Configuring SSL for WebSphere and IBM Http Server, part-4 : Dmgr and Nodes


It is always good to spend some time on thinking how to do instead of start doing it and then thinking what to do. Also it is always advisable to draw picture to understand complex things in simple way.

Now Observe the below picture of WebSphere setup having one Web Server, one DMGR and 2 nodes. Write down all the possible communications among them. Also include a browser and its communication with DMGR.

  1. Browser to DMGR
  2. DMGR to Nodes
  3. Web Server to Application Servers… Through plug-in

Thats it, now we know where all we can configure SSL and secure our WebSphere environments.

Note:

  • Take back up of configuration using backupconfig
  • In a secure communication both end points need to exchange their certificates to establish the secure link.
  • Stop all process related to websphere

WEBSPHERE-SSL-2

 

1. DMGR certificate

Start Deployment Manager [DMGR]

Replace DMGR certificate

  • In the Administrative Console, go to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates > Create a self-signed certificate. Enter the required attributes.
  • image 

  • Click OK and Save the changes
  • Go back to Security > SSL certificate and key management > Key stores and certificates > CellDefaultKeyStore > Personal certificates
  • Select the old DMGR certificate and click Replace.
  • On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers. Accept your new certificate and any browser prompts.
  • On the next screen, select the old certificate and click Delete. Click OK and Save the changes.

Now you have your DMGR certificate replaced

As i pointed earlier, the certs needs to be exchanged for establishing secure communication. So add the DMGR cert to DefaultCellTrustStore

  • Go to SSL certificate and key management > Key stores and certificates.
  • Select CellDefaultKeyStore and CellDefaultTrustStore and click Exchange signers.
  • image

  • Select the certificate in CellDefaultKeyStore personal certificates created in previous step and click Add.
  • image

  • Click OK and Save the changes.

2. Node Certificates

  • Go to Security > SSL certificate and key management > Manage endpoint security configurations.
  • Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null).
  • Click the Manage certificates button.
  • image

  • Click Create a self-signed certificate and Enter the required attributes.
  • Click OK and Save the changes
  • Go back to Security > SSL certificate and key management > Manage endpoint security configurations, click node_name(NodeDefaultSSLSettings,null), click Manage certificates.
  • Select the old certificate and click Replace.
  • On the next screen, you are able to choose which certificate will replace the old certificate. Accept your new certificate. Do not select either Delete old certificate after replacement or Delete old signers.
  • On the next screen, select the old certificate and click Delete. Click OK and save the changes.

Now Exchange the Node Signer cert with DefaultCellTrustStore

  • Go to Security > SSL certificate and key management > Manage endpoint security configurations.
  • Under Inbound, click the link for the node, node_name(NodeDefaultSSLSettings,null) and select Key stores and certificates.
  • Select NodeDefaultKeyStore and CellDefaultTrustStore and then Click Exchange signers.
  • image

  • Select the certificate in NodeDefaultKeyStore personal certificates created in previous step and click Add.
  • image

  • Click OK and Save the changes.

Delete the old signer certificates and extract the new ones.

  • Go to SSL certificate and key management > Key stores and certificates > CellDefaultTrustStore > Signer certificates
  • Select all of the old signer certificates and click Delete. If you are not sure, you can compare the Fingerprint and/or the Expiration dates with the personal certificate in the keystores.
  • Select one of the new certificates. Click Extract.
  • Enter a File Name that corresponds to the certificate. For example, node1.arm. Click Ok.
  • for each of the new certificates making sure you have done this for the cell signer and all of the node signers. These files are saved to the profile_root/Dmgr/etc directory

Manually copy the trust store to each of the /etc directories.

  • Backup the trust.p12 in profile_root\Dmgr\etc
  • Copy the profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Dmgr\etc
  • Backup the trust.p12 on each of the nodes profile_root\Appsrv\etc directories.
  • Copy the profile_root\Dmgr\config\cells\cell-name\trust.p12 to profile_root\Appsrv\etc

Note: If you have multiple nodes… You need to do the Node Certificate section for all nodes separately.

Now, Restart the DMGR and sync the nodes using ‘syncnode’ command. Then start Node Agents and Application Servers.

