IBM Support

Potential WebSphere Application Server problems when deployed behind a WebSphere-aware proxy server

Flashes (Alerts)


Abstract

Potential WebSphere Application Server problems when deployed behind a WebSphere-aware proxy server (like IBM HTTP Server and the WebSphere WebServer plug-in)

Content

Background
A WebSphere application running behind a HTTP proxy server may begin experiencing failures with client certificate based authentication, or if client IP addresses or connection information are reported incorrectly as those of the proxy server.  In such cases, it is necessary to configure the "trustedSensitiveHeaderOrigin" custom property.
On WebSphere Liberty, "trustedSensitiveHeaderOrigin" is configured as a HttpDispatcher custom property, and on traditional WebSphere the property is configured as an HTTP channel custom property.  This property has a default value of "none", which means that a subset of WebSphere-specific HTTP header are not trusted from any host. 
The property also accepts value a of "*" (all), or a comma-separated list of IP addresses.  For a secure deployment in which proxy servers are used, the "trustedSensitiveHeaderOrigin" property should be configured with a comma-separated list of IP addresses corresponding to those of any WebSphere-aware proxy servers in front of the WebSphere server.  With PH33180  (9.0.5.7, 8.5.5.20, and 21.0.0.2)  the values can additionally contain hostnames (with optional leading wildcards) and IP segments with wildcards.
Alternatively, to enable the original insecure behavior, set trustedSensitiveHeaderOrigin="*", which will direct the WebSphere server to trust all headers sent from any host or proxy.  This value must only be used for testing, or if the WebSphere server is isolated from external connections.
Configuring WebSphere Application Server traditional
Instructions to set HttpChannel custom properties in traditional WebSphere Application Server can be found here [1].  An abbreviated description of the configuration steps follows:
  1. For each server in the "Server Types -> WebSphere Application Servers", click the server name, expand "Web Container Settings" then click "Web container transport chains"
  2. Click "HttpQueueInboundDefault", then click the hyperlink beginning with "HTTP inbound channel", then "Custom properties", then add or modify a property of the name "trustedSensitiveHeaderOrigin"
  3. Repeat the above for "HttpQueueInboundDefaultSecure"
A scripting example is available that allows setting the trustedSensitiveHeaderOrigin custom property on every "HTTP Inbound Channel" found on the server or cell. Rename the file to trustedSensitiveHeader.py on your application server system and read the comment at the top of the file for details: trustedSensitiveHeader.py_.txt
Note: if the WebContainer custom property "trusted"[2] is set to false, none of the headers managed by trustedHeaderOrigin or trustedSensitiveHeaderOrigin will be trusted, regardless of the values of those properties. This is a relatively rare configuration.
Configuring WebSphere Liberty
Instructions to set HttpDispatcher custom properties in WebSphere Liberty can be found at [3] and [4]
 
As an example Liberty configuration, the following server.xml configuration will direct a Liberty server to trust all headers from a given proxy server:
<httpDispatcher trustedSensitiveHeaderOrigin="<TRUSTED_PROXY_IP_ADDRESS>"/>
Details:
This configuration is necessary in 8.5.5.16 / 9.0.0.11 / 9.0.5.0 and later for traditional WebSphere Application Server and 19.0.0.3 and later for WebSphere Liberty.
Note: The IP address you must supply is the IP address you see in "netstat" output on the connections between the proxy server and application server. On systems with multiple interfaces, or where the servers are co-located, the address in use for this connection might not be immediately clear and should be verified with netstat.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Liberty;9.0;8.5;8.0;7.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 July 2022

UID

ibm10879485