There are several methods that you can use to protect the WebSphere® Application Server infrastructure and applications from different forms of attack. Several different techniques can help with multiple forms of attack, and a single attack can leverage multiple forms of intrusion to achieve its end goal.
Procedure
- Take preventative measures to protect the infrastructure.
  - At a minimum, ensure that administrative security is enabled in all WebSphere processes. This protects access to the administrative ConfigService interface and the managed beans (MBeans) that allow control over the WebSphere process if it is compromised.
  - Use Secure Sockets Layer (SSL) wherever possible, and mutual SSL wherever possible as well. Note that mutual SSL requires all clients to supply a trusted personal certificate in order to connect.
  - Remove any unnecessary certificate authority (CA) signer certificates from your trust stores.
  - Change the default keystore passwords during or after profile creation using the AdminTask changeMultipleKeyStorePasswords command.
  - Change your Lightweight Third-Party Authentication (LTPA) keys periodically. You can configure the automatic regeneration of LTPA keys if necessary.
  - Common Secure Interoperability version 2 (CSIv2) inbound Basic authentication is supported in this release of WebSphere Application Server. The authentication default is 'required'.
- Make applications less vulnerable to attack.
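As an added illustration (not code from the IBM documentation or from WebSphere itself), the following Python script audits a security.xml fragment for two of the items above: administrative security being enabled, and keystores still carrying the shipped default password. It assumes the layout shown in the constructed sample, namely an `enabled` attribute on the root element and `keyStores` elements carrying a `password` attribute, and that `{xor}`-prefixed values are the base64 encoding of the password XORed byte-wise with `_` (0x5F), which is how WebSphere obfuscates passwords in its configuration files. Treat those layout details as assumptions to check against your own profile before relying on the script.

```python
"""Audit a WebSphere security.xml fragment for two hardening items:
administrative security enabled, and keystores left on the default password.
Added example; the XML layout below is an assumption, and the sample is
constructed, not taken from a real profile."""
import base64
import xml.etree.ElementTree as ET

XOR_KEY = 0x5F                       # WebSphere {xor} encoding: each byte XOR '_'
DEFAULT_KEYSTORE_PASSWORD = "WebAS"  # shipped default; {xor}CDo9Hgw= when encoded


def xor_decode(value):
    """Decode a '{xor}...' config value; values without the prefix pass through."""
    if not value.startswith("{xor}"):
        return value
    raw = base64.b64decode(value[len("{xor}"):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def xor_encode(plain):
    """Inverse of xor_decode, used here only to build the constructed sample."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return "{xor}" + base64.b64encode(raw).decode("ascii")


# Constructed sample (assumed layout): admin security on, the two cell-level
# stores still on the default password, the node keystore already changed.
SAMPLE_SECURITY_XML = """<security:Security xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    enabled="true" appEnabled="true">
  <keyStores name="CellDefaultKeyStore" password="{xor}CDo9Hgw=" location="key.p12"/>
  <keyStores name="CellDefaultTrustStore" password="{xor}CDo9Hgw=" location="trust.p12"/>
  <keyStores name="NodeDefaultKeyStore" password="%s" location="key.p12"/>
</security:Security>
""" % xor_encode("s3cret!")


def audit_security_xml(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # Item 1: administrative security must be enabled (root 'enabled' attribute).
    if root.get("enabled", "false").lower() != "true":
        findings.append("administrative security is disabled (enabled != true)")
    # Item 2: no keystore may still use the shipped default password.
    for ks in root.iter("keyStores"):
        if xor_decode(ks.get("password", "")) == DEFAULT_KEYSTORE_PASSWORD:
            findings.append("keystore %s still uses the default password"
                            % ks.get("name", "?"))
    return findings


if __name__ == "__main__":
    for finding in audit_security_xml(SAMPLE_SECURITY_XML) or ["no findings"]:
        print(finding)
```

Run against the sample, the script reports the two cell-level stores and passes the node keystore; a keystore finding is what the AdminTask changeMultipleKeyStorePasswords command from the procedure is meant to clear. The `{xor}` decoding is only obfuscation, not encryption, which is precisely why leaving the shipped default in place gives no protection at all.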
What to do next
Note: In this release of WebSphere Application Server, more security hardening features of the server are enabled by default. However, if the features are not enabled after migration, you can enable them yourself. See the Security hardening features enablement and migration article for more information.
For additional information about hardening security configurations, see the WebSphere Application Server security web page.