3. Plug-in

  • Go to Servers > Web servers. Click webserver_name, then under Additional Properties click Plug-in properties.
  • Click Manage keys and certificates under Additional Properties, click Signer certificates and then click AddEnter a unique Alias Name and then specify the File Name that you exported as .arm file
  • image

  • Repeat this for each of the new certificates making sure you have done this for the cell signer and all of the node signers.
  • Manually copy the plugin-key.kdb from the local configuration to the Web server. [ default locations: profile_root\Dmgr\config\cells\cell-name\nodes\node-name\servers\web-server-name\plugin-key.kdb to Web-server-root\Plugins\config\web-server-name\plugin-key.kdb]
  • Start the Web server

Note: If you have multiple web servers … you need to do the above steps for each web server separately

The steps and procedure are from IBM Websphere Infocenter and document Reference #: 1305596

Configuring SSL for WebSphere and IBM Http Server, part-3 : Client Authentication and Ciphers


Client Authentication:

If you enable client authentication, the server validates clients by checking for trusted certificate authority, Known as CA root certificates in the local key database. To enable client authentication, you need to use SSLClientAuth directive. The options to use with this stanza are:

  • None – The server requests no client certificate from the client.
  • Optional – The server requests, but does not require, a client certificate. If presented, the client certificate must prove valid.
  • Required – The server requires a valid certificate from all clients and returns a 403 status code if no certificate is present.
  • Required_reset – The server requires a valid certificate from all clients, and if no certificate is available, the server sends an SSL alert to the client. This enables the client to understand that the SSL failure is client-certificate related, and will cause browsers to re-prompt for client certificate information on subsequent access. make sure you have GSKit version 7.0.4.19 or later when you choose this option.
    For example, If i want all the clients to be authenticated, then i need to add the following stanza

SSLClientAuth required

Ciphers

We set the cipher specification to use during secure transactions. The specified cipher specifications validate against the level of the Global Security Kit (GSK) toolkit that is installed on your system. Invalid cipher specifications cause an error to log in the error log. If the client issuing the request does not support the ciphers specified, the request fails and the connection closes to the client. IBM HTTP Server has a built-in list of cipher specifications to use for communicating with clients over Secure Sockets Layer (SSL).  The actual cipher specification that is used for a particular client connection is selected from those which are supported by both IBM HTTP Server and the client.

Some cipher specifications provide a weaker level of security than others, and might need to be avoided for security reasons. Some of the stronger cipher specifications are more computationally intensive than weaker cipher specifications and might be avoided if required for performance reasons. When an SSL connection is established, the client (web browser) and the web server negotiate the cipher to use for the connection. The web server has an ordered list of ciphers, and the first cipher in that list which is supported by the client will be selected.

IBM HTTP Server supports the following SSL ciphers: SSLv3 and TLS and SSLv2

IBM recommends the following setting, keeping in mind both strong security and performance

  ## SSLv3 128 bit Ciphers
  SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
  SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

  ## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
  SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

  ## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
  SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

  ## Triple DES 168 bit Ciphers
  ## These can still be used, but only if the client does
  ## not support any of the ciphers listed above.
  SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

  ## The following block enables SSLv2. Excluding it in the presence of
  ## the SSLv3 configuration above disables SSLv2 support.

  ## Uncomment to enable SSLv2 (with 128 bit Ciphers)
  #SSLCipherSpec SSL_RC4_128_WITH_MD5
  #SSLCipherSpec SSL_RC4_128_WITH_SHA
  #SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5

View the Ciphers which the server uses for Secure transactions

Set the LogLevel to info in the configuration file. Look in the error log for messages in this format: TimeStamp info_message mod_ibm_ssl: Using Version 2/3 Cipher: longname|shortname. The order that the cipher specifications are displayed in the error log from top to bottom represents the attempted order of the cipher specifications.

View the Ciphers were used for negotiating a connection

You can use the following LogFormat directive to view and log the SSL cipher negotiated for each connection:

LogFormat “%h %l %u %t \”%r\” %>s %b \”SSL=%{HTTPS}e\” \”%{HTTPS_CIPHER}e\” \”%{HTTPS_KEYSIZE}e\” \”%{HTTPS_SECRETKEYSIZE}e\”” ssl_common

CustomLog logs/ssl_cipher.log ssl_common

This logformat will produce an output to the ssl_cipher.log that looks something like this:

127.0.0.1 – – [01/Sep/2010:00:02:05 -0800] “GET / HTTP/1.1″ 200 1582 “SSL=ON” “SSL_RSA_WITH_RC4_128_MD5″ “128″ “128″

SSL for multiple IP virtual hosts

When you do not define an SSL directive on a virtual host, the server uses the directive default. You can define different (SSL) options for various virtual hosts. To enable SSL:

  • Specify the SSLEnable directive on the virtual host stanza in the configuration file, to enable SSL for a virtual host.
  • Specify a Keyfile directive and
  • Any SSL directives you want enabled for that particular virtual host.
  • Restart the server.

With all the above security options enabled, your virtual host may look like this:

<VirtualHost *:443>

SSLEnable

Keyfile keyfile.kdb

SSLCientAuth required

## SSLv3 128 bit Ciphers

SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5

SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher

SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher

SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

## Triple DES 168 bit Ciphers

## These can still be used, but only if the client does not support any of the ciphers listed above.

SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

## The following block enables SSLv2.
## Excluding it in the presence of  the SSLv3 configuration above disables SSLv2 support.

