Related presentations
We assume you've seen or are familiar with
Core Concepts
Key, Certificate, and SSL Management
Security Introduction
You may be interested in
Firewalls
Hardening MQ SSL Configuration
Application Isolation
Application Hardening
Cross Cell SSO
Service Integration Bus
PCI Considerations
WPS Security Overview
Materials may not be reproduced in whole or in part without the
prior written permission of IBM
Fixed in V8.5
Fixed in V8
Potential Intrusions
People and systems with IP connectivity to your network
Outsiders on the Internet
Insiders on your Intranet
Table of Contents
Introduction
Hardening High Importance
Hardening Medium Importance
Hardening Low Importance
Other Considerations
Basic Topology
Secure By Default
WAS V6.1 has greatly improved security hardening along several key dimensions
Secure by default
Liberty V8.5
All Profiles:
R/W Local OS file access enables complete admin control.
Priority Order
The hardening slides are organized in rough priority order
High
There are real risks here but they are obscure and difficult for a hacker to leverage
> Some reasonable people will ignore these issues
> Highly sensitive systems should address these as well
Many of the issues raised are judgment calls, so carefully consider your own requirements and security policies
Agenda
Introduction
Hardening High Importance
Hardening Medium Importance
Hardening Low Importance
Other Considerations
[Basic Topology diagram: Browser, and Admin Browser / wsadmin, outside firewalls (FW); Web Server; Application Server with ME and a second Application Server; Node Agents; Deployment Manager; LDAP; Session & SIB DB; Web Services App DB; MQ. Link labels: H, F, W, I, J, L, M, N.]
An intruder might even be able to modify web page content for public pages, which could also confuse your users
This is because an intruder might be able to capture cookies sent in the clear (before or after login) and then act as that user
This attack has been demonstrated at public WiFi access points
Configuring/Enforcing
Refer to your Web server's documentation for instructions
Popular web browsers ship with 100s of pre-trusted CA certificates. You'll likely want to support one of them. Purchase a certificate from a well-known CA.
You may need to configure a virtual host alias for the HTTPS port (WAS assumes port 443 by default)
WAS can enforce that HTTPS is used by an application by specifying a data constraint in web.xml
Testing
Go to www.ssllabs.com
Select Server Test and input your website
Experience shows that very few applications can develop their own custom authentication mechanism successfully; most are laughably insecure
It is not necessary to enable Java 2 security
Liberty V8.5
<featureManager>
<feature>appSecurity-1.0</feature>
</featureManager>
WAS 6.0 and later can manage Web servers as part of a cell
Two options
Managed Node: a regular Node Agent collocated with the Web server (likely in the DMZ)
IHS Admin Server
Both approaches increase the attack surface
Not recommended for use in a DMZ for a production environment (although convenient for a test environment)
E.g., look at the URLs it is proxying and make sure the list is just what is needed and no more
[Diagram: over HTTPS, the Web Server performs Authn, Authz and Audit and adds headers (user, misc headers); the request passes over HTTPS to the TAI (user, misc headers) and on to the Application, which gets the User Identity and the Headers.]
Forging HTTP headers can be done easily using any browser and a graphical plugin such as Tamper Data. I could then
Forge certificate information by sending it directly to the web container if the web server is performing certificate authentication (see next slide)
Possibly trick applications by falsifying proxy or web server provided headers
Bypass Prevention
Firewalls
Typically a firewall will prevent access from the internet to the web server and web container
What about users on the internal network?
You should have internal firewalls as well
Bypass Prevention
Preventing bypass using transport tricks
Configure every web server to listen only to the proxy server IP address and every web container to listen only to the web server IP address
Configure every web server to require mutual SSL and trust only proxy server certificates, and configure every web container to require mutual SSL and trust only web server certificates
Detecting Bypass
Detecting bypass at web container is the best option
Verify that the request really did come from the trusted web server or proxy server
While this may be complicated to configure, if the configuration is wrong, the system will fail rather than being insecure
to the web container and JEE APIs to see the certificate used to connect to the web server
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/csec_trust.html
Authorize the request if the direct certificate used to connect to the web container is on the trusted list
If authenticating the end user using certificates, then the JEE-provided certificate is the end user's certificate. A TAI could use this as the user's identity
If validating the trust path from the proxy, then the JEE-provided certificate is the proxy's certificate and you can authorize the request based upon this
Refer to programming hints and tips for more
ISSW has an asset that demonstrates how to do the above
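The check described above, written out as an added example that is neither the page's code nor the ISSW asset it mentions: a servlet filter reads the certificate presented on the direct connection to the web container through the JEE request attribute and refuses the request unless that certificate's fingerprint is on a trusted list, so a wrong configuration fails closed. The class name and the fingerprint value are assumptions.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Rejects any request whose direct TLS peer is not a trusted front-end web server. */
public class TrustedPeerFilter implements Filter {
    // SHA-256 fingerprint of the client certificate the web server presents to the
    // web container. Constructed placeholder; load real values from configuration,
    // never from anything the request itself carries (headers can be forged).
    private static final Set<String> TRUSTED_PEER_FINGERPRINTS = Collections.singleton(
        "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
      + "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF");

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // The servlet API exposes the chain presented on the connection to the web
        // container itself; behind a web server doing mutual SSL that is the web
        // server's certificate, not the end user's.
        X509Certificate[] peerChain =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        // Fail closed: no client certificate, or an unknown one, means the request
        // did not arrive through a trusted web server.
        if (peerChain == null || peerChain.length == 0
                || !TRUSTED_PEER_FINGERPRINTS.contains(fingerprint(peerChain[0]))) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    /** Colon-separated hex SHA-256 digest of the DER certificate, as keytool prints it. */
    static String fingerprint(X509Certificate cert) throws ServletException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < digest.length; i++) {
                if (i > 0) sb.append(':');
                sb.append(String.format("%02X", digest[i]));
            }
            return sb.toString();
        } catch (java.security.GeneralSecurityException e) {
            throw new ServletException("cannot fingerprint peer certificate", e);
        }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Map the filter to every URL pattern of the application in web.xml; the container must already be configured to require mutual SSL on the transport, otherwise the request attribute is simply empty and every request is refused.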
Make sure you understand the implications of configuring and using a TAI
Weak point is usually server-to-server trust: how does the TAI know the caller is a server trusted to assert identity information?
Bad Examples
We've seen TAIs that validate the host name in the HTTP header as an indicator of trust
Long ago deprecated WebSEAL TAI can be configured insecurely if you are not careful
Liberty V8.5
Self-Signed certs.
Liberty V8.5
Full Profile
Mitigation:
Use SSL Client Auth to Web Container (Direct Connection Peer)
Can limit access to files not owned by that application server (doesn't address application servers running multiple applications)
Node agent must run as root (or root-like) OS user in order to start application servers
Then all applications on those nodes will share that common userid, but different nodes can have different userids
Could even run multiple node agents on a single machine
Doesn't scale well if you need lots of userids (one node agent per id per host)
Not a big fan of this, but it is workable in limited circumstances
All as nonroot
Agenda
Introduction
Hardening High Importance
Hardening Medium Importance
Hardening Low Importance
Other Considerations
If stolen, a third-party intruder can act as that user until the token expires
Cookies support the "secure" attribute, which tells the browser to send the cookie over HTTPS only
Note that there are other, more subtle attacks related to this that are discussed in the application hardening presentation
(7.0.0.9 required)
Liberty V8.5
<webAppSecurity ssoRequiresSSL="true"/>
Exposes password to anyone that can see process list on same machine
To force stdin instead of the GUI prompt, edit sas.client.props (for RMI) and/or soap.client.props (for SOAP)
soap.client.props: com.ibm.SOAP.loginSource=stdin, or
sas.client.props: com.ibm.IIOP.loginSource=stdin
Human beings need ids in the registry in order to authenticate to and manage WAS
The profile creation process ensures there is one root WAS admin user
Limit the use of this id
Create in your registry a user id (or use the user's existing registry id)
All administrative actions that result in changes to the configuration will be audited by the Deployment Manager
Including the identity of the principal that made the change
These records are much more useful if each administrator has a separate identity
Administrative Roles
[Role diagram listing First Administrative User, AdminSecurityManager, Administrator, Deployer, iscadmins, Configurator, Auditor, Operator and Monitor, together with the Edit Security and Edit Audit privileges; several roles are marked Partial.]
By default, the plug-in will use HTTPS to connect to the application server only if the Browser used HTTPS
Liberty V8.5
Example:
<httpEndpoint id="defaultHttpEndpoint" host="localhost" httpsPort="9443" />
http://www.ibm.com/developerworks/db2/library/techarticle/dm0806sogalad/?S_TACT=105AGY82&S_CMP=GENSITE
Internal link with step by step for WAS:
http://w3.ibm.com/connections/wikis/home?lang=en#/wiki/Jens%20Engelke/page/Using%20SSL%20with%20JDBC%20to%20communicate%20with%20DB2
Oracle Advanced Security supports encryption (built into 10g)
DataDirect Sequelink driver supports encryption (with SQL Server)
Microsoft's SQLServer driver supports it - http://msdn.microsoft.com/enus/library/bb879935%28v=SQL.100%29.aspx
Agenda
Introduction
Hardening High Importance
Hardening Medium Importance
Hardening Low Importance
Other Considerations
Examples:
Connecting with the administrative console to the secured port.
Connecting to WebSphere with wsadmin from a remote system.
Importing signers from a remote cell.
When you accept the signers, you are saying that you are willing to trust that they are who they claim to be.
How can you accept their claim without validating they are in fact who they say they are?
You can validate by verifying that the fingerprints are genuine
You can also import certificates into the server using the Retrieve From Port option
Here again it is critical that you verify the fingerprint
At least this operation is controlled by administrators that (hopefully) know better
$ ./wsadmin.bat
*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host localhost is not found in trust store
C:/IBM/WebSphere/AppServer/profiles/AppSrv02/etc/trust.p12
Here is the signer information (verify the digest value matches what is
displayed at the server):
Subject DN: CN=keysbotzum, O=IBM, C=US
Issuer DN: CN=keysbotzum, O=IBM, C=US
Serial number: 1151337276
Expires:
Tue Jun 26 11:54:36 EDT 2007
SHA-1 Digest:
53:43:75:86:A8:C3:55:15:98:35:54:E7:49:B7:15:AF:16:A9:53:6F
MD5 Digest: 29:36:B1:9C:22:5A:36:AD:78:B3:7E:FD:D3:B1:B4:19
Add signer to the trust store now? (y/n)
Alternatively, consider disabling this feature by editing ssl.client.props and setting this property:
com.ibm.ssl.enableSignerExchangePrompt=false
Option 2: accept the certificate on the first use as trusted after verifying the fingerprint
Maximum headers
Maximum number of headers that can be included in a single HTTP request
Default is 50
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/urun_chain_typehttp.html
New issue in V7
Profiles created under early fixpacks of 7.0 included, in the cell-level trust store by default, the DataPower signing certificate that signs the default certificate used by every DataPower box.
Instead, define a special-purpose SSL Configuration - not a change to the Cell truststore.
Fixed in some V7 Fixpack
By default in V8
Note: the cache actually holds a one-way password hash, so this is not a big risk!
Issues
com.ibm.websphere.security.util.authCacheEnabled = BasicAuthDisabled
Beware: logins using passwords will be slightly slower
Could be an issue for stateless web services
Warning - interoperability
For the old LTPAv1 token, the FIPS and non-FIPS crypto is not the same. Non-FIPS LTPAv1 uses proprietary DES encryption and proprietary RSA signatures. FIPS LTPAv1 uses the IBMJCEFIPS provider with "DESede/ECB/PKCS5Padding" encryption and "SHA1withRSA" signatures.
Domino SSO token sharing will stop working with FIPS since it supports only LTPA V1
In the future Domino will support LTPA V2
For the LTPA v2 token, both the IBMJCE and IBMJCEFIPS providers use "AES/CBC/PKCS5Padding" encryption and "SHA1withRSA" signatures
References:
WAS doc
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_fips.html
JVM doc - http://www.ibm.com/developerworks/java/jdk/security/60/FIPShowto.html
SP800-131 / Suite B
FIPS 140-2 is the old standard
NIST updated to an even stronger SP800-131 standard
NSA defined its own Suite B standard.
Both prohibit use of TLS 1.0 and TLS 1.1
WAS 7.0.0.23, 8.0.0.4, 8.5.0.0 add support
Transition Mode allows FIPS-120 and SP800-131
Strict Mode allows only SP800-131
Warning: All your clients must be able to support these restrictive ciphers.
See the What's new in WAS 8.5 Security presentation for the gory details.
Agenda
Introduction
Hardening High Importance
Hardening Medium Importance
Hardening Low Importance
Other Considerations
Don't Forget
Firewalls
See Firewall presentation
Development Tools
Next slide
You need firm and well understood security policies and strong enforcement
E.g., Don't give someone your password if they ask.
References
WebSphere Security Presentation Series
http://pokgsa.ibm.com/~keys/documents/securitySeries
WSDD - http://www128.ibm.com/developerworks/websphere/techjournal//0512_botzum/0512_botzum1.html
Futures
Nothing here is an IBM commitment
Appendix
If you have any legitimate need for access to the web server (perhaps a server to server call) it will now fail
If you make a mistake, the system is insecure
You don't have to share the same private key for every wildcard certificate if your CA allows it
If DNS is compromised, a request for a.ibm.com could be routed to b.ibm.com successfully, even over SSL
DREAD Table
"A DREAD table is a representation of threats used by Microsoft Corp. and is here described in more detail:
Damage Potential - If this vulnerability is successfully exploited, what is the worst that can happen?
Reproducibility - How easy is it to reproduce an attack on this vulnerability?
Exploitability - How easy is it to attack based on this vulnerability?
Affected users - What percentage of users is likely to be affected by this vulnerability?
Discoverability - How easy is it to find this vulnerability?"
Annualized Loss Expectancy (cost/year) = Single Loss Expectancy (cost) x Expected Annual Rate of Occurrences
[Attack tree diagram with nodes: Transfer funds from an account; Obtain user password; Hijack user session; Modify Source Code; Decrypt HTTPS connection; Compromise Web Server; Compromise Application Server]