PQ79541: Configuring the trusted mode to determine
if administrators can
Downloadable files
Abstract
Configuring the trusted mode to determine if
administrators can trust private HTTP headers or not
Download Description
WebSphere Application Server has further tightened security by
introducing a configuration option that permits administrators to specify
if they trust private HTTP headers or not.
You should carefully evaluate enabling the WebSphere Application Server
internal HTTP Transport in the trusted mode in the production environment
to determine if sufficient trust is established.
When the trusted mode is enabled, the WebSphere Application Server
internal HTTP Transport allows the assertion of the user identity by
adding the client certificate to the HTTP header. The Web server plug-in
can use this feature to support client certificate authentication. The
HTTP header does not carry verifiable information that WebSphere
Application Server can use to determine the server identity that asserts
the client certificate. You should establish a secure communication
channel with transport level authentication between the Web server plug-in
and WebSphere Application Server to avoid HTTP header spoofing.
You can configure the trusted mode for each HTTP port independently and
disable it on any port that client machines can access directly, whether
from the Internet or the intranet. Requiring the Web server plug-in to
establish a Secure Sockets Layer (SSL) connection with client certificate
authentication is a way to ensure that only a trusted Web server plug-in
asserts the user certificate. Moreover, you should use a self-signed
certificate so that only those servers that have the self-signed
certificate can establish a secure connection to the trusted internal HTTP
server port. For more information on setting up the SSL connection with
self-signed certificate authentication, visit the following Web site:
Other than SSL, you can use mechanisms such as Virtual Private Network
(VPN) and IPSec to protect the internal HTTP Transport from being accessed
by unauthorized users.
The trusted mode is set to true by default. Perform the following steps to
add a custom transport property to disable the trusted mode:
1. Using the administrative console, click Servers > Application
Servers > <server name> > Web Container > HTTP Transports
> <host> > Custom Properties.
2. Click New and enter the property name Trusted with the value of false.
3. Restart the server.
4. After the server restarts, the Transports for which you set Trusted to
false do not accept client certificate assertion and return an HTTP Error
403, with an error message similar to the following in your log file:
Requests through proxies such as the WebSphere webserver plug-in are not
permitted to this port.
The HTTP transport on port 9080 is not configured to be trusted.
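The following is an added example, not IBM code: a small Python audit that applies the guidance above to an inventory of HTTP transports. The inventory format, its field names (port, custom_properties, client_reachable, ssl, client_cert_auth, network_protection) and the sample data are assumptions constructed for illustration; only the property name Trusted and its default of true come from this page.

```python
# Added example: audit HTTP transports against the trusted-mode guidance.
# The inventory layout and field names are hypothetical; SAMPLE is constructed.

def effective_trusted(transport):
    """Trusted mode is on unless a custom property Trusted is set to false."""
    value = transport.get("custom_properties", {}).get("Trusted")
    return value is None or str(value).strip().lower() != "false"

def audit(transports):
    """Return (port, issue) pairs for trusted ports that lack the protections
    described above: not directly client-reachable, and either SSL with client
    certificate authentication or network-level protection (VPN, IPSec)."""
    findings = []
    for t in transports:
        if not effective_trusted(t):
            continue  # untrusted ports refuse asserted certificates (HTTP 403)
        port = t["port"]
        if t.get("client_reachable"):
            findings.append((port, "trusted port is directly reachable by clients"))
        mutual_ssl = bool(t.get("ssl") and t.get("client_cert_auth"))
        if not (mutual_ssl or t.get("network_protection")):
            findings.append((port, "plug-in is not authenticated at transport level"))
    return findings

# Constructed sample inventory (not taken from a real server).
SAMPLE = [
    # No Trusted property: the default (true) applies.
    {"port": 9080, "custom_properties": {}, "client_reachable": True,
     "ssl": False, "client_cert_auth": False, "network_protection": None},
    # Trusted by default, plug-in-only port with SSL client authentication.
    {"port": 9443, "custom_properties": {}, "client_reachable": False,
     "ssl": True, "client_cert_auth": True, "network_protection": None},
    # Client-facing port with trusted mode disabled.
    {"port": 9081, "custom_properties": {"Trusted": "false"},
     "client_reachable": True, "ssl": False, "client_cert_auth": False,
     "network_protection": None},
    # SSL without client certificate authentication does not identify the plug-in.
    {"port": 9082, "custom_properties": {"Trusted": "true"},
     "client_reachable": False, "ssl": True, "client_cert_auth": False,
     "network_protection": None},
]

if __name__ == "__main__":
    for port, issue in audit(SAMPLE):
        print(f"port {port}: {issue}")
```
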
Prerequisites
This fix supersedes fixes PQ78169 and PQ72435. Also, please apply
the interim fix for PQ70205 (for versions 4.0.2 - 4.0.5) before applying
this fix.