## Uncomment to enable SSLv2 (with 128 bit Ciphers)

#SSLCipherSpec SSL_RC4_128_WITH_MD5

#SSLCipherSpec SSL_RC4_128_WITH_SHA

#SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5

</VirtualHost>

Configuring SSL for WebSphere and IBM Http Server, part2 : Restrict unused HTTP methods and Verbose HTTP headers


Restricting unused HTTP methods

The HTTP method is supplied in the request line and specifies the operation that the client has requested. Browsers will generally just use two methods to access and interact with web sites; GET for queries that can be safely repeated and POST for operations that may have side effects. This means, we need to disable unused http methods. some of them are:(PUT|DELETE|TRACE|TRACK|COPY|MOVE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL). Check with the application teams, if they need any of these methods for the application to work, before disabling them.

Testing before limiting http methods:

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx…
Connected to josephamrithraj.mp.
Escape character is ‘^]’.
OPTIONS / HTTP/1.1
Host: josephamrithraj.mp

HTTP/1.1 200 OK
Date: Thu, 14 Sep 2010 00:11:57 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

Connection closed by foreign host.

your IBM http servers configuration file [httpd.conf] has 2 sections named main and virtualhost sections. you need to add the following code at both the places. I am explaining this task using mod_rewrite module. So, first make sure that… mod_rewrite is enabled. then, add the following lines to your http.conf files main and virtualhost sections.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|TRACK|COPY|MOVE|LOCK|UNLOCK|PROPFIND|PROPPATCH|SEARCH|MKCOL)
RewriteRule .* – [F]

Restart the web server after adding the above lines.

Now, when someone tried to use one of these http methods, they will get forbidden response since we specified [F] in the rewrite rule.

Testing after adding and restarting web server

telnet josephamrithraj.mp 80
Trying xx.xx.xx.xx...
Connected to josephamrithraj.mp.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: josephamrithraj.mp

HTTP/1.1 200 OK
Date: Thu, 14 Sep 2010 00:15:44 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, POST
Connection closed by foreign host.

Testing TRACE methods

telnet josephamrithraj.mp 80 Trying xx.xx.xx.xx... Connected josephamrithraj.mp Escape character is '^]'. TRACE / HTTP/1.0 Host: josephamrithraj.mp testing... <- ENTER twice HTTP/1.1 403 Forbidden Date: Thu, 14 Sep 2010 00:18:31 GMT Server: Apache Web Server Content-Length: 320 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML(link) PUBLIC "-//IETF//DTD HTML(link) 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access / on this server.</p> </body></html> Connection closed by foreign host. 

Disable verbose HTTP headers:

you might have seen this … when the web server [apache or ibm http server] throws errors page, sometimes it might show the information related to its version, build, modules etc. This is a security issue since you are giving away the details about your web server. for example, take a look at this:
Server: Apache/2.0.53 (Ubuntu) PHP/4.3.10-10ubuntu4 Server at xx.xx.xx.xx Port 80
The line in the server header expose important version and variant information about the Linux operating system and Apache software used on the machine, indirectly expose the possible security holes that are existed to the hackers, or at least make malicious attackers easier to identify your system for available attack points.
To ensure that the Apache HTTP web server does not broadcast this message to the whole world publicly and fix possible security issue, modify these two directives ServerTokes and ServerSignature in httpd.conf configuration file.

ServerTokens

This directive configures what you return as the Server HTTP response Header. The built-in default is ‘Full’ which sends information about the OS-type and compiled in modules.  The recommended value is ‘Prod’ which sends the least information.

Options:  Full | OS | Minor | Minimal | Major | Prod

“ServerTokens Prod”

This configures Apache to return only Apache as product in the server response header on very page request, suppressing OS, major and minor version info.

ServerSignature

This directive lets you add a line containing the server version and virtual host name to server-generated pages. It is recommended to set it to OFF and Set to “EMail” to also include a mailto: link to the ServerAdmin.

Options: On | Off | EMail

“ServerSignature Off”

This instructs Apache not to display a trailing footer line under server-generated documents, which displays server version number, ServerName of the serving virtual host, email setting etc..

WebSphere Application Server v8 Primer, Part-7 : High performance extensible logging (HPEL)


High Performance Extensible Logging (HPEL) is a log and trace facility that is provided as a part of WebSphere Application Server. HPEL provides a convenient mechanism for storing and accessing log, trace, System.err, and System.out information produced by the application server or your applications. It is an alternative to the basic log and trace facility, which provided the JVM logs, diagnostic trace, and service log files commonly named SystemOut.log/SystemErr.log, trace.log, and activity.log.