolve the issue because a new profile is not created during an upgrade.
  • If you perform the steps described in Option 1 or Option 2 to remove the DefaultApplication scripts in ClearQuest V8.0.0.x, and then upgrade to V8.0.0.4, the DefaultApplication scripts remain uninstalled.
  • If you upgrade from ClearQuest V8.0.0.x to V8.0.0.4 without removing the DefaultApplication scripts, and then uninstall and reinstall the ClearQuest Web component, the issue is resolved.


Document Information

Modified date: 16 June 2018

UID: swg21599361