Keys Botzum, Senior Technical Staff Member, keys@us.ibm.com, IBM Software Services for WebSphere, http://www.ibm.com/WebSphere/developer/services
IBM WebSphere
Related presentations
We assume you have seen or are familiar with:
- Core Concepts
- WAS Security Introduction
- WAS Advanced Authentication (cross cell trust issues)
You may be interested in:
- Application Isolation
- Application Hardening
- Hardening MQ
- SSL Configuration
Security Hardening
Scope
- WAS 6.0.2 Distributed (Unix, Linux and Windows)
- Most information here applies to V5.0.x and V5.1.x as well
- An introduction to the relevant changes in V6.1 is included (items are marked "New in 6.0" or "New in 6.1")
- Extended Deployment and Programming Model Extensions are not specifically covered
- WAS on other platforms is similar, but not covered here
- Web Services Security specific issues are not covered
A secure infrastructure protects your system from unwanted intrusions. WAS is one key part of that infrastructure. We are going to discuss how to secure WAS.
WAS isn't the only infrastructure component you need to secure. Identify and document all of the threats you wish to protect yourself from. Many are internal.
Intrusions
People and systems with IP connectivity to your network:
- Outsiders on the Internet
- Insiders on your Intranet: in many ways more dangerous, as they have knowledge, access, and possibly a grudge. Several sources state that the majority of attacks are internal.
- Email/browser exploits that serve as entry points to the company network
WAS provides a robust infrastructure for addressing most of these challenges, with some assembly required.
Agenda
- Introduction
- SSL Overview
- Infrastructure Preventative Measures
- Advanced Considerations
- Protecting your Desktop Environment
- Wrap-up
SSL Overview
[Figure: a Certificate Authority signs the public key into a certificate; the matching private key stays private with its owner.]
SSL Authentication
Server side SSL authentication in brief:
1. The server sends its certificate to the client and proves possession of the matching private key (from its key store).
2. The client validates the server's certificate by checking its expiration date and signature.
3. The signature is verified using the signing certificate in the client's trust store.
4. If the certificate signature is not right, the connection is refused.
Client side authentication is basically the same with the parties reversed.
Limiting connections to trusted clients
If we limit the signers we trust on the server, we can limit the clients that can complete the SSL handshake:
- With self-signed certificates there is only one signer, hence only one valid client side private key that can be used to connect.
- We can also limit the signers we trust on the client to ensure the client only connects to the right servers.
Basically the same if you have only a single key store on either side: the trust store and key store are the same file (e.g. the native KDB databases used by IBM HTTP Server and the WAS Web Server plugin). Ensure client certificate authentication is enabled (server certificate authentication is always on).
Basic Topology
[Figure: basic topology. Components: Web Server, Application Server, Application Server with ME (messaging engine), MQ Server, Session & SIB DB, App DB, EJB Client, wsadmin, Admin Browser. Links are labelled by protocol (H, I, W, J, M, MQ); see Protocols Used.]
Protocols Used
H = HTTP traffic. Usage: browser to web server, web server to app server, and admin web client. Firewall friendly.
I = RMI/IIOP communication. Usage: EJB clients (standalone and web container). Firewall hostile.
Protocols Used (continued)
MQ = WebSphere MQ protocol. Usage: MQ clients (true clients and application servers). Protocol: proprietary. Firewall feasible (there are a number of ports to consider; refer to MQ SupportPac MA86).
L = LDAP communication. Usage: WAS verification of user information in the registry. Protocol: TCP stream formatted as defined in the LDAP RFC. Firewall friendly.
S = SOAP. Usage: SOAP clients. Protocol: generally SOAP/HTTP. Firewall friendly.
[Figure: the same topology with a firewall (FW) in front of the Web Server, which sits in a DMZ; Web Services and EJB clients enter through the firewall; the App DB, wsadmin and the Admin Browser sit inside.]
The application servers and the other components go behind a second firewall on a "production" subnet.
You can take additional steps to further protect against internal network access; which steps are needed will vary:
- Consider limiting access to administrative functions (e.g. the Web Administration Console) to trusted VLANs or an internal VPN
- You might even consider a full internal DMZ
Beyond Firewalls
Firewalls are a valuable component in an overall security plan, but they are not sufficient. Now that we have firewalls in place, let's continue to harden WAS from attack. This list is in priority order.
Caveats once security is enabled:
- Does not protect all network links, but it protects most key ones; we'll cover the rest soon
- Administrators will now be required to authenticate
- Does not prevent network sniffing attacks until you change the default keys
- You may need to configure a virtual host alias for the HTTPS port (WAS assumes port 443 by default)
- WAS can enforce that HTTPS is used by an application by specifying a data constraint in web.xml
- You should use SSL for any confidential information, including LTPA tokens, session IDs, etc.
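As an added example (not from the original deck and not IBM code), the following script shows what the data constraint in web.xml looks like and audits a descriptor for constrained URL patterns that are not forced onto HTTPS. The sample web.xml, its URL patterns and its role names are constructed for this illustration.

```python
"""Audit a web.xml for constrained URL patterns that are not forced to HTTPS.

WAS honours a <user-data-constraint> with <transport-guarantee>CONFIDENTIAL
inside a <security-constraint>; any other value, or no user-data-constraint
at all, lets the container serve the resource over plain HTTP.
The descriptor below is constructed for this example.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login form</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def transport_guarantees(web_xml_text):
    """Map each constrained url-pattern to its transport guarantee.

    A constraint without <user-data-constraint> maps to "NONE", which is
    what the container applies in that case.
    """
    root = ET.fromstring(web_xml_text)
    # J2EE 1.4+ descriptors are namespaced; 2.3 (DTD) descriptors are not.
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    guarantees = {}
    for sc in root.iter(ns + "security-constraint"):
        tg = sc.find("./%suser-data-constraint/%stransport-guarantee" % (ns, ns))
        value = (tg.text or "").strip().upper() if tg is not None else ""
        for pat in sc.iter(ns + "url-pattern"):
            guarantees[pat.text.strip()] = value or "NONE"
    return guarantees


def unprotected_patterns(web_xml_text):
    """Sorted url-patterns whose guarantee is weaker than CONFIDENTIAL."""
    return sorted(pattern for pattern, value in transport_guarantees(web_xml_text).items()
                  if value != "CONFIDENTIAL")


if __name__ == "__main__":
    for pattern in unprotected_patterns(SAMPLE_WEB_XML):
        print("not forced to HTTPS:", pattern)
```

Note that the check only covers URL patterns that appear in some security-constraint; a resource with no constraint at all is served over either transport and will not show up here, so pair this with a review of which paths are constrained in the first place.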
To enable authentication, simply replace the existing File Transfer application with the secured version:
cd <profilehome>\bin
wsadmin.bat
wsadmin> source ../../../bin/redeployFileTransfer.jacl
wsadmin> fileTransferAuthenticationOn <cellName> <dmgrName> dmgr
wsadmin> $AdminConfig save
Protect JNDI
J2EE applications use JNDI to find other applications and resources. Too many have too much access by default.
Default (V6.0): Everyone = read; All Authenticated = read, write, create, delete. By default anyone in your registry can destroy a cell.
Allow everyone read-only access (recommended configuration): Everyone = read; All Authenticated = nothing. Applications that explicitly write to JNDI in application code will need to be granted access (rare). WAS ensures that its own components always have read/write access, so core function (e.g. binding EJBs and Datasources into the namespace) continues to work.
Everyone = nothing: Unauthenticated threads (e.g. anonymous servlets) can't read JNDI; MDBs can't access JNDI; local refs (e.g. java:comp/env) will not work; applications must authenticate users or authenticate themselves using JAAS or RunAs.
Permissions are set in the admin console via Environment > Naming > CORBA Naming Service Groups. WAS V6.1 by default uses the recommended configuration.
Messaging bus (new in 6.0): you'll also need to ensure client components (MDBs, JMS) authenticate using an appropriate identity (a user you determine). WAS V6.1 will by default require the users and groups that are authorised to access the bus to be explicitly configured; there is no AllAuthenticated access by default.
See the URL for a paper on securing WAS-MQ connections at the end of these slides
If using a Custom User Registry, ensure the link to the registry is encrypted and authenticated; the method will vary by user registry.
Replacing the default keys
As appropriate, create new SSL configurations with new key and trust files. In most cases, to address the default key problem it is sufficient to update the existing default SSL configurations shared by the WAS components (there are typically two in a cell):
- Create new key databases (key and trust) with a new private key and certificate using ikeyman
- Update the SSL config (Security > SSL > DefaultSSLSettings) to use the new key database
WAS V6.1 generates installation-unique keys at installation time; there is no more DummyKeyFile.
WAS 6.1 creates unique certs and key files for each profile out of the box:
- For base profiles, these are created in the node directory of the config repository
- Upon federation to a cell, the signer of these is added to the cell-wide trust store in the cell config directory
- For the plugin, this is all managed for you, which removes a considerable admin task from previous versions in keeping the keystores in sync
All of this can be managed with the admin console. Of course, we don't recommend making the web server hosting the plugin a managed node, so manual copying of automatically generated key files to the plugin will likely still be necessary.
Generally self-signed certificates are the best choice unless you have many Java clients. Self-signed certificates are not less secure than CA-issued ones, just harder to manage; not much harder in V6.1, since a Java client can import new signers if the user allows it.
WAS V6.1 will by default generate a certificate that uses the deployment manager hostname
Certificate is still not issued by a trusted Certificate Authority
Train your admins that if the unknown-signer prompt ever comes up again, there is a problem! People are the weakest link; ignoring the warning leaves you open to a potential man-in-the-middle attack.
WAS 6.0 introduces the ability to manage Web Servers as part of a cell. Two options (new in 6.0):
- Managed Node: a regular Node Agent collocated with the web server (in the DMZ)
- IHS Admin Server
Both approaches increase the potential attack surface; not recommended for use in a DMZ for a production environment (although convenient for a test environment).
Remove the JDKs installed when installing the Web Server and the Plug-in:
- The IHS installer leaves behind one JDK and the plug-in installer leaves behind two JDKs
- Zip up these installations if required for later uninstallation or fixpacks
- In WAS 6.1 only 2 JREs are left behind rather than the prior 3 JDKs: one JRE for the plugin, one for the web server (if IHS). These should still be archived and removed in 6.1.
In some cases it is critical that you limit Web Container access to trusted Web Servers only:
- If using client certificates (WAS is trusting the Web Server to verify the cert)
- If using a Trust Association Interceptor (TAI) that uses unverifiable information (e.g. only a userid is forwarded to the TAI)
To limit Web Container access to trusted Web Servers:
- Limit the Application Server to the HTTPS transport (delete the HTTP transport)
- Update the Web Server plugin and web container key and trust files such that each can talk only to the other, using the "limiting connections to trusted clients" approach described earlier
- Update the SSL configuration used for HTTPS to require client authentication
Sensitive files
- etc/DummyServerKeyFile.jks (you will probably change the name of the file): a JKS keystore containing WAS' private key
- etc/plugin-key.kdb: the web server's private key
- etc/plugin-key.sth: the password for access to plugin-key.kdb
- sas.client.props or soap.client.props: config files that may contain a user ID and password
- installedApps: files for applications that have been installed. Users other than WAS shouldn't be able to modify them. Might contain sensitive information.
Don't put private keys on a shared file system. Don't share private keys between test and production environments. Use caution when sending configuration files externally: they contain passwords!
Examples
We've seen TAIs that validate the host name in the HTTP header as an indicator of trust. Since headers can be trivially forged, this is completely insecure.
WebSEAL configuration: the WebSEAL TAI is quite secure IF configured properly.
- The mutualSSL property on the TAI means "assume that HTTP input is completely trusted and do no validation". Did you configure a trusted HTTPS tunnel from WebSEAL to WAS? Deprecated with the new TAM WebSEAL TAI (aka TAMPlus TAI).
- Password authentication: if no loginId property is specified, ANY valid userid and password combination is assumed to be a trusted server!
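As an added illustration of the two failure modes above (this is not IBM's WebSEAL TAI or any shipped code), here is a toy TAI that trusts a forged Host header next to one that trusts only a peer identity established by the TLS layer plus the one configured loginId/password. The request dicts, host name, certificate DN and credentials are all constructed for the example.

```python
"""Toy Trust Association Interceptor: header-trusting vs channel-bound trust.

Not IBM's WebSEAL TAI. A TAI sees the request the reverse proxy forwarded
and must decide whether to believe the user identity it carries (here the
iv-user header). Host name, DN, credentials and requests are constructed.
"""
import base64
import hmac

TRUSTED_PROXY_HOST = "webseal.example.com"                  # assumed
TRUSTED_PROXY_CERT_DN = "CN=webseal.example.com,O=Example"  # assumed
PROXY_LOGIN_ID = "webseal-proxy"                            # assumed loginId
PROXY_PASSWORD = "s3cret-proxy-pw"                          # assumed


def insecure_tai(request):
    """Trust the asserted user if a header names the expected proxy host.

    Any client on the network can send the same header, so this accepts
    whatever identity the caller chooses.
    """
    if request["headers"].get("Host") == TRUSTED_PROXY_HOST:
        return request["headers"].get("iv-user")
    return None


def hardened_tai(request):
    """Trust the asserted user only when the connection itself proves the
    caller is the proxy:
      * request["peer_cert_dn"] is the subject of the client certificate the
        TLS layer verified (mutual SSL), never taken from a header; and
      * the Basic credentials match the one configured loginId, not merely
        any valid registry user.
    """
    if request.get("peer_cert_dn") != TRUSTED_PROXY_CERT_DN:
        return None
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison against the single configured proxy login.
    if not (hmac.compare_digest(user.encode(), PROXY_LOGIN_ID.encode())
            and hmac.compare_digest(password.encode(), PROXY_PASSWORD.encode())):
        return None
    return request["headers"].get("iv-user")


def basic(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def forged_request(victim="wasadmin"):
    """Attacker with network access, no proxy certificate, forged Host header."""
    return {"peer_cert_dn": None,
            "headers": {"Host": TRUSTED_PROXY_HOST, "iv-user": victim}}


def genuine_request(user="alice"):
    """Request arriving over the proxy's mutually authenticated TLS tunnel."""
    return {"peer_cert_dn": TRUSTED_PROXY_CERT_DN,
            "headers": {"Host": TRUSTED_PROXY_HOST, "iv-user": user,
                        "Authorization": basic(PROXY_LOGIN_ID, PROXY_PASSWORD)}}


def any_valid_user_request(victim="wasadmin"):
    """Caller on the tunnel presenting a real registry account that is not
    the proxy's loginId: the 'any valid userid and password' case."""
    req = genuine_request(victim)
    req["headers"]["Authorization"] = basic("bob", "bobs-real-password")
    return req


if __name__ == "__main__":
    print("insecure accepts forged:", insecure_tai(forged_request()))
    print("hardened rejects forged:", hardened_tai(forged_request()))
    print("hardened accepts proxy:", hardened_tai(genuine_request()))
    print("hardened rejects other user:", hardened_tai(any_valid_user_request()))
```

The property to carry over to a real TAI is where each trust input comes from: the peer certificate subject is a fact the server's TLS stack established, whereas every header is caller-controlled, and the loginId comparison must be against one configured identity rather than a successful registry login.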
LTPA SSO cookies: old and new cookie formats are supported simultaneously for compatibility with older WAS versions, WPS, Lotus Domino, TAM, etc. You can use only the new format if everything is WAS 5.1.1 or greater: disable Interoperability Mode on the Security > Global Security > Authentication Mechanisms > LTPA > Single Sign-on configuration panel.
WAS tools will prompt (often graphically) as of 6.0.2 or later if a password is not provided. Prior to 6.0.2 you can force the prompt by using the RMI JMX connector: -conntype RMI -port <bootstrap port>.
- Bootstrap is usually 9809 on the dmgr and 2809 for nodes
- Applies to most command line tools, including wsadmin
- If you leave out the port or there is an error, it will silently fall back to SOAP
- tperfviewer is special; use ./tperfviewer.bat localhost 9809 RMI
An installer bug sometimes makes this not work. If so, try this tech note:
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/rtrb_wsadminprobs.html
To use stdin instead of the GUI prompt, edit sas.client.props (for RMI) and/or soap.client.props (for SOAP):
soap.client.props: com.ibm.SOAP.loginSource=stdin
sas.client.props: com.ibm.IIOP.loginSource=stdin
Beware that RMI is firewall hostile.
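An added example, not IBM's, that combines two checks from this deck: the file permissions on the sensitive files listed earlier (key stores, stash files, client property files) and the loginSource and stored-password settings in sas.client.props and soap.client.props. The profile tree it scans is constructed in a temp directory. The property names com.ibm.CORBA.* and com.ibm.SOAP.* are the ones I believe the shipped client files use (com.ibm.IIOP.loginSource, as written above, is checked as well); verify them against your own copies.

```python
"""Find secrets exposed on disk in a WAS profile.

Two checks, combined: (1) key stores, stash files and client property
files readable by group or other; (2) sas.client.props / soap.client.props
that carry a stored password or loginSource=properties. The profile tree
scanned here is constructed in a temp directory; pass a real
<profile_home> to audit_profile() to check a real one.
"""
import os
import stat
import tempfile

SENSITIVE_SUFFIXES = (".jks", ".kdb", ".sth", ".p12", "client.props")
# Assumed property names from the shipped client files (sas = RMI/IIOP, soap = SOAP).
PASSWORD_KEYS = ("com.ibm.CORBA.loginPassword", "com.ibm.SOAP.loginPassword")
SOURCE_KEYS = ("com.ibm.CORBA.loginSource", "com.ibm.IIOP.loginSource",
               "com.ibm.SOAP.loginSource")


def parse_props(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def readable_by_others(path):
    """True if group or other has read permission on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_profile(profile_home):
    """Return sorted (relative path, finding) pairs for the profile tree."""
    findings = []
    for dirpath, _, files in os.walk(profile_home):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, profile_home).replace(os.sep, "/")
            if name.endswith(SENSITIVE_SUFFIXES) and readable_by_others(path):
                findings.append((rel, "readable by group/other"))
            if name.endswith("client.props"):
                with open(path) as fh:
                    props = parse_props(fh.read())
                for key in PASSWORD_KEYS:
                    # A {xor}... value is obfuscation only (trivially reversible), so it counts.
                    if props.get(key):
                        findings.append((rel, "stored password in " + key))
                for key in SOURCE_KEYS:
                    if props.get(key) == "properties":
                        findings.append((rel, key + "=properties (use prompt or stdin)"))
    return sorted(findings)


def build_sample_profile():
    """Constructed profile layout for the demonstration; returns its root."""
    root = tempfile.mkdtemp(prefix="wasprofile_")
    sample = {
        # world-readable server key store: one finding
        "etc/DummyServerKeyFile.jks": (b"\x00", 0o644),
        # stash file locked to the owner: fine
        "etc/plugin-key.sth": (b"stash", 0o600),
        # stored (constructed, xor-style) password plus loginSource=properties: two findings
        "properties/soap.client.props": (
            b"com.ibm.SOAP.securityEnabled=true\n"
            b"com.ibm.SOAP.loginSource=properties\n"
            b"com.ibm.SOAP.loginUserid=wasadmin\n"
            b"com.ibm.SOAP.loginPassword={xor}KD4sPjsyNjE=\n", 0o600),
        # prompting on stdin with no stored password: fine
        "properties/sas.client.props": (
            b"com.ibm.CORBA.loginSource=stdin\n"
            b"com.ibm.CORBA.loginUserid=\n"
            b"com.ibm.CORBA.loginPassword=\n", 0o600),
    }
    for rel, (data, mode) in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, finding in audit_profile(build_sample_profile()):
        print("%-32s %s" % (rel, finding))
```

Run it against a real profile by calling audit_profile("<profile_home>"); anything it reports for a client.props file is a credential that any reader of the file can reuse against the admin connectors, so fix the permissions first and then switch loginSource to prompt or stdin.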
Messaging transports (new in 6.0): for each application server, disable the InboundBasicMessaging transport; clients will then only be able to use the InboundSecureMessaging transport.
DCS always authenticates messages when Global Security is enabled, but maximise security by encrypting this link: for each Core Group, select a transport type of channel framework and DCS-Secure as the channel chain name.
If you can't swing DB encryption, protect this link as best you can:
- Keep it inside your intranet. NEVER expose the DB to the Internet.
- Use firewalls to protect the production database from non-production networks
- Use clever network routing and/or firewalls to limit access to the DB to "trusted" client machines
- Use VPN technology (such as IPSEC) to encrypt links between the DB and WAS
Create a WAS user ID account for each person that will administer the WAS domain. Create it in your registry, then, using the admin console, specify additional administrators: System Administration > Console Users/Groups. These are users/groups from the underlying WAS registry. Grant these users/groups CosNamingCreate and CosNamingDelete in the CORBA namespace or they won't be able to log into the admin console.
As of WAS 5.0.2, all administrative actions that result in changes to the configuration are audited by the Deployment Manager, including the identity of the principal that made the change. These records are much more useful if each administrator has a separate identity.
Now you can limit administrative access based on need. This is valuable, for example:
- During development, the lead developer can give all developers the ability to start/stop app servers, but not mess with the repository
- During production, you can give people permissions based on job role
- Monitoring tools (which often store passwords in a file) can have only monitoring permissions
Access is cell wide; split into multiple WAS cells to restrict access. WAS V6.1 provides administrative isolation (new in 6.1), but it is only available using the command line and does not apply to the Admin Console.
Administrative Roles
- Administrator
- Configurator
- Sensitive Config
- Operator
- Monitor
Node Agent as root, servers as non-root: the Node Agent runs as the root (or root-like) OS user, with read and write privileges for the application server profile(s) plus the Node Agent profiles. WAS administrators have implicit root authority. Difficult to configure. You can use the LocalOS registry, but have to set a special property (WAS_UseRemoteRegistry). Has almost no meaningful impact on security, but can be useful for application server level accounting.
Options Summary
- All as root user: WAS admins have implicit root authority
- Node as root
- All as non-root
Considerations (which apply varies by option): some WAS admin tasks may require root access; the Operating System Registry can't be used; fairly complex file ownership/permission issues.
Application isolation cannot be addressed by operating system permissions. You need Java 2 security and MUCH more. Refer to the application isolation materials.
If you want to assure that RMI/IIOP traffic is encrypted, ensure that SSL is the only acceptable option at negotiation time: under Security > Authentication Protocol > CSIv2 > Inbound Transport and Security > Authentication Protocol > CSIv2 > Outbound Transport, change Transport from SSL-supported to SSL-required.
Keep up with fixes: http://www.ibm.com/support/mysupport
Warning: security fixes are usually rolled into the next Cumulative Fix or Refresh Pack for every supported release and are then no longer listed on the recommended updates page. Keep up to date with all your infrastructure components (Operating Systems, LDAP, Database, Web Server etc.), not just WAS.
Password caching can be disabled by setting a JVM system property as follows:
com.ibm.websphere.security.util.authCacheEnabled=BasicAuthDisabled
Agenda: Advanced Considerations (Cross Cell Trust, WAS Weaknesses)
Net: identity assertion can slightly reduce risk over shared LTPA keys. WAS V6.1 allows cell A to use a defined account in cell B's user registry, which eliminates the need to share cell B's security server ID password with cell A: specify an alternative trusted identity on the CSIv2 outbound panel.
The JMX callback involves a secure call from server B to server A to obtain the user's tokens (authentication information). Server B authenticates to server A by sending its admin userid and password; server A authorizes server B by verifying that the userid has administrative authority.
Agenda
- Introduction
- SSL Overview
- Infrastructure Preventative Measures
- Application Preventative Measures
- Advanced Considerations
- Protecting your Desktop Environment
- Wrap-up
Agent Controller
The Agent Controller is installed by default and is used for monitoring application servers. By default (prior to 6.0.1), the Agent Controller accepts requests from any host without authentication and could be used to read any file from your computer.
Other hardening steps (from this presentation) are worth considering but not as critical. Other weaknesses can be used to damage the embedded test environment, which will be frustrating, but shouldn't result in compromise of the entire desktop. WAS V6.1 will enable Administrative Security by default and includes a supported file registry.
The WAS V6.1 AST does not include the Agent Controller. Presumably RAD V7 will, and this should be addressed by default. It appears to be part of an open source project: http://www.eclipse.org/tptp/
You should also be monitoring system logs, including the WAS serious event stream. Events tell you something about the system activity and may help detect intruders or failures, ideally using automated tools to correlate events.
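An added example, not from the deck, of the kind of automated correlation just described: it parses constructed SystemOut.log-style lines, raises one alert when a user accumulates five authentication failures within a minute, and reports every authorization denial. The line layout and the message IDs (SECJ0118E, SECJ0053E) are assumed from memory of WAS logs; match them against your own logs before relying on them.

```python
"""Detect authentication-failure bursts and authorization denials in
WAS SystemOut.log lines.

The log lines below are constructed; the line layout and the message IDs
SECJ0118E (authentication error) and SECJ0053E (authorization failed) are
assumed from memory of WAS logs and should be checked against real output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
[10/3/06 14:22:07:101 EDT] 0000001a LTPAServerObj E   SECJ0118E: Authentication error during authentication for user wasadmin
[10/3/06 14:22:09:412 EDT] 0000001a LTPAServerObj E   SECJ0118E: Authentication error during authentication for user wasadmin
[10/3/06 14:22:11:008 EDT] 0000001b LTPAServerObj E   SECJ0118E: Authentication error during authentication for user wasadmin
[10/3/06 14:22:12:555 EDT] 0000001b LTPAServerObj E   SECJ0118E: Authentication error during authentication for user wasadmin
[10/3/06 14:22:14:230 EDT] 0000001c LTPAServerObj E   SECJ0118E: Authentication error during authentication for user wasadmin
[10/3/06 14:22:30:000 EDT] 0000001d RoleBasedAuth A   SECJ0053E: Authorization failed for bob while invoking (Bean)ejb/Payroll#Payroll transfer:2
[10/3/06 15:10:00:000 EDT] 0000001e LTPAServerObj E   SECJ0118E: Authentication error during authentication for user carol
[10/3/06 15:30:00:000 EDT] 0000001f LTPAServerObj E   SECJ0118E: Authentication error during authentication for user carol
[10/3/06 15:30:01:000 EDT] 00000020 WebContainer  A   SRVE0242I: [isclite] [/ibm/console] [/secure/logon.do]: Initialization successful.
"""

# [timestamp tz] thread component level MSGID: text
LINE_RE = re.compile(r"^\[([^\]]+?) (\w+)\] (\w+) (\w+)\s+(\w)\s+([A-Z]{4}\d{4}[A-Z]): (.*)$")


def parse_events(log_text):
    """Yield one dict per line that carries a message ID; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _tz, thread, component, level, msg_id, text = m.groups()
        yield {"ts": datetime.strptime(ts, "%m/%d/%y %H:%M:%S:%f"),
               "thread": thread, "component": component, "level": level,
               "id": msg_id, "text": text}


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, principal, timestamp) in log order.

    auth-failure-burst fires once per user when `threshold` SECJ0118E
    events fall inside a sliding `window`; authz-denied fires for every
    SECJ0053E line.
    """
    alerts, alerted = [], set()
    recent = defaultdict(deque)
    for ev in parse_events(log_text):
        if ev["id"] == "SECJ0118E":
            m = re.search(r"for user (\S+)", ev["text"])
            user = m.group(1) if m else "<unknown>"
            q = recent[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append(("auth-failure-burst", user, ev["ts"]))
        elif ev["id"] == "SECJ0053E":
            m = re.search(r"Authorization failed for (\S+)", ev["text"])
            alerts.append(("authz-denied", m.group(1) if m else "<unknown>", ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, who, when in detect(SAMPLE_LOG):
        print(when.isoformat(), kind, who)
```

Threshold and window are deliberately parameters: five failures in a minute against the administrative ID is a different event from five over a day, and the per-user sliding window is what stops a slow, distributed guess from hiding in the noise of ordinary typos.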
ACert tool (new in 6.1): checks SSL certificates for expiration dates. http://www.ibm.com/support/docview.wss?uid=swg24006797
References
- WebSphere Security Presentation Series: http://pokgsa.ibm.com/~keys/documents/securitySeries
- ISBN 0131468626: http://search.barnesandnoble.com/booksearch/isbnInquiry.asp?isbn=0131468626&itm=5
- 128.ibm.com/developerworks/websphere/techjournal//0512_botzum/0512_botzum1.html
Appendix
SCA components that read from or write to queues require authentication if security is enabled: specify authentication alias information on the connection in the bindings panel.
There is lots of potential to export Web Services, which means you need to secure those in the usual manner, e.g. web services authentication (WS-Security or transport) plus EJB authorization.
Human tasks use the Staff registry for making authorization decisions, not the user's authenticated Subject; custom group information in the Subject will be ignored.
Authorization Issues
- Coarse grained authorization: you don't have much control over who can edit/manage particular instances of something
- Weak default authorization: some components have rather open authorization (typically all authenticated) by default
Look at
Legal
Copyright IBM Corporation 2004, 2005. All rights reserved. IBM, the IBM logo, the e-business logo and other IBM products and services are trademarks or registered trademarks of the International Business Machines Corporation, in the United States, other countries or both. References in this publication to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this publication may change at any time at IBMs sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries or both. Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both.
All other trademarks, company, products or service names may be trademarks, registered trademarks or service marks of others.