PQ81764: Security Exposure issue in WAS private HTTP header

Fixes are available

PQ85432; 5.0.x, 5.1.0.3: HTTP connection is not closed in event of an IO excepti
PQ81764: Configuring the trusted mode to determine private HTTP headers



APAR status
Closed as program error.

Error description
Security exposure issue in WAS private HTTP header
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: Users who would like to configure the        *
*                 trusted mode of the internal Http            *
*                 Transport to determine if administrators     *
*                 can trust private HTTP headers or not.       *
****************************************************************
* PROBLEM DESCRIPTION: WebSphere Application Server has        *
*                      further tightened security by           *
*                      introducing a configuration option      *
*                      that permits administrators to          *
*                      specify if they trust private HTTP      *
*                      headers or not.                         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
You should carefully evaluate enabling the WebSphere
Application Server internal HTTP Transport in the trusted mode
in the production environment to determine if sufficient trust
is established.
When the trusted mode is enabled, the WebSphere Application
Server internal HTTP Transport allows the assertion of the
user identity by adding the client certificate to the HTTP
header. The Web server plug-in can use this feature to support
client certificate authentication. The HTTP header does not
carry verifiable information that WebSphere Application Server
can use to determine the server identity that asserts the
client certificate. You should establish a secure
communication channel with transport level authentication
between the Web server plug-in and WebSphere Application
Server to avoid HTTP header spoofing.
Problem conclusion
You can configure the trusted mode for each HTTP port
independently and disable it on any port that client machines can
access directly, whether from the Internet or the intranet.
Transports for which you set Trusted to false do not accept
client certificate assertion; they return HTTP Error 403 and write
an error message similar to the following to your log file:
Requests through proxies such as the WebSphere webserver
plug-in are not permitted to this port.
The HTTP transport on port 9080 is not configured to be trusted.
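As an added example, not part of the APAR or of IBM's code, a small audit that reads a WebSphere 5.x server.xml and reports HTTP transports that trust private headers while being reachable by clients, plus a helper that picks the rejection message quoted above out of log lines. The element and attribute names (`transports`, `address`, `trusted`) and the sample configuration are assumptions, not taken from IBM documentation; adapt them to the real file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a WAS 5.x server.xml fragment. The
# element and attribute names (transports, address, trusted) are assumed,
# not taken from IBM documentation; adapt them to the real file.
SAMPLE_SERVER_XML = """<server>
  <transports trusted="true"><address host="*" port="9080"/></transports>
  <transports trusted="true"><address host="10.0.0.5" port="9081"/></transports>
  <transports trusted="false"><address host="*" port="9443"/></transports>
</server>
"""

# Matches the log message the APAR quotes for a rejected assertion.
REJECT_RE = re.compile(
    r"The HTTP transport on port (\d+) is not configured to be trusted")


def audit_trusted_transports(xml_text, plugin_only_hosts=()):
    """Return (port, host) for every transport that trusts private headers
    (client certificate assertion) but is not bound to an address that only
    the web server plug-in can reach, i.e. a client could spoof the header."""
    findings = []
    for t in ET.fromstring(xml_text).iter("transports"):
        if t.get("trusted", "false").lower() != "true":
            continue  # Trusted=false: assertion is rejected with 403, safe
        addr = t.find("address")
        host = addr.get("host", "*") if addr is not None else "*"
        port = int(addr.get("port", "0")) if addr is not None else 0
        if host == "*" or host not in plugin_only_hosts:
            findings.append((port, host))
    return findings


def rejected_ports(log_lines):
    """Ports named in 'not configured to be trusted' rejections. Seeing them
    means either the plug-in is routed to an untrusted port (fix the routing)
    or a direct client sent a proxy-only header to it (the expected denial)."""
    return sorted({int(m.group(1)) for m in map(REJECT_RE.search, log_lines) if m})


if __name__ == "__main__":
    print(audit_trusted_transports(SAMPLE_SERVER_XML, ("10.0.0.5",)))
    print(rejected_ports(["The HTTP transport on port 9080 is not configured to be trusted."]))
```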
Temporary fix

Comments
APAR information
APAR number PQ81764
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 00W
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2003-12-05
Closed date 2003-12-05
Last modified date 2003-12-05

APAR is sysrouted FROM one or more of the following:
PQ79541

APAR is sysrouted TO one or more of the following:

Modules/Macros
utils

Publications Referenced

Fix information
Fixed component name WAS BASE 5.0
Fixed component ID 5630A3600

Applicable component levels
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10S PSY    UP
R10W PSY    UP
R003 PSY    UP
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP
R103 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00W
Software edition:
Reference #: PQ81764
IBM Group: Software Group
Modified date: Dec 5, 2003