IBM Security Scanner for WebSphere Application Server
Downloadable files
Abstract
This command-line Java™ tool checks for potential security vulnerabilities that are caused by improper or incorrect WebSphere® Application Server security configuration.
Download Description
The tool scans the static security configuration files of WebSphere Application Server and WebSphere Application Server Network Deployment V6.x and 5.x to look for potential vulnerabilities. The tool produces an HTML report that contains the following information:
- The security configuration checks that were performed.
- The status of each check.
- A corrective action, if necessary.
- A link to the information center task that is related to the corrective action.
The IBM WebSphere Developer Technical Journal article entitled WebSphere Application Server V5.0 Advanced Security and System Hardening identifies many of the security checks that are performed and explains why the checks are important. Although the article refers to WebSphere Application Server Version 5.0 and V5.1, the information applies to V6.0.x as well. The article entitled WebSphere Application Server V6.1: What's new in security? discusses the security features that are introduced and how security hardening has been addressed in V6.1.
What the tool does not do:
- Does not check for runtime penetration vulnerabilities.
- Is not a general-purpose configuration diagnostic tool for WebSphere Application Server that is intended to aid in problem determination for configuration problems.
- Is not a fail-safe guarantee that the system is totally secure.
- Does not do network, host, physical, or operating system security vulnerability analysis.
Important note: This tool can only point out WebSphere Application Server configuration items which, if corrective action is taken, might improve the overall security of the WebSphere Application Server. IBM® does not make a claim or guarantee that the tool detects all of the possible security configuration issues. IBM also does not make a claim or guarantee that, if corrective action is taken for the items it does detect, the WebSphere Application Server system is completely secure from any or all possible threats. Consider network security, operating system security, and physical security in addition to WebSphere Application Server security.
Related information: Use the ACert tool to check for out-of-date Secure Sockets Layer (SSL) certificates that are used by WebSphere Application Server.
Prerequisites
The tool runs on the same system that is used to install WebSphere
Application Server.
Installation Instructions
Complete the following steps to install the tool:
1. Place the wsst.zip file (for WebSphere Application Server Version 5.x and V6.0.x) or the wsst61.zip file (for V6.1) in any directory on the machine that has the WebSphere Application Server installation to be scanned. For example, you might create a security_scanner directory under /usr/IBM/WebSphere/AppServer or C:\Program Files\WebSphere\AppServer and place the zip file in that directory.
2. Unzip (or unjar) the wsst.zip or wsst61.zip file. After unzipping the file, a wsst or wsst61 directory is created.
3. Change the current directory to the wsst or wsst61 directory that was created when you unzipped the wsst.zip or wsst61.zip file.
4. Edit the appropriate script file to replace the WAS_HOME variable with the path to your WebSphere Application Server installation. For example, you might change this variable to the C:\WebSphere\AppServer or /usr/IBM/WebSphere/AppServer directory on the same machine.
   The following list provides the Version 5.x and 6.0.x script file names for the different operating systems:
   - The Microsoft® Windows® operating systems: wsst.bat
   - The AIX®, HP-UX, Linux®, Solaris, and z/OS® operating systems: wsst.sh
   - The i5/OS® operating system: wsstxx.qsh
   The following list provides the Version 6.1 script file names for the different operating systems:
   - The Microsoft Windows operating systems: wsst61.bat
   - The AIX, HP-UX, Linux, Solaris, and z/OS operating systems: wsst61.sh
   - The i5/OS operating system: wsst61.qsh
Notes:
- The following different scripts are provided for the i5/OS operating system in the wsst.zip file: wsst50.qsh, wsst51.qsh, and wsst60.qsh. The numbers in the script file names refer to the version number of WebSphere Application Server against which you are running the tool. For example, on the i5/OS operating system, edit the wsst50.qsh file to change the WAS_HOME variable to point to the /QIBM/ProdData/WebAS5/Base directory and run the tool against a WebSphere Application Server Version 5.0 installation.
- On the z/OS operating system, you might have to convert the wsst.sh file from ASCII format to EBCDIC format and change the permission bits of the wsst.sh file to 755 in order to run the tool.
- On the AIX, HP-UX, Linux, and Solaris operating systems, after unzipping wsst.zip, run the chmod +x command to grant execute permission to the wsst.sh file.
Use the tool
For WebSphere Application Server Versions 5.x and 6.0.x, run the
appropriate script file on the command line from the same
wsst directory that was created when you unzipped the
wsst.zip file.
For WebSphere Application Server Version 6.1.x, run the appropriate script file on the command line from the same wsst61 directory that was created when you unzipped the wsst61.zip file.
For all operating systems other than the i5/OS operating system, the tool prompts for the WebSphere Application Server installation that you want to scan. Press Enter to scan the WebSphere Application Server installation that is referenced by the script, or enter the path to another WebSphere Application Server installation on the same machine that you want to scan.
Monitor and view the result
The tool displays the name of the WebSphere Application Server installation for V5.x, or the WebSphere Application Server profile name for V6.x, that is scanned. The tool also displays the name of each security check that is being performed along with its status. For V5.x on the OS/400 operating system, the tool displays the WebSphere Application Server instance name.
A report in the hostname_report_Date_Time.html format is
generated after the tool finishes. Open the report in a browser window to
view the result of the scan.
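The UNIX installation and run steps above (edit WAS_HOME in the script, grant execute permission, answer the installation prompt, then locate the generated report), collected into a small POSIX shell helper. This is an added example and is not part of IBM's wsst package. It assumes that wsst.sh or wsst61.sh carries a line of the form WAS_HOME=<path> (the exact line in IBM's script may differ), that the tool accepts the prompted installation path on standard input, and that the report is written to the working directory under the hostname_report_Date_Time.html name described above.

```shell
#!/bin/sh
# Added example (not IBM's code): helper functions around the manual steps above.
# Assumptions: the UNIX script has a line "WAS_HOME=<path>" (the real wsst.sh may
# differ); the report is written to the working directory as
# hostname_report_Date_Time.html; the tool reads the prompted path from stdin.

# set_was_home SCRIPT DIR: point WAS_HOME in SCRIPT at DIR and make SCRIPT executable.
# Refuses a DIR that does not exist so a typo is caught before the scan runs.
set_was_home() {
  script=$1; was_home=$2
  [ -d "$was_home" ] || { echo "WAS_HOME '$was_home' is not a directory" >&2; return 1; }
  # Rewrite line by line in plain shell: no sed escaping problems with '/' or '&' in the path.
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      WAS_HOME=*) printf 'WAS_HOME=%s\n' "$was_home" ;;
      *)          printf '%s\n' "$line" ;;
    esac
  done < "$script" > "$script.tmp" && mv "$script.tmp" "$script"
  chmod 755 "$script"   # the chmod +x / 755 step from the notes above
}

# latest_report DIR: print the path of the newest *_report_*.html in DIR (nothing if none).
latest_report() {
  ls -t "$1"/*_report_*.html 2>/dev/null | head -n 1
}

# run_scan SCRIPT DIR: feed the installation path to the tool's prompt from the
# script's own directory (as the instructions require) and print the report path.
# Relies on the stdin assumption above; not exercised offline.
run_scan() {
  script=$1; was_home=$2
  dir=$(dirname "$script")
  ( cd "$dir" && printf '%s\n' "$was_home" | "./$(basename "$script")" ) || return 1
  latest_report "$dir"
}

# Usage (hypothetical paths):
#   set_was_home ./wsst.sh /usr/IBM/WebSphere/AppServer &&
#   run_scan ./wsst.sh /usr/IBM/WebSphere/AppServer
```

The report path printed by run_scan is the one to open in a browser, as described above; keeping the scan in a script also makes it easy to rerun after each configuration change and compare reports.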
This tool is provided "as-is". However, if you have questions about
any WebSphere Application Server issues identified by this tool, you can
contact IBM Support at 1-800-IBM-SERV (US calls only).
Cross Reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | WebSphere Application Server for z/OS | Security | z/OS | 6.1, 6.0.1, 5.1, 5.0 |
Application Servers | WebSphere Application Server | | AIX, HP-UX, i5/OS, Linux, OS/400, z/OS | 6.1, 6.0, 5.1, 5.0 | Developer, Express, Network Deployment
Application Servers | Runtimes for Java Technology | Java SDK | | |
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): z/OS
Software version: 6.1
Software edition:
Reference #: 4009963
IBM Group: Software Group
Modified date: Sep 22, 2006
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.