PQ81764: Security Exposure issue in WAS private HTTP header
APAR status
Closed as program error.

Error description
Security exposure issue in WAS private HTTP header

Local fix

Problem summary
USERS AFFECTED: Users who would like to configure the trusted mode of the internal HTTP Transport to determine whether administrators can trust private HTTP headers or not.

PROBLEM DESCRIPTION: WebSphere Application Server has further tightened security by introducing a configuration option that permits administrators to specify whether they trust private HTTP headers or not.

RECOMMENDATION:
You should carefully evaluate enabling the WebSphere Application Server internal HTTP Transport in the trusted mode in the production environment to determine whether sufficient trust is established. When the trusted mode is enabled, the WebSphere Application Server internal HTTP Transport allows the assertion of the user identity by adding the client certificate to the HTTP header. The Web server plug-in can use this feature to support client certificate authentication. The HTTP header does not carry verifiable information that WebSphere Application Server can use to determine the identity of the server that asserts the client certificate. You should establish a secure communication channel with transport-level authentication between the Web server plug-in and WebSphere Application Server to avoid HTTP header spoofing.

Problem conclusion
You can configure the trusted mode for each HTTP port independently and disable it on any port that client machines can access directly, both from the Internet and the intranet. Transports for which you set Trusted to false do not accept client certificate assertion and return an HTTP error 403 with an error message similar to the following in your log file:

Requests through proxies such as the WebSphere webserver plug-in are not permitted to this port. The HTTP transport on port 9080 is not configured to be trusted.

Temporary fix

Comments
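The per-port decision described in the problem conclusion, as an added illustrative model (not WebSphere code): the transport table, the request fields and the header name X-Asserted-Client-Cert are assumptions, since the APAR does not name the private header; the point it makes is that an asserted certificate is honoured only on a Trusted port and only from a peer authenticated at the transport level, because the header itself proves nothing about who sent it.

```python
"""Model of WebSphere's per-port trusted-mode check (added example, assumptions marked)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed transport table: port -> Trusted flag as an administrator would set it.
# Only the port that the Web server plug-in alone can reach is marked trusted.
TRANSPORTS = {
    9080: {"trusted": False},   # reachable directly by client machines
    9443: {"trusted": False},
    9081: {"trusted": True},    # plug-in only, behind mutual TLS
}

# Assumed (placeholder) name of the private header carrying the asserted certificate.
CERT_HEADER = "X-Asserted-Client-Cert"


@dataclass
class Request:
    port: int
    headers: Dict[str, str]
    peer_authenticated: bool   # plug-in identity verified at the transport level (mutual TLS)


@dataclass
class Decision:
    status: int
    identity: Optional[str]
    message: str


def handle(req: Request) -> Decision:
    """Return the HTTP status and the identity (if any) accepted from the assertion."""
    transport = TRANSPORTS.get(req.port)
    if transport is None:
        return Decision(404, None, "no HTTP transport on port %d" % req.port)
    asserted = req.headers.get(CERT_HEADER)
    if asserted is None:
        # Ordinary request: no assertion, identity comes from the transport's own authentication.
        return Decision(200, None, "no client certificate assertion present")
    if not transport["trusted"]:
        # Untrusted port: the assertion is refused outright, as the APAR describes.
        return Decision(403, None,
                        "Requests through proxies such as the WebSphere webserver plug-in "
                        "are not permitted to this port. The HTTP transport on port %d "
                        "is not configured to be trusted." % req.port)
    if not req.peer_authenticated:
        # The header carries no verifiable sender identity; only the authenticated
        # transport peer can be trusted, so an unauthenticated sender is refused.
        return Decision(403, None, "client certificate assertion from an unauthenticated peer")
    return Decision(200, asserted, "identity asserted by the authenticated plug-in")
```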
APAR is sysrouted FROM one or more of the following: PQ79541
APAR is sysrouted TO one or more of the following:

Modules/Macros
Publications Referenced
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00W
Software edition:
Reference #: PQ81764
IBM Group: Software Group
Modified date: Dec 5, 2003
(C) Copyright IBM Corporation 2000, 2008. All Rights Reserved.