The following information will be added to WebSphere
Application Server V4.0.1 for z/OS and OS/390: Assembling J2EE
Applications, SA22-7836-06:
In Chapter 4, the last bullet in the second note associated with
Table 5, "Summary of the two Versions of the Web container security
collaborator", will be changed to the following:
Add the following environment variables to your J2EE server's current.env
file:
ENABLE_TRUSTED_APPLICATIONS=1
BBOC_HTTP_SSL_MODE=INTERNAL (only required if you are using HTTP 1.0
protocol)
In Chapter 8, section "Setting up the WebSphere HTTP Plug-in for
z/OS":
- The description of the BBOC_HTTP_MODE=INTERNAL and/or
BBOC_HTTP_SSL_MODE=INTERNAL environment variable included in Step 5 will
be changed to the following:
These environment variables enable the
HTTP(S) Transport Handler to trust private headers received from the HTTP
Server’s plug-in, over the port specified on the BBOC_HTTP_PORT and/or
BBOC_HTTP_SSL_PORT environment variables.
Notes:
- HTTP 1.0 protocol does not require an HTTPS request to include the
port number in the HTTP Host header field. Therefore, if you are using
HTTP 1.0 protocol, and Form Based authentication (or some other technique
that involves redirection) for security, you must include the
BBOC_HTTP_SSL_MODE=INTERNAL environment variable in the current.env file.
This variable enables the Web container to obtain the port information
that it needs to perform the redirect from the private headers if it has
not been specified on the HTTP Host header field. (This is not a problem
if you are using HTTP 1.1 protocol because that protocol requires the port
information to be included on the HTTP Host header field.)
- If you add either the BBOC_HTTP_MODE=INTERNAL or the
BBOC_HTTP_SSL_MODE=INTERNAL environment variable to the current.env file,
the HTTP(S) Transport Handler will trust all private headers it receives
in HTTP or HTTPS requests, respectively. Therefore, you must ensure that
there are no untrusted paths to the HTTP or HTTPS Transport Handler.
- The following new step will be added to this procedure:
The connection between the browser and the
IBM HTTP Server and the connection between the plug-in and the HTTP
Transport Handler must be the same type; either HTTP or HTTPS. If one of
the connections is an HTTP connection, and the other is an HTTPS
connection, any redirection or URL rewriting will cause subsequent
requests to fail with a 404 error code.
In Appendix A, the following note will be added to the description
of the BBOC_HTTP_SSL_MODE environment variable:
Note: This environment variable must be
included in the current.env file and set to Internal if you are using HTTP
1.0 protocol, and Form Based authentication (or some other technique that
involves redirection) for security. The port information that the Web
container uses to redirect requests to the login form is normally
contained in private headers, which are ignored if this environment
variable is not included.
This last change will also be made to the description of the
BBOC_HTTP_SSL_MODE environment variable contained in Appendix A
of WebSphere Application Server V4.0.1 for z/OS and OS/390:
Installation and Customization, GA22-7834-07.
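The Chapter 8 notes and the Appendix A note above can be checked against a server's current.env with a short script. The following is an added example, not IBM code: it assumes the file holds NAME=VALUE lines with '#' comment lines skipped, the function names are hypothetical, and the sample contents and port number are constructed.

```python
# Added example (not from the product documentation): audit current.env for
# the private-header trust settings described in this notice.
# Assumption: NAME=VALUE lines; blank lines and '#' comment lines are skipped.

# Mode variable -> (port variable named in the notice, connection type)
TRUSTING_MODES = {
    "BBOC_HTTP_MODE": ("BBOC_HTTP_PORT", "HTTP"),
    "BBOC_HTTP_SSL_MODE": ("BBOC_HTTP_SSL_PORT", "HTTPS"),
}

def parse_env(text):
    """Return {name: value} for every NAME=VALUE line in the file text."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        env[name.strip()] = value.strip()
    return env

def is_internal(env, mode_var):
    # The notice writes the value as both INTERNAL and Internal, so the
    # audit flags either spelling.
    return env.get(mode_var, "").upper() == "INTERNAL"

def audit(text, http10_with_redirects=False):
    """Return (severity, message) findings for one current.env file."""
    env = parse_env(text)
    findings = []
    for mode_var, (port_var, scheme) in TRUSTING_MODES.items():
        if not is_internal(env, mode_var):
            continue
        port = env.get(port_var)
        if port is None:
            findings.append(("review", f"{mode_var}=INTERNAL but {port_var} is "
                             "not set here; identify the listening port"))
        else:
            findings.append(("review", f"{scheme} port {port} trusts all private "
                             "headers; confirm only the plug-in can reach it"))
    # HTTP 1.0 with Form Based authentication (or other redirection) needs
    # the port information carried in the private headers.
    if http10_with_redirects and not is_internal(env, "BBOC_HTTP_SSL_MODE"):
        findings.append(("missing", "BBOC_HTTP_SSL_MODE=INTERNAL is required for "
                         "HTTP 1.0 with redirection"))
    return findings

# Constructed sample file contents; the port number is made up.
SAMPLE = ("ENABLE_TRUSTED_APPLICATIONS=1\nBBOC_HTTP_PORT=8080\n"
          "BBOC_HTTP_MODE=INTERNAL\nBBOC_HTTP_SSL_MODE=INTERNAL\n")

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity}: {message}")
```

Each "review" finding names a port whose network path has to be restricted to the HTTP Server's plug-in, which is the condition the second Chapter 8 note requires.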
NOTE: Periodically, we refresh the documentation on our Web site, so these
changes might have been made before you read this text. To access the
latest on-line documentation, go to the product library page at:
http://www.ibm.com/software/webservers/appserv/zos_os390/library/