Fix (APAR): PQ81764
Status: Fix
Release: 5.0.1, 5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3
Operating System: N/A
Supersedes Fixes: PQ73966(5.0.1) PQ80922(5.0.1) PQ73966(5.0.1) PQ80244(5.0.2) PQ80922(5.0.2) PQ78169(5.0.2) PQ75699(5.0.2) PQ80756(5.0.2) PQ78849(5.0.2)
CMVC Defect: PQ79541
Byte size of APAR: 79241
Date: 2003-12-05

Abstract: Configuring the trusted mode to determine if administrators can trust private HTTP headers or not

Description/symptom of problem:

WebSphere Application Server has further tightened security by introducing a configuration option that permits administrators to specify whether they trust private HTTP headers. You should carefully evaluate enabling the WebSphere Application Server internal HTTP Transport in the trusted mode in a production environment to determine whether sufficient trust is established.

When the trusted mode is enabled, the WebSphere Application Server internal HTTP Transport allows the assertion of the user identity by adding the client certificate to the HTTP header. The Web server plug-in can use this feature to support client certificate authentication. The HTTP header does not carry verifiable information that WebSphere Application Server can use to determine the server identity that asserts the client certificate. You should establish a secure communication channel with transport-level authentication between the Web server plug-in and WebSphere Application Server to avoid HTTP header spoofing.

You can configure the trusted mode for each HTTP port independently and disable it on any port that client machines can access directly, both from the Internet and the Intranet. Requiring the Web server plug-in to establish a Secure Sockets Layer (SSL) connection with client certificate authentication is a way to ensure that only a trusted Web server plug-in asserts the user certificate. Moreover, you should use a self-signed certificate so that only those servers that have the self-signed certificate can establish a secure connection to the trusted internal HTTP server port. For more information on setting up the SSL connection with self-signed certificate authentication, visit the following Web site:
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/tsec_httpserv.html

Other than SSL, you can use mechanisms such as Virtual Private Network (VPN) and IPSec to protect the internal HTTP Transport from being accessed by unauthorized users.

The trusted mode is set to true by default. Perform the following steps to add a custom transport property to disable the trusted mode:

1. Using the administrative console, click Servers > Application Servers > > Web Container > HTTP Transports > <host> > Custom Properties.
2. Click New and enter the property name Trusted with the value of false.
3. Restart the server.
4. After the server restarts, the Transports for which you set Trusted to false do not accept client certificate assertion and return an HTTP Error 403 with an error message similar to the following in your log file:
   Requests through proxies such as the WebSphere webserver plug-in are not permitted to this port. The HTTP transport on port 9080 is not configured to be trusted.

Directions to apply fix:

NOTE: YOU MUST FIRST DOWNLOAD THE UPDATE INSTALLER TOOL IN ORDER TO INSTALL A FIX. The Fix Installer can be downloaded from the following link:
http://www-3.ibm.com/software/webservers/appserv/support/index.html

1) Create a temporary "fix" directory to store the jar file:
   UNIX: /tmp/WebSphere/fix
   Windows: c:\temp\WebSphere\fix
2) Copy the jar file to the directory.
3) Shut down WebSphere.
4) Follow the Fix installation instructions that are packaged with the Fix Installer on how to install the Fix.
5) Restart WebSphere.
6) The temp directory may be removed.

Directions to remove fix:

NOTE: FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. YOU MAY REAPPLY ANY REMOVED FIX.
Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and fix3 re-applied.

1) Shut down WebSphere.
2) Follow the instructions that are packaged with the Fix Installer on how to uninstall the Fix.
3) Restart WebSphere.

Directions to re-apply fix:

1) Shut down WebSphere.
2) Follow the Fix instructions that are packaged with the Fix Installer on how to uninstall and reinstall the Fix.
3) Restart WebSphere.

Additional Information:
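As an added illustration, not part of this fix note or of the WebSphere product code, the following script audits the HTTP transports in a server configuration for the Trusted custom property described above, flagging ports still in the default trusted mode without SSL. The XML layout is a constructed approximation of a WebSphere 5.0.x server.xml web container, and the element and attribute names (transports, sslEnabled, address/port, properties name/value) are assumptions.

```python
"""Audit HTTP transports for the Trusted custom property (APAR PQ81764).
Trusted defaults to true; ports clients can reach directly should be
Trusted=false, and trusted ports should require plug-in client-cert SSL."""
import xml.etree.ElementTree as ET

XMI_TYPE = "{http://www.omg.org/XMI}type"

# Constructed sample approximating a WebSphere 5.0.x server.xml web
# container; element/attribute names are an assumption, not from the page.
SAMPLE_SERVER_XML = """<Server xmlns:xmi="http://www.omg.org/XMI" name="server1">
  <components xmi:type="applicationserver.webcontainer:WebContainer">
    <transports xmi:type="applicationserver.webcontainer:HTTPTransport" sslEnabled="false">
      <address host="*" port="9080"/>
    </transports>
    <transports xmi:type="applicationserver.webcontainer:HTTPTransport" sslEnabled="true">
      <address host="*" port="9443"/>
    </transports>
    <transports xmi:type="applicationserver.webcontainer:HTTPTransport" sslEnabled="false">
      <address host="*" port="9081"/>
      <properties name="Trusted" value="false"/>
    </transports>
  </components>
</Server>"""

def audit_transports(server_xml):
    """Return (port, ssl_enabled, trusted, risk) for each HTTP transport."""
    findings = []
    for t in ET.fromstring(server_xml).iter("transports"):
        if not t.get(XMI_TYPE, "").endswith(":HTTPTransport"):
            continue
        addr = t.find("address")
        port = int(addr.get("port")) if addr is not None else None
        ssl_enabled = t.get("sslEnabled", "false").lower() == "true"
        trusted = True  # fix note: trusted mode is on unless set to false
        for prop in t.findall("properties"):
            if prop.get("name") == "Trusted":
                trusted = prop.get("value", "true").strip().lower() != "false"
        if trusted and not ssl_enabled:
            risk = "HIGH"    # header-asserted client certs accepted over plain HTTP
        elif trusted:
            risk = "REVIEW"  # confirm this SSL port requires plug-in client-cert auth
        else:
            risk = "OK"      # assertion refused: proxied requests get HTTP 403
        findings.append((port, ssl_enabled, trusted, risk))
    return findings

def high_risk_ports(server_xml):
    """Ports still in trusted mode without SSL; candidates for Trusted=false."""
    return [p for p, _, _, risk in audit_transports(server_xml) if risk == "HIGH"]
```

Run it against a real server.xml only after confirming the element names match your release; a REVIEW result means the port is trusted over SSL and you still need to verify that client certificate authentication is enforced for the plug-in.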