PQ81764: Configuring the trusted mode to determine private HTTP headers
 Downloadable files
 
Abstract
Configuring the trusted mode to determine if administrators can trust private HTTP headers or not
 
Download Description
IBM® WebSphere® Application Server has further tightened security by introducing a configuration option that permits administrators to specify if they trust private HTTP headers or not.

Carefully evaluate enabling the WebSphere Application Server internal HTTP Transport in the trusted mode in the production environment to determine if sufficient trust is established. When the trusted mode is enabled, the WebSphere Application Server internal HTTP Transport allows the assertion of the user identity by adding the client certificate to the HTTP header.

The Web server plug-in can use this feature to support client certificate authentication. The HTTP header does not carry verifiable information that WebSphere Application Server can use to determine the identity of the server that asserts the client certificate. To avoid HTTP header spoofing, establish a secure communication channel with transport-level authentication between the Web server plug-in and WebSphere Application Server. Configure the trusted mode for each HTTP port independently, and disable it on any port that client machines can access directly, whether from the Internet or the intranet.

Requiring the Web server plug-in to establish a Secure Sockets Layer (SSL) connection with client certificate authentication is a way to ensure that only a trusted Web server plug-in asserts the user certificate. Also, use a self-signed certificate so that only those servers that have the self-signed certificate can establish a secure connection to the trusted internal HTTP server port.

For more information on setting up the SSL connection with self-signed certificate authentication, visit the following Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r0/topic/com.ibm.websphere.exp.doc/info/exp/ae/tsec_httpserv.html


Other than SSL, you can use mechanisms such as Virtual Private Network (VPN) and IPSec to protect the internal HTTP Transport from being accessed by unauthorized users. The trusted mode is set to true by default. Perform the following steps to add a custom transport property to disable the trusted mode:

1. Using the administrative console, click Servers > Application Servers > <server name> > Web Container > HTTP Transports > <host> > Custom Properties.

2. Click New and enter the property name Trusted with the value of false.

3. Restart the server.

4. After the server restarts, a Transport where Trusted is set to false does not accept client certificate assertion and returns an HTTP Error 403 with an error message in the log.

Requests through proxies such as the Web server plug-in are not permitted to this port.

The HTTP transport on port 9080 is not configured to be trusted.
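The guidance above can be checked against a port inventory. The following is an added example, not IBM code: the Transport record, its field names, the finding labels, and every port other than 9080 are constructed for illustration, and it assumes the Trusted value is compared case-insensitively.

```python
from dataclasses import dataclass, field

@dataclass
class Transport:
    """One internal HTTP transport, as recorded in a constructed inventory."""
    port: int
    custom_properties: dict = field(default_factory=dict)
    client_reachable: bool = False   # client machines can connect to the port directly
    ssl_client_auth: bool = False    # SSL with client certificate authentication required
    network_protected: bool = False  # VPN or IPSec limits who can reach the port
    used_by_plugin: bool = False     # the Web server plug-in forwards requests here

def is_trusted(t):
    # Trusted mode is true by default, so a missing property means trusted.
    # Assumption: the value is compared case-insensitively.
    value = str(t.custom_properties.get("Trusted", "true"))
    return value.strip().lower() != "false"

def audit(t):
    """Return findings for one transport, following the guidance above."""
    findings = []
    if is_trusted(t):
        if t.client_reachable:
            findings.append("DISABLE_TRUSTED: clients can reach this port directly")
        if not (t.ssl_client_auth or t.network_protected):
            findings.append("NO_PEER_AUTH: nothing authenticates the asserting server")
    elif t.used_by_plugin:
        findings.append("PLUGIN_BLOCKED: plug-in requests will get HTTP 403")
    return findings

def audit_all(inventory):
    return {t.port: audit(t) for t in inventory}

# Constructed sample inventory (ports other than 9080 are made up).
INVENTORY = [
    Transport(9080, client_reachable=True),
    Transport(9443, ssl_client_auth=True, used_by_plugin=True),
    Transport(9081, {"Trusted": "false"}, used_by_plugin=True),
    Transport(9082, {"Trusted": "False"}, client_reachable=True),
]

if __name__ == "__main__":
    for port, findings in audit_all(INVENTORY).items():
        print(port, findings or ["OK"])
```

A transport with no Trusted property is reported as trusted because of the default, which is the case most easily missed when reviewing custom properties.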

This Fix Supersedes Fixes: PQ73966(5.0.1); PQ80922(5.0.1); PQ73966(5.0.1); PQ80244(5.0.2); PQ80922(5.0.2); PQ78169(5.0.2); PQ75699(5.0.2); PQ80756(5.0.2); PQ78849(5.0.2)
 
Prerequisites
Please download the UpdateInstaller below to install this fix.
 
URL | LANGUAGE | SIZE(Bytes)
UpdateInstaller | US English | 7000000
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL | LANGUAGE | SIZE(Bytes)
Readme | US English | 4614
 
Download package
Download | RELEASE DATE | LANGUAGE | SIZE(Bytes) | Download Options
PQ81764 - 5.0.1 | 12/5/2003 | US English | 28705 | FTP DD
PQ81764-5.0.2/5.0.2.1/5.0.2.2/5.023 | 12/5/2003 | US English | 50536 | FTP DD
 
Technical support
1-800-IBM-SERV (U.S. Only)
 
Cross Reference information
Segment Product Component Platform Version Edition
Application Servers Runtimes for Java Technology Java SDK
Problems (APARS) fixed
PQ81764, PQ73966, PQ80922, PQ73966, PQ80244, PQ80922, PQ78169, PQ75699, PQ80756, PQ78849
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > HTTP Transport
Operating system(s): Windows
Software version: 5.0.2.3
Software edition:
Reference #: 4005964
IBM Group: Software Group
Modified date: Aug 17, 2004