
Page 1

© 2013 IBM Corporation

WebSphere Application Server and Liberty Security Update

Bill O'Donnell
STSM – WebSphere Foundation Security Architect
IBM – WebSphere Development

Session TAW-1698

Page 2

Please Note

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3

About the Speaker

Bill O'Donnell
– My email is [email protected]
– WebSphere Foundation Security Architect (Austin Labs)
– Responsible for:
• Security Architecture and Design for WebSphere Portfolio
• Security Architect for WebSphere Application Server
• Product Security Incident Response Team (PSIRT) for WebSphere and AIM brand
• Product Secure Engineering for WebSphere and AIM brand

– See my website at http://www.ibm.com/developerworks/websphere/zones/was/security/

Page 4

What are we going to talk about?

Recap of security features since WAS 6.1
What's new for WAS Full Profile 8.5.0.x
What's new for Liberty Profile 8.5.0.x
What's new for Liberty Profile 8.5.5.0
Mobile Security

Page 5

Recap of security features since WAS 6.1

Page 6

WAS 6.1 Security Highlights

Admin Security enabled by default

Auto-generation of the server ID, removing the need for a server user ID/password

Simple Key and Certificate Management
– Supports the full life cycle of key and certificate management
– Key management tool through the console and WAS scripting
– Easier to configure SSL
– Certificate monitoring for expired certificates

SPNEGO supporting SSO from the Microsoft desktop into WAS

FIPS 140-2 compliant

Page 7

WAS 6.1 Web Services Security Highlights

Secure JAX-WS web service application (Web Services Feature pack)

Support WS-Security 1.1 (signature confirmation and encrypted headers)

WS-SecureConversation

Username token profile 1.1

X509Token profile 1.1

Support LTPA token type

Secure web service application using policy set

Secure web service application using WSSAPI

Page 8

WAS 7.0 Security Highlights

WebSphere Security Domain
– The ability to have multiple security configurations within a cell
– Administration and application security separation
– Application security configuration can be mapped to a server or cluster

Enhancements in Kerberos
– Integrated SPNEGO support
– Client authentication
– Server-to-server authentication and propagation
– Connect to DB2 using Kerberos

Enhancements in Key and Certificate Management
– Certificate chaining
– Easy way to renew certificates through the console or scripting
– Ability during profile creation to personalize the default generated certificate for WAS: DN, expiration date, password for the keystore
– Ability to restore a deleted certificate

Page 9

WAS 7.0 Web Services Security Highlights

Included the Web Services Feature Pack from WAS 6.1

Secure JAX-WS 2.1 web service application

Basic security profile (WS-I BSP) 1.0

WS-Trust 1.3

WS-SecureConversation 1.3

Kerberos token profile 1.1

WS-SecurityPolicy 1.2

Page 10

WAS 8.0 Security Highlights

Web Services Security Enhancements
– JAX-WS 2.2
– Web Service Security: SAML token profile 1.1
– SHA256 XML signature algorithm
– Generic issued WS-Security token, token exchange, and remote validation using WS-Trust

EE Security Enhancements
– EJB embedded container supporting an easy way of developing and testing security flows using properties-based role mapping to users
– Servlet 3.0 security annotations to map security constraints in the Java program instead of using web.xml

Security Hardening
– SSL now required by default for EJB via CSIv2 security
– HTTPOnly enabled by default
– Default certificate key length now 2048

Federated Repository (VMM) Enhancements
– Usability improvements in the Admin Console
– Remove the security domain restriction
– Command line to change the file-based registry password

Ability to rename the LTPA cookie

Page 11

For more information

See our website at http://www.ibm.com/developerworks/websphere/zones/was/security/ for more information on
– WAS 6.1, WAS 7, and WAS 8

– Security Hardening

– FAQ

– How to...

Page 12

What's new for WebSphere Application Server Full Profile 8.5.0.x

Page 13

SAML Web SSO Post Binding Profile

Delivered in WAS Full Profile 7.0.0.23, 8.0.0.4, 8.5.0.0

SSO between WAS and non-WAS servers

Relies on an identity assertion rather than server-side authentication

Typically using an Identity Provider (IdP)

Come and see my session
– TAW-1701: SAML and OAUTH Technologies in WAS
– Date/Time: Wed, 1/May, 01:00 PM - 02:00 PM
– Room: Venetian - Palazzo H

Page 14

OAuth 2.0

Delivered in WAS Full Profile 7.0.0.25, 8.0.0.5, and 8.5.0.1 and WAS Liberty Profile 8.5.0.2

OAuth allows for resource sharing for social computing applications

Scenario
– Alice wants to print her Google Picasa photos using a third-party online photo printing service.
– Alice protects her Google Picasa photo albums using a password.
– Alice does not want to share her password.
– Using OAuth, Alice grants the third-party printing service the ability to read her photos.

Come and see my session
– TAW-1701: SAML and OAUTH Technologies in WAS
– Date/Time: Wed, 1/May, 01:00 PM - 02:00 PM
– Room: Venetian - Palazzo H

Page 15

On-chip AES Encryption

Intel has extended the x86 instruction set to handle AES encryption and speed up encryption performance.
– Intel delivered it in Westmere-EP, Sandy Bridge, and Ivy Bridge
– AMD delivered it in Bulldozer and Piledriver

Delivered in WAS Full Profile 8.5.0.2 and WAS Liberty Profile 8.5.0.2 as part of IBM Java 7 SR3.

Using Day Trader, WAS saw a 13.5% improvement in SSL performance.

To enable AES-NI usage, simply add the following property to the JVM command line or jvm.options file:

com.ibm.crypto.provider.doAESInHardware=true

For more info: http://publib.boulder.ibm.com/infocenter/java7sdk/v7r0/topic/com.ibm.java.security.component.doc/security-component/JceDocs/aesni.html

Page 16

Secure Socket Layer (SSL) Enhancements

Background

The common industry standard today for SSL is SSLv2, SSLv3, and Transport Layer Security (TLS) 1.0. SSLv3 has been around since 1996 and TLS 1.0 since 1999. The security of the TLS 1.0 standard is starting to be a concern for security experts. New standards have been established to strengthen SSL:
– The National Institute of Standards and Technology (NIST) developed a new standard, SP800-131, to replace the current FIPS standards (FIPS 140-2)
– The National Security Agency (NSA) developed a new standard, Suite B

The US government is pushing adoption of FIPS 800-131 within its agencies

Page 17

What are the Enhancements

TLS 1.2
– The initial handshake no longer uses MD5 and now uses SHA256
– A number of new ciphers using SHA-256
– Internet Explorer V8+ and Opera 10+ are the only browsers I am aware of that actually support TLS 1.2, and both have TLS 1.2 off by default.

SP800-131a is a significant enhancement to the current Federal Information Processing Standards (FIPS 140-2). Suite B places some tighter requirements on SP800-131a, requiring specific cryptographic algorithms to be used.

Delivered in the Java Cryptography Extension (JCE) and Java Secure Socket Extension (JSSE) parts of the IBM SDK:
– IBM JDK 6.0 SR10
– IBM JDK 6.26 SR1
– IBM JDK 7.0 SR1

Note: WAS customers running on Oracle or HP OS will also have these updated, as the IBM JSSE and JCE extensions ship as part of WAS.

Delivered in WAS Full profile 8.5.0.0, 8.0.0.3 and 7.0.0.23 and Liberty Profile 8.5.0.0. No plans for 6.1 or earlier.

Page 18

SP800-131a Changes

Changes to algorithm strength rules
– Most significantly, digital signatures must use SHA2 or higher; SHA1 or lower cannot be used.
– Can't use RSA 1024 (minimum RSA 2048)
– DES prohibited, AES still OK

TLS 1.2 required
– TLS 1.2 eliminates the use of MD5 and RC4 as part of the initial handshake and uses SHA2

Page 19

Security mode and signature algorithms

Security mode | Available Cipher Suites (signature algorithms) | Available SSL protocols
FIPS not enabled | SHA1withRSA, SHA1withDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, plus all of the other weaker ciphers | SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2
FIPS140-2 | SHA1withRSA, SHA1withDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA | TLS 1.0, TLS 1.1, TLS 1.2
SP800-131 - Transition | SHA1withRSA, SHA1withDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA (requires Java unrestricted policy) | TLS 1.0, TLS 1.1, TLS 1.2
SP800-131 - Strict | SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA (requires Java unrestricted policy) | TLS 1.2
Suite B 128 | SHA256withECDSA | TLS 1.2
Suite B 192 | SHA256withECDSA, SHA384withECDSA | TLS 1.2

Page 20

New SSL Protocol added

SSL_TLS - which is SSLv3 and TLSv1 (default)

SSL - which is SSLv3

SSLv2

SSLv3

TLS - which is TLSv1

TLSv1

SSL_TLSv2 - which is SSLv3 and TLSv1, TLSv1.1, TLSv1.2

TLSv1.1

TLSv1.2

Page 21

VERY IMPORTANT TO UNDERSTAND KEY POINTS....

FIPS 800-131a and Suite B require the new TLS 1.2 support. SSLv2, SSLv3, TLS 1.0, and TLS 1.1 cannot be used if you are required to run in FIPS 800-131 strict enforcement mode.

Internet Explorer V8+ and Opera 10+ are the only browsers I am aware of that actually support TLS 1.2, and both have TLS 1.2 off by default. If you enable 800-131a, only clients that support TLS 1.2 will work.

Certificates must have a key length of at least 2048. Many certificates do not.

FIPS 800-131a operates in 2 modes
– Transition mode – The server will operate in both 140-2 and 800-131 mode, controlled by the client. Fairly straightforward if you're already running FIPS 140-2.
– Strict mode – The server will only operate in strict compliance with the 800-131 standard. Any client that initiates an SSL handshake that is not compliant with the 800-131 standard will be blocked from establishing an SSL session with the server. Warning: All your clients MUST BE able to support 800-131.
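To make the security-mode chart, the Quality of protection (QoP) protocol values and the key points above concrete, here is an added checker (example code, not IBM's; SslConfig, check and client_can_connect are names chosen for this example) that tests a planned WAS SSL configuration against a chosen mode and shows which clients can still connect in transition versus strict mode.

```python
from dataclasses import dataclass

# Signature-algorithm groups as named on the security-mode chart.
SHA1_SIGS = {"SHA1withRSA", "SHA1withDSA"}
SHA2_RSA = {"SHA256withRSA", "SHA384withRSA", "SHA512withRSA"}
SHA2_ECDSA = {"SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA"}

# Security mode -> (allowed signature algorithms, allowed protocols), transcribed from the chart.
MODES = {
    "FIPS not enabled": (SHA1_SIGS | SHA2_RSA | SHA2_ECDSA,
                         {"SSL 1.0", "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"}),
    "FIPS140-2": (SHA1_SIGS | SHA2_RSA, {"TLS 1.0", "TLS 1.1", "TLS 1.2"}),
    "SP800-131 - Transition": (SHA1_SIGS | SHA2_RSA | SHA2_ECDSA, {"TLS 1.0", "TLS 1.1", "TLS 1.2"}),
    "SP800-131 - Strict": (SHA2_RSA | SHA2_ECDSA, {"TLS 1.2"}),
    "Suite B 128": ({"SHA256withECDSA"}, {"TLS 1.2"}),
    "Suite B 192": ({"SHA256withECDSA", "SHA384withECDSA"}, {"TLS 1.2"}),
}

# Protocol values selectable under Quality of protection (QoP) and what each one enables.
QOP_PROTOCOLS = {
    "SSL_TLS": {"SSL 3.0", "TLS 1.0"},  # the default
    "SSL": {"SSL 3.0"},
    "SSLv2": {"SSL 2.0"},
    "SSLv3": {"SSL 3.0"},
    "TLS": {"TLS 1.0"},
    "TLSv1": {"TLS 1.0"},
    "SSL_TLSv2": {"SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"},
    "TLSv1.1": {"TLS 1.1"},
    "TLSv1.2": {"TLS 1.2"},
}

SP800_131_MIN_RSA_BITS = 2048  # RSA 1024 cannot be used; minimum RSA 2048


@dataclass
class SslConfig:
    mode: str                  # one of the MODES keys
    qop_protocol: str          # Protocol chosen under Quality of protection (QoP)
    signature_algorithm: str   # algorithm the server certificate is signed with
    key_bits: int              # server certificate key length
    ciphers: tuple = ()        # cipher suite names enabled in the QoP


def check(cfg: SslConfig) -> list:
    """Return findings for a planned configuration; an empty list means it fits the mode."""
    allowed_sigs, allowed_protocols = MODES[cfg.mode]
    findings = []
    too_weak = sorted(QOP_PROTOCOLS[cfg.qop_protocol] - allowed_protocols)
    if too_weak:
        findings.append(f"protocol setting {cfg.qop_protocol} enables {', '.join(too_weak)}, "
                        f"which {cfg.mode} does not permit")
    if cfg.signature_algorithm not in allowed_sigs:
        findings.append(f"certificate signature {cfg.signature_algorithm} is not allowed in {cfg.mode}")
    sp800_131 = cfg.mode.startswith(("SP800-131", "Suite B"))
    # The 2048-bit floor applies to RSA/DSA keys; ECDSA keys (Suite B) are sized differently.
    rsa_or_dsa = cfg.signature_algorithm.endswith(("RSA", "DSA")) and \
        not cfg.signature_algorithm.endswith("ECDSA")
    if sp800_131 and rsa_or_dsa and cfg.key_bits < SP800_131_MIN_RSA_BITS:
        findings.append(f"certificate key length {cfg.key_bits} is below the "
                        f"SP800-131a minimum of {SP800_131_MIN_RSA_BITS}")
    for suite in cfg.ciphers:
        tokens = set(suite.split("_"))
        if sp800_131 and "DES" in tokens:
            findings.append(f"cipher {suite} uses DES, which SP800-131a prohibits")
        if allowed_protocols == {"TLS 1.2"} and tokens & {"MD5", "RC4"}:
            findings.append(f"cipher {suite} relies on MD5/RC4, which TLS 1.2 eliminates")
    return findings


def client_can_connect(cfg: SslConfig, client_protocols: set) -> bool:
    """Transition vs strict: a client connects only if it shares a protocol the mode allows."""
    _, allowed_protocols = MODES[cfg.mode]
    return bool(QOP_PROTOCOLS[cfg.qop_protocol] & allowed_protocols & client_protocols)


if __name__ == "__main__":
    # Constructed sample: an SP800-131 strict server still carrying FIPS 140-2 era settings.
    planned = SslConfig("SP800-131 - Strict", "SSL_TLSv2", "SHA1withRSA", 1024,
                        ("SSL_RSA_WITH_DES_CBC_SHA",))
    for finding in check(planned):
        print("-", finding)
    print("TLS 1.0-only client connects:", client_can_connect(planned, {"TLS 1.0"}))
```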

Page 22

You can simply enable TLS 1.2, and it is recommended.

You can simply enable TLS 1.2 as well as SSLv2, SSLv3, TLS 1.0, and TLS 1.1

–For clients that have the TLS 1.2 support, their connection can take advantage of the enhanced strength.

–Under SSL certificate and key management > SSL configurations > your Ssl Config > Quality of protection (QoP), change the Protocol to SSL_TLSv2.

–Fairly straight forward.

Page 23

What's new for Liberty Profile 8.5.0.0

Page 24

Liberty Profile Recap: Flexible, Lightweight Profile

Design themes: Simple Config, Incremental Publishing, Performance, Problem Determination

Incredibly fast (re)start times: <5 seconds
Memory footprint (web feature): <50 MB
Fast application deployment
Auto-update/restart – the runtime must react to changes and make them live
Load only what the application needs
Unzip-and-go install
Clear and concise simple messages
Clearly identify the location of problems
Never show system stack traces

Easy to configure
– Creating new profiles
– Simple configuration changes
– Sharing configurations among a large team
– Moving an application between development machines

Page 25

Simple Config in server.xml

UseCase: As a developer, I'd like to run my servlet application.

<server>
  <featureManager>
    <feature>servlet-3.0</feature>
  </featureManager>
</server>

Page 26

Liberty V8.5.0.0 security

Features Available
– Basic, Form, Cert login
– EE Programmatic APIs: isUserInRole, getUserPrincipal, getRemoteUser, authenticate, login, logout
– RunAsRole
– Transport layer security (SSL)
– Registry: Basic Registry, LDAP Registry (SSL, failover, referrals), SAF
– WebSphere Authorization, SAF Authorization
– Basic Single Sign-On – LTPA
– Authentication Aliases
– Session security
– JAAS
– TAI
– Relevant Public APIs (wsspi, websphere packages)
– JMX security: RestConnector security, MBean security
– Only one administrator role
– Simple password encoding

Page 27

SAF User Registries Modes

z/OS Authorized State
– Requires an active Angel Started Task and appropriate access to Liberty SAFCRED authorized functions
– Uses the SAF IRRSIA00 callable service
– Enables creation of the native credentials required for SAF authorization
– Provides efficient access to group information for a user
– Offers a significant performance advantage over the unauthorized mode

z/OS Program State
– Requires the server to run in an environment that satisfies the BPX.DAEMON requirements
– Uses the LE / USS __passwd_applid implementation
– Unable to create the native credentials required for SAF authorization
– Relies on the LE / USS implementation of getGroups

Page 28

Secure by Default

Since WAS V6.1, secure by default means:
– The security component is loaded at startup
– Security is on by default for administration tasks
– All security defaults are set appropriately
– Security for applications must be configured to enable it

For a Liberty Profile, secure by default means:
– The security component is NOT loaded at startup
– Security is on by default for administration tasks
– All security defaults are set appropriately
– Security for applications must be configured to enable it

Page 29

Configuring Security Features

appSecurity-1.0
– Includes all the security services (authentication, registry, authorization) and web-specific security code

zosSecurity-1.0
– Includes the SAF registry and authorization code

ssl-1.0
– Includes the SSL-specific code

Page 30

Example 1: Enable Security

<server>
  <featureManager>
    <feature>appSecurity-1.0</feature>
  </featureManager>
</server>

Page 31

Example 2: Enable Security with Quick Start

UseCase: As a developer, all I want is one user ID and password to test my applications and run admin tasks.

<server>
  <featureManager>
    <feature>appSecurity-1.0</feature>
  </featureManager>
  <quickStartSecurity userName="bob" userPassword="{xor}CDo9Hgw="/>
</server>

Page 32

Example 3: Basic Registry

UseCase: As a developer, all I want to configure is a basic registry with one or more users and groups.

<server>
  <featureManager>
    <feature>appSecurity-1.0</feature>
  </featureManager>
  <basicRegistry realm="basicRealm">
    <user name="bob" password="{xor}CDo9Hgw="/>
    <group name="group1">
      <member name="bob"/>
    </group>
  </basicRegistry>
</server>

Page 33

Example 4: z/OS SAF Registry

UseCase: As an administrator, I want to configure a SAF User Registry using WebSphere Authorization.

<server>
  <featureManager>
    <feature>zosSecurity-1.0</feature>
  </featureManager>
  <safRegistry id="saf"/>
</server>

Page 34

Example 5: z/OS SAF Registry with SAF Authorization

UseCase: As an administrator, I want to configure a SAF User Registry using SAF Authorization.

<server>
  <featureManager>
    <feature>zosSecurity-1.0</feature>
  </featureManager>
  <safAuthorization id="saf"/>
</server>

Page 35

Example 6: Simple SSL Configuration

UseCase: As a developer, I want to set up a simple SSL configuration using a Java-based keystore.

<server>
  <featureManager>
    <feature>ssl-1.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" password="{xor}DFoKyp="/>
</server>

Page 36

Example 7: z/OS SAF keyrings SSL Configuration

UseCase: I want SAF Key Rings for my SSL Configuration

<server>
  <featureManager>
    <feature>ssl-1.0</feature>
  </featureManager>
  <ssl id="DefaultSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>
  <keyStore id="defaultKeyStore" location="safkeyring:///WB2RING" type="JCERACFKS"
      password="{xor}Lz4sLCgwLTs=" fileBased="false" readOnly="true"/>
  <keyStore id="defaultTrustStore" location="safkeyring:///WB2RING" type="JCERACFKS"
      password="{xor}Lz4sLCgwLTs=" fileBased="false" readOnly="true"/>
</server>

Page 37

Example 8: LDAP using default filters

UseCase: I want to use LDAP as my user registry

<server>
  <featureManager>
    <feature>appSecurity-1.0</feature>
  </featureManager>
  <ldapRegistry id="ActiveDirectoryLDAP" realm="SampleLdapADRealm"
      host="host.domain.com" port="389" ignoreCase="true"
      baseDN="cn=users,dc=domain,dc=com"
      bindDN="cn=myuser,cn=users,dc=domain,dc=com"
      bindPassword="{xor}DFoKyp="
      ldapType="activeDirectory">
  </ldapRegistry>
</server>

Valid ldapType values are: Netscape Directory Server, IBM SecureWay Directory Server, Microsoft Active Directory, Sun Java System Directory Server, IBM Tivoli Directory Server, Novell eDirectory, IBM Lotus Domino, Custom. For Custom you are required to specify the LDAP filters. See the advanced LDAP config later in these charts.

Page 38

Remote JMX Services

Enable security by default for remote connections with minimal configuration.
– Add the RESTConnector feature
• This will dynamically include the security and SSL features.

<featureManager>
  <feature>restConnector-1.0</feature>
</featureManager>

– Minimal security configuration required:

<quickStartSecurity userName="<username>" userPassword="<password>"/>
<keyStore id="defaultKeyStore" password="{xor}DFoKyp="/>

• The minimal security configuration will not be used if security is configured explicitly.

Page 39

What's new for Liberty Profile 8.5.5.0

Page 40

Summary of Security Features

Feature | Introduced | Description
appSecurity-1.0 | 8.5.0.0 | All the security services (authentication, registry, authorization) and web-specific security code
zosSecurity-1.0 | 8.5.0.0 | z/OS SAF registry and authorization code
ssl-1.0 | 8.5.0.0 | SSL-specific code
appSecurity-2.0 | 8.5.5.0 | All the security services (authentication and authorization) and federation of user registries
ldapRegistry-3.0 | 8.5.5.0 | LDAP user registry
OAUTH-2.0 | 8.5.5.0 | OAUTH 2.0 support
<myCustomUserReg> | 8.5.5.0 | A user-defined feature for a custom user registry

Page 41

appSecurity-2.0

The new version appSecurity-2.0 is designed to supersede the older version appSecurity-1.0.

appSecurity-2.0 is designed to be more lightweight because it does not include support for the LDAP user registry and does not automatically include the servlet-3.0 feature.

We recommend using the new version instead, adding any required features as necessary. For example, update your server.xml as follows:

<featureManager>
  <!-- Don't use the superseded version -->
  <!-- <feature>appSecurity-1.0</feature> -->
  <feature>appSecurity-2.0</feature>
  <!-- Add servlet-3.0 if you want to secure web applications -->
  <feature>servlet-3.0</feature>
</featureManager>

Page 42

EJB Security

Liberty 8.5.5.0 introduces EJB Lite 3.1
– Designed to control who can access your EJBs, either at the bean level or at the method level
– Control the identity your EJB will use when it makes calls, either at the bean level or at the method level
– The Web Profile version of EJB is supported; full EJB and remote look-up are not supported

EJB Security
– Securing your EJBs is critical to ensure only authorized users can perform certain actions in your environment

How to use this feature?
– Add the features appSecurity-2.0 and ejblite-3.1 to secure your EJBs
– Specify security elements in your application's deployment descriptor ejb-jar.xml or the IBM extensions file ibm-ejb-jar-ext.xml, or use annotations

Page 43

Custom User Registry

Allows for a customised user registry of users and groups in the Liberty profile for authentication.

Support is mostly the same as in full profile WebSphere.

Requires the Custom User Registry to be a Liberty user feature, configured in server.xml as:

<featureManager>
  <feature>appSecurity-2.0</feature>
  <feature>usr:myCustomTAI-1.0</feature>
</featureManager>

Page 44

Custom User Registry difference between Full profile and Liberty

Liberty Custom User Registry (CUR) is designed to be a user feature

Two additional methods in the CUR
– The activate method – When the server starts or when a feature is added to the config dynamically, the user feature is detected by the feature manager, the bundles are installed into the OSGi framework and activated/started, and the activate() method is called.
– The deactivate method is called when your feature is being deactivated.

A publish/features/<myFeature>.mf file must be contained in your jar file. For example:

Subsystem-ManifestVersion: 1
Subsystem-SymbolicName: customRegistrySample-1.0;visibility:=public
Subsystem-Version: 1.0.0
Subsystem-Content: com.ibm.websphere.security; version="[1,1.0.100)", com.ibm.ws.security.registry.custom.sample; version="[1,1.0.100)"
Subsystem-Type: com.ibm.websphere.feature
IBM-Feature-Version: 2

For more information, please see the infocenter

Page 45

Liberty Trust Association Interceptor (TAI)

By design, the TAI can be a user feature or a non-user feature. The recommendation is a user feature.

Similar to the CUR, there are two additional methods
– The activate method – When the server starts or when a feature is added to the config dynamically, the user feature is detected by the feature manager, the bundles are installed into the OSGi framework and activated/started, and the activate() method is called.
– The deactivate method is called when your feature is being deactivated.

A publish/features/<myFeature>.mf file must be contained in your jar file. For example:

Subsystem-ManifestVersion: 1
Subsystem-SymbolicName: customTAISample-1.0;visibility:=public
Subsystem-Version: 1.0.0
Subsystem-Content: com.ibm.websphere.security; version="[1,1.0.100)", com.ibm.ws.security.sample; version="[1,1.0.100)"
Subsystem-Type: com.ibm.websphere.feature
IBM-Feature-Version: 2

For more information, please see the infocenter
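The slide names the activate/deactivate lifecycle but not what a TAI packaged this way does inside it. The following is an added example written for this page, not IBM's sample code, of a TAI class that could live in a bundle like the com.ibm.ws.security.sample entry of the manifest above. It accepts a user identity asserted by a reverse proxy only when the proxy proves it with an HMAC over the user and a timestamp, because a bare identity header can be set by anyone who reaches the server directly. The package, class and header names, the sharedSecret configuration property and the Declarative Services registration properties are assumptions of the example; the TrustAssociationInterceptor, TAIResult and exception types are the WebSphere SPI the slide refers to.

```java
package com.example.security.tai;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Properties;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

/**
 * Constructed example TAI for a Liberty user feature; not IBM's sample code.
 * A reverse proxy in front of Liberty asserts the authenticated user in X-Proxy-User and
 * proves it with X-Proxy-Mac = Base64(HMAC-SHA256(sharedSecret, user + "\n" + X-Proxy-Ts)).
 * An identity header with no such proof can be set by anyone who reaches the server
 * directly, so the TAI never accepts the user header on its own.
 */
@Component(service = TrustAssociationInterceptor.class,
           property = { "id=hmacHeaderTai", "invokeBeforeSSO:Boolean=true" }) // assumed registration properties
public class HmacHeaderTai implements TrustAssociationInterceptor {

    private static final String USER_HEADER = "X-Proxy-User"; // header names are assumptions of this example
    private static final String TS_HEADER   = "X-Proxy-Ts";   // issue time, epoch seconds
    private static final String MAC_HEADER  = "X-Proxy-Mac";
    private static final long   MAX_SKEW_SECONDS = 300;       // replay window for a captured header set

    private volatile byte[] sharedSecret;                     // null while the feature is inactive

    /** Called by the feature manager once the bundle is installed and started (the activate method above). */
    @Activate
    protected void activate(Map<String, Object> config) {
        String secret = (String) config.get("sharedSecret");  // assumed configuration property
        if (secret == null || secret.length() < 32) {
            throw new IllegalStateException("sharedSecret must be configured and be at least 32 characters");
        }
        sharedSecret = secret.getBytes(StandardCharsets.UTF_8);
    }

    /** Called when the feature is removed from server.xml or the server stops (the deactivate method above). */
    @Deactivate
    protected void deactivate() {
        sharedSecret = null;                                  // stop trusting assertions immediately
    }

    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        // Claim only requests carrying the full header set; all others fall through to normal authentication.
        return req.getHeader(USER_HEADER) != null && req.getHeader(TS_HEADER) != null
                && req.getHeader(MAC_HEADER) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        byte[] key = sharedSecret;
        if (key == null || !req.isSecure()) {                 // never accept an assertion over plain HTTP
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        String user = req.getHeader(USER_HEADER);
        boolean ok = verify(key, user, req.getHeader(TS_HEADER), req.getHeader(MAC_HEADER),
                            System.currentTimeMillis() / 1000);
        if (!ok) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        return TAIResult.create(HttpServletResponse.SC_OK, user); // Liberty resolves 'user' in the configured registry
    }

    /** Pure check, static so it can be unit-tested without a servlet container. */
    static boolean verify(byte[] key, String user, String ts, String macB64, long nowSeconds) {
        try {
            if (Math.abs(nowSeconds - Long.parseLong(ts)) > MAX_SKEW_SECONDS) {
                return false;
            }
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] expected = mac.doFinal((user + "\n" + ts).getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(expected, Base64.getDecoder().decode(macB64)); // constant-time compare
        } catch (Exception e) {                               // bad number, bad Base64, missing algorithm: not trusted
            return false;
        }
    }

    @Override public int initialize(Properties props) throws WebTrustAssociationFailedException { return 0; }
    @Override public String getVersion() { return "1.0"; }
    @Override public String getType() { return getClass().getName(); }
    @Override public void cleanup() { }
}
```

Two design points worth noting: the secret is loaded in activate() and cleared in deactivate(), so removing the feature from server.xml stops every assertion from being honoured without a restart, and a FORBIDDEN result (rather than falling through) is returned whenever the proof is missing or wrong, so a forged header cannot be downgraded into a normal login attempt with the asserted name pre-filled.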


Federated User Registry

Designed to federate multiple registries together. These registries are defined and combined under a single realm, providing a single view of a user registry and supporting the logical joining of entries across multiple user repositories.

Liberty Profile 8.5.5.0 is designed to support only the federation of LDAP repositories.
– Only one or more LDAP configurations
– Any other combination with a Basic Registry or Custom User Registry is not supported.

How to use this feature?
– Add the features appSecurity-2.0 and ldapRegistry-3.0 to enable this feature
– Specify more than one <ldapRegistry> tag to configure the LDAP registries
– Specify the <federatedRepository> tag in server.xml to enable the federation of multiple LDAP user registries


Example 1: LDAP Configuration

<server>
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
    </featureManager>

    <ldapRegistry id="ldap" realm="SampleLdapADRealm"
        host="smpc100.austin.ibm.com" port="636" ignoreCase="true"
        baseDN="cn=users,dc=secfvt2,dc=austin,dc=ibm,dc=com"
        bindDN="cn=testuser,cn=users,dc=secfvt2,dc=austin,dc=ibm,dc=com"
        bindPassword="testuserpwd"
        ldapType="Microsoft Active Directory"/>
</server>


Example: Federating 2 LDAP servers

<server>
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
    </featureManager>

    <ldapRegistry id="TDS" realm="SampleLdapIDSRealm"
        host="ralwang.rtp.raleigh.ibm.com" port="389" ignoreCase="true"
        baseDN="o=ibm,c=us" ldapType="IBM Tivoli Directory Server">
    </ldapRegistry>

    <ldapRegistry id="AD" realm="SampleLdapADRealm"
        host="smpc100.austin.ibm.com" port="389" ignoreCase="true"
        baseDN="cn=users,dc=secfvt2,dc=austin,dc=ibm,dc=com"
        bindDN="cn=testuser,cn=users,dc=secfvt2,dc=austin,dc=ibm,dc=com"
        bindPassword="testuserpwd" ldapType="Microsoft Active Directory">
    </ldapRegistry>

    <federatedRepository>
        <primaryRealm name="FederationRealm">                                   <!-- Virtual realm WAS Security sees -->
            <participatingBaseEntry name="o=ibm,c=us"/>                          <!-- TDS configuration -->
            <participatingBaseEntry name="cn=users,dc=secfvt2,dc=austin,dc=ibm,dc=com"/> <!-- AD configuration -->
        </primaryRealm>
    </federatedRepository>
</server>


Protecting Liberty Passwords

Passwords can be stored in server.xml, or they can be stored in a separate file that is pulled into the Liberty configuration with <include> in server.xml:

<server>
    <include location="${shared.config.dir}/myPasswordConfig.xml"/>
</server>

myPasswordConfig.xml should have file permissions set to allow only appropriate access.

Password formats
− Clear text
− XOR – uses XOR encoding
− AES – passwords are encrypted using AES 128
− HASH – passwords are hashed with PBKDF2WithHmacSHA1
Note: Encrypting a password does not guarantee that the password is secure. File permissions do.

securityUtility command
− A command line utility offering the ability to XOR, AES encrypt, or hash passwords
− The result can then be cut and pasted into server.xml
− securityUtility -encoding=[xor|aes|hash]

Liberty offers a default key when using AES encryption. To override the key, you need to
− securityUtility -key=myStringKey
− wlp.password.encryption.key=myStringKey must be specified in server.xml
Note: Recommend storing this property in a separate, protected include file.
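The slide's point is that encoding keeps a password out of casual view while the permissions on the included file are what actually protect it. The following is an added example, not IBM code, that audits a server.xml tree for both conditions: it follows each <include>, flags any attribute whose name contains "password" and whose value carries none of the {xor}, {aes} or {hash} prefixes that securityUtility produces, and reports an included file that group or others can read. main() builds a constructed server.xml pair in a temporary directory (the clear-text bindPassword is the one from the LDAP example earlier) so it runs without a Liberty installation; the variable map, file names and the attribute-name heuristic are assumptions of the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

/** Constructed example, not IBM code: audit a Liberty config tree for clear-text passwords and loose include permissions. */
public class LibertyPasswordAudit {
    private static final List<String> ENCODED = Arrays.asList("{xor}", "{aes}", "{hash}"); // securityUtility outputs
    private static final Pattern VAR = Pattern.compile("\\$\\{([^}]+)\\}");

    /** Walks server.xml and every file it includes, returning one line per finding. */
    static List<String> audit(Path serverXml, Map<String, String> vars) throws Exception {
        List<String> out = new ArrayList<>();
        auditFile(serverXml, vars, out, new HashSet<>(), false);
        return out;
    }

    private static void auditFile(Path file, Map<String, String> vars, List<String> out,
                                  Set<Path> seen, boolean isInclude) throws Exception {
        if (!seen.add(file.toAbsolutePath().normalize())) return;        // guard against include cycles
        if (isInclude) checkPermissions(file, out);                       // the slide's real control
        Document doc = parse(Files.readAllBytes(file));
        walk(doc.getDocumentElement(), file, out);
        NodeList includes = doc.getElementsByTagName("include");
        for (int i = 0; i < includes.getLength(); i++) {
            String location = ((Element) includes.item(i)).getAttribute("location");
            Path target = file.getParent().resolve(expand(location, vars));
            if (Files.isRegularFile(target)) auditFile(target, vars, out, seen, true);
            else out.add(file.getFileName() + ": include not found: " + location);
        }
    }

    /** Any attribute whose name contains "password" must carry one of the encoded prefixes. */
    private static void walk(Element el, Path file, List<String> out) {
        NamedNodeMap attrs = el.getAttributes();
        for (int i = 0; i < attrs.getLength(); i++) {
            Attr a = (Attr) attrs.item(i);
            if (a.getName().toLowerCase(Locale.ROOT).contains("password") && !isEncoded(a.getValue())) {
                out.add(file.getFileName() + ": <" + el.getTagName() + "> " + a.getName() + " is clear text");
            }
        }
        NodeList kids = el.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            if (kids.item(i) instanceof Element) walk((Element) kids.item(i), file, out);
        }
    }

    static boolean isEncoded(String value) {
        for (String p : ENCODED) if (value.startsWith(p)) return true;
        return false;
    }

    /** ${name} substitution for the Liberty variables passed in; unknown names are left untouched. */
    static String expand(String location, Map<String, String> vars) {
        Matcher m = VAR.matcher(location);
        StringBuffer sb = new StringBuffer();
        while (m.find()) m.appendReplacement(sb, Matcher.quoteReplacement(vars.getOrDefault(m.group(1), m.group(0))));
        return m.appendTail(sb).toString();
    }

    private static void checkPermissions(Path file, List<String> out) throws IOException {
        try {
            Set<PosixFilePermission> perms = new HashSet<>(Files.getPosixFilePermissions(file));
            perms.retainAll(EnumSet.of(PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
                                       PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE));
            if (!perms.isEmpty()) out.add(file.getFileName() + ": accessible to group or others " + perms);
        } catch (UnsupportedOperationException e) {
            out.add(file.getFileName() + ": not a POSIX file system, check the ACL by hand");
        }
    }

    private static Document parse(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, hence no XXE
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a server.xml that includes a password file holding a clear-text LDAP bind password.
        Path dir = Files.createTempDirectory("wlp-audit");
        Path include = dir.resolve("myPasswordConfig.xml");
        Files.write(dir.resolve("server.xml"), ("<server>\n"
                + "  <keyStore id=\"defaultKeyStore\" password=\"{xor}EXAMPLE-ENCODED-VALUE\"/>\n"
                + "  <include location=\"${shared.config.dir}/myPasswordConfig.xml\"/>\n"
                + "</server>\n").getBytes(StandardCharsets.UTF_8));
        Files.write(include, ("<server>\n"
                + "  <ldapRegistry id=\"ldap\" bindDN=\"cn=testuser\" bindPassword=\"testuserpwd\"/>\n"
                + "</server>\n").getBytes(StandardCharsets.UTF_8));
        try { Files.setPosixFilePermissions(include, PosixFilePermissions.fromString("rw-r--r--")); }
        catch (UnsupportedOperationException ignored) { }
        Map<String, String> vars = Collections.singletonMap("shared.config.dir", dir.toString());
        for (String finding : audit(dir.resolve("server.xml"), vars)) System.out.println(finding);
    }
}
```

Pointed at a real profile, pass the server's own values for shared.config.dir and server.config.dir in the map. The parser is configured without DTD support because server.xml and its includes are administrator-controlled files that never need entity expansion, and a config audit tool should not itself become an XXE vector.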


createSSLCertificate Command

Creates a default SSL certificate for use in the server configuration. The generated keystore file key.jks is placed under the /resources/security directory of the server specified in --server. The key algorithm is RSA and the signature algorithm is SHA1withRSA.

The arguments are:

--server=name
    Specifies the name of the Liberty profile server for keystore creation. Required.

--password=passwd
    Specifies the password to be used in the keystore, which must be at least six characters in length. This option is required.

--passwordEncoding=password_encoding_type
    Specifies how to encode the keystore password: xor or aes. Default is xor.

--passwordkey=password_encryption_key
    Specifies the key to be used when encoding the keystore password using AES encryption. This string is hashed to produce an encryption key that is used to encrypt and decrypt the password. The key can be provided to the server by defining the variable wlp.password.encryption.key whose value is the key. If this option is not provided, a default key is used.

--validity=days
    Specifies the number of days that the certificate is valid, which must be equal to or greater than 365. The default value is 365. This option is optional.

--subject=DN
    Specifies the Distinguished Name (DN) for the certificate subject and issuer. The default value is CN=localhost,O=ibm,C=us. This option is optional.


Security Capabilities

Capability                                                            Full Profile   Liberty
Authentication – Basic Auth, Form-based, Certificate Authentication   X              X
User Registry
  LDAP                                                                X              X
  Custom                                                              X
  Database                                                            X
  Basic                                                               X              X
  SAF                                                                 X              X
  Local Registry                                                      X
  Federation                                                          X              LDAP only
WebSphere Authorization                                               X              X
SAF Authorization                                                     X              X
SSO
  LTPA                                                                X              X
  Kerberos (SPNEGO)                                                   X
  OAuth 2.0                                                           X              X
  SAML Web SSO Post Binding Profile                                   X
  SAML Web Service Token Profile 1.0                                  X
Member Management                                                     X
Key and Certificate Management                                        X
Security Auditing                                                     X


Web Services Security

Web Services Security (WS-Security) is an OASIS standard that describes how to secure Web services. WS-Security includes XML signature, encryption, authentication, timestamp, etc.
- JAX-WS is supported; JAX-RPC is not
- Used to provide message-level, end-to-end security, which is above and beyond traditional transport-level security

How to use this feature?
- Add the Liberty features wsSecurity-1.1 and appSecurity-2.0


Web Services Security Capabilities

Capability                                                      WAS full profile   Liberty
SOAP Message Security 1.1                                       x                  x
Username Token Profile 1.1
  PasswordText                                                  x                  x
  PasswordDigest                                                x
  Key Derivation                                                x
X.509 Token Profile 1.1
  X509 V3 token                                                 x                  x
  X509PKIPathv1                                                 x
  PKCS7                                                         x
WS-SecurityPolicy                                               1.3                1.2 (partial support)
Basic Security Profile 1.1                                      x                  x
WS-Security Token as authentication and authorization token     x                  x
SAML token profile 1.1                                          x
Kerberos Token Profile 1.1                                      x
WS-SecureConversation 1.3                                       x
WS-Trust 1.3                                                    x
LTPA and LTPA2 token                                            x
Generic and custom security token type (e.g. passticket)        x


Appendix: Details on how to configure FIPS 800-131


Scenario 1: Migrate current system from FIPS 140-2 to SP800-131

Scenario: A system administrator wants to migrate the system from FIPS 140-2 to SP 800-131 strict mode by going through transition mode.

Steps:
1. On the deployment manager, confirm the current FIPS status.
2. On the deployment manager, configure SP 800-131 transition mode.
3. Propagate the change to the nodes.
4. On the deployment manager, update the SSL protocol to TLSv1.2, which is the SP 800-131 compliant level.
5. Make sure other programs, such as browsers, LDAP, and other programs, communicate using TLSv1.2.
6. Update ssl.client.props to communicate with the nodes.
7. Propagate the change to the nodes.
8. On the deployment manager, configure SP 800-131 strict mode.
9. Convert certificates to a signature algorithm that complies with SP800-131.


Scenario 2: Configure system to SP800-131 mode

Scenario: As a system administrator, I want to configure WebSphere to be compliant with the SP800-131 standard.

Steps:
1. On the deployment manager, convert certificates to comply with the SP800-131 standard.
2. On the deployment manager, configure SP 800-131 strict mode.
3. Propagate the change to the nodes by doing a manual node sync.
4. Restart the deployment manager and all the nodes and servers in the cell.
5. Make sure other programs, such as browsers, LDAP, and other programs, communicate using TLSv1.2.
6. Update ssl.client.props to communicate with the nodes.

WARNING: BE SURE TO DISABLE dynamic SSL prior to turning on strict mode. The Dmgr and nodes will be in an incompatible mode: the Dmgr will likely switch to TLSv1.2 before the nodes do, they will likely still be at SSL_TLS, and the nodes and Dmgr will no longer be able to communicate. We STRONGLY RECOMMEND that you stop all the nodes except the Dmgr. Do the conversion on the console, restart the Dmgr, manually sync the nodes, then start the node agents and servers.


Scenario 3: Configure system to Suite B mode

Scenario: As a system administrator, I want to configure WebSphere to be compliant with the Suite B standard.

Steps:
1. On the deployment manager, convert certificates to comply with the Suite B standard.
2. On the deployment manager, configure Suite B mode.
3. Propagate the change to the nodes by doing a manual node sync.
4. Restart the deployment manager and all the nodes and servers in the cell.
5. Make sure other programs, such as browsers, LDAP, and other programs, communicate using TLSv1.2.
6. Update ssl.client.props to communicate with the nodes.


Preparing for configuration

FIPS configuration includes certificate conversion and an SSL protocol update. The system administrator may want to consider turning off the "Dynamic SSL update" feature so that the change takes effect only after restarting the cell. In the following section, the screen captures for scenario 1 show the configuration with the dynamic SSL update feature on. The screen captures for scenarios 2 and 3 show the configuration with the dynamic SSL update feature off.


Preparing for configuration – 2

The system administrator may also want to back up the configuration before the FIPS configuration, so that it can be restored, as the change will affect communication with other programs.

backupConfig command for v8 (contains URL link to restoreConfig command)
http://publib.boulder.ibm.com/infocenter/wasinfo/v8r0/index.jsp?topic=%2Fcom.ibm.websphere.nd.multiplatform.doc%2Finfo%2Fae%2Fae%2Frxml_backupconfig.html&resultof=%22backupConfig%22%20%22backupconfig%22

backupConfig command for v7 (contains URL link to restoreConfig command)
http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.nd.multiplatform.doc%2Finfo%2Fae%2Fae%2Frxml_backupconfig.html&resultof=%22backupConfig%22%20%22backupconfig%22


Manage FIPS panel

The Manage FIPS panel is launched from:

administrative console -> Security -> SSL certificate and key management.


Confirm current FIPS Level

Confirm the current FIPS level. In the example below, FIPS 140-2 is configured.


Configure SP 800-131 transition mode

Configure SP 800-131 transition mode. Transition mode supports both the current algorithms and SSL protocols as well as the ones that comply with SP 800-131 strict mode.


Save transition mode

Save transition mode and restart the deployment manager. Run the syncNode command manually to propagate the change to the nodes.


Update SSL protocol to require TLSv1.2

Now, on the deployment manager, update the SSL protocol to require TLSv1.2 to be compliant with SP800-131. This change takes effect immediately if the dynamic SSL update feature is enabled (the default configuration).


Check browser configuration

If the administrative console is no longer accessible from the browser after changing the SSL protocol to "TLSv1.2", it is likely that the browser is not configured for, or does not support, the protocol.

Internet Explorer v8 (on Windows 7 and Windows 2008) has an option to enable the protocol under Tools > Internet Options > Advanced (tab) > Security.

The Firefox support schedule may be found at: http://forums.mozillazine.org/viewtopic.php?f=7&t=1831235


Check user registry configuration

Ensure that the connection to the user registry is working after the SSL protocol change to "TLSv1.2".

The following is an example where LDAP keeps using "TLSv1" while WebSphere requires "TLSv1.2". In this case, it is necessary to reconfigure LDAP so that it can communicate using "TLSv1.2".

A similar connection test is necessary for a Federated Repository or a custom user registry where an SSL connection is used.


Check nodes

Communication between the deployment manager and the nodes will also be affected when the SSL protocol is changed to "TLSv1.2". It is necessary to run the syncNode command manually.

Prior to running the command, ssl.client.props needs to be updated so that the syncNode command uses "TLSv1.2" to communicate with the deployment manager.


ssl.client.props file

The following steps will re-establish the communication between the deployment manager and the nodes.

Prior to running the commands, the {profile_root}/properties/ssl.client.props file needs to be updated so that WebSphere commands use "TLSv1.2" to communicate with the deployment manager.

(1) Stop Dmgr (requires updating ssl.client.props for the stopManager command)
(2) Start Dmgr
(3) Stop Node
(4) Synchronize node with Dmgr (may require updating ssl.client.props for the syncNode command)
(5) Start Node

# Sample ssl.client.props
#-------------------------------------------------------------------------
# Global SSL Properties (applies to entire process)
#-------------------------------------------------------------------------
com.ibm.ssl.defaultAlias=DefaultSSLSettings
com.ibm.ssl.performURLHostNameVerification=false
com.ibm.ssl.validationEnabled=false
# turn on when FIPS is enabled
com.ibm.security.useFIPS=true
# specify mode
com.ibm.websphere.security.FIPSLevel=transition
user.root=C:/WAS80ND/AppServer/profiles/Dmgr01
....
#-------------------------------------------------------------------------
# This SSL configuration is used for all client SSL connections, by default
#-------------------------------------------------------------------------
com.ibm.ssl.alias=DefaultSSLSettings
# ssl protocol
com.ibm.ssl.protocol=TLSv1.2
…..


Enable SP 800-131 strict mode

Turn on SP 800-131 strict mode to fully comply with the SP800-131 requirements. Select the options below on the Manage FIPS panel and select Apply/OK.


Convert certificates

If there are certificates that do not comply with the SP 800-131 requirements, the following message is shown. Click on the "Convert certificates" link to perform the conversion.


Select signature algorithm and key size

For the selected security mode, the available signature algorithms and key sizes are shown. Select from the pull-down menu and click on Apply/OK. Certificate conversion may take a while.


Save certificates

After a successful certificate conversion, the following panel appears.

Click on Save to replace the certificates with the converted ones, then select "Strict" mode and press Apply/OK to enable SP 800-131 strict mode.


Certificates from certificate authority

Certificates issued by a certificate authority cannot be converted by this feature. Certificates in a read-only keystore cannot be converted either.

These certificates will be shown in the box below. It is the system administrator's responsibility to update these certificates to comply with SP 800-131 (please see the "How to replace certificate" InfoCenter link in the reference section).

SP 800-131 strict mode will not be turned on until all certificates comply with the requirement.
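The panel converts only the certificates it can rewrite; the CA-issued and read-only-keystore certificates above are the administrator's to find and replace. As an added example (not IBM code), the following Java program opens a keystore, applies the SP 800-131A minimums this appendix is about (a SHA-2 signature, RSA/DSA keys of at least 2048 bits, EC keys of at least 224 bits) to every certificate, and lists the entries that would keep strict mode from turning on. The thresholds are this example's reading of SP 800-131A; keystore path, password and type are command-line arguments, and the default key.jks that createSSLCertificate produces on the earlier slide (SHA1withRSA) is exactly the kind of entry it reports.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;

/**
 * Constructed example, not IBM code: report the certificates in a keystore that SP 800-131
 * strict mode will reject, so the administrator knows what to replace before enabling it.
 */
public class Sp800131KeystoreCheck {

    /** Minimums from SP 800-131A as applied here: SHA-2 signature, RSA/DSA >= 2048 bits, EC >= 224 bits. */
    static List<String> violations(X509Certificate cert) {
        List<String> reasons = new ArrayList<>();
        String sig = cert.getSigAlgName().toUpperCase(Locale.ROOT);   // e.g. "SHA256WITHRSA", "SHA1WITHRSA"
        boolean sha2 = sig.startsWith("SHA224") || sig.startsWith("SHA256")
                    || sig.startsWith("SHA384") || sig.startsWith("SHA512");
        if (!sha2) {
            // SHA1withRSA (the createSSLCertificate default) and MD5 signatures land here.
            // RSASSA-PSS names its hash in the parameters, not the algorithm name: review those by hand.
            reasons.add("signature algorithm " + cert.getSigAlgName());
        }
        PublicKey pk = cert.getPublicKey();
        if (pk instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) pk).getModulus().bitLength();
            if (bits < 2048) reasons.add("RSA key " + bits + " bits");
        } else if (pk instanceof DSAPublicKey) {
            int bits = ((DSAPublicKey) pk).getParams().getP().bitLength();
            if (bits < 2048) reasons.add("DSA key " + bits + " bits");
        } else if (pk instanceof ECPublicKey) {
            int bits = ((ECPublicKey) pk).getParams().getCurve().getField().getFieldSize();
            if (bits < 224) reasons.add("EC key " + bits + " bits");
        } else {
            reasons.add("unrecognised key algorithm " + pk.getAlgorithm());
        }
        return reasons;
    }

    /** Scans every alias; returns "alias: reason, reason" for each non-compliant entry. */
    static List<String> scan(KeyStore ks) throws Exception {
        List<String> findings = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);          // a key entry's own certificate, or a trusted cert
            if (!(c instanceof X509Certificate)) continue;
            List<String> why = violations((X509Certificate) c);
            if (!why.isEmpty()) findings.add(alias + ": " + String.join(", ", why));
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java Sp800131KeystoreCheck <keystore> <password> [JKS|PKCS12]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : "JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        List<String> findings = scan(ks);
        if (findings.isEmpty()) {
            System.out.println("all " + ks.size() + " certificates meet the SP 800-131 strict minimums");
        } else {
            for (String f : findings) System.out.println("NOT COMPLIANT  " + f);
            System.exit(1);                                    // non-zero so the check can gate a change window
        }
    }
}
```

Run it against each server's keystore and truststore (full profile keystores are usually PKCS12, Liberty's key.jks is JKS) before turning on strict mode; a trust store entry for a partner's SHA-1 CA certificate is as much of a blocker as your own server certificate, which is the "exchanging certificates with other programs" step on the following slide.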


Migration to SP 800-131 strict mode

After SP 800-131 strict mode is enabled, the system administrator needs to check the communication between WebSphere and other programs, just as when "TLSv1.2" was turned on.

To restore communication between the deployment manager and the nodes, it is necessary to run syncNode manually with another update in ssl.client.props. Expect the following prompt asking for a truststore update when issuing WebSphere commands and the wsadmin command.

Exchanging certificates with other programs may be required to restore communication.

Once all the communications are found to be successful, the system is compliant with SP 800-131.


wsadmin commands

Newly introduced commands for this feature:

FIPSCommands command group
– enableFips
– getFipsInfo
– listCertStatusForSecurityStandard
– convertCertForSecurityStandard

KeyStoreCommands group
– listSignatureAlgorithms

SSLConfigCommands group
– listSSLProtocolTypes

Updated commands with the -signatureAlgorithm parameter (optional parameter):

PersonalCertificateCommands group
– createSelfSignedCertificate

CertificateRequestCommands group
– createCertificateRequest


References – Security Standards

FIPS Publications on National Institute of Standards and Technology (NIST)
http://csrc.nist.gov/publications/PubsFIPS.html

SP800-131a
http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

National Security Agency - NSA Suite B Cryptography
http://www.nsa.gov/ia/programs/suiteb_cryptography/

Suite B (RFC 6460)
http://tools.ietf.org/rfc/rfc6460.txt


We love your Feedback!

Don't forget to submit your Impact session and speaker feedback!

• Your feedback is very important to us – we use it to improve next year's conference
• Go to the Impact 2013 SmartSite (http://impactsmartsite/com):
‒ Use the session ID number to locate the session
‒ Click the "Take Survey" link
‒ Submit your feedback


Legal Disclaimer

• © IBM Corporation 2013. All Rights Reserved.

• The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

• References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

• If the text contains performance statistics or references to benchmarks, insert the following language; otherwise delete:Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

• If the text includes any customer examples, please confirm we have prior written approval from such customer and insert the following language; otherwise delete:All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

• Please review text for proper trademark attribution of IBM products. At first use, each product name must be the full name and include appropriate trademark symbols (e.g., IBM Lotus® Sametime® Unyte™). Subsequent references can drop “IBM” but should include the proper branding (e.g., Lotus Sametime Gateway, or WebSphere Application Server). Please refer to http://www.ibm.com/legal/copytrade.shtml for guidance on which trademarks require the ® or ™ symbol. Do not use abbreviations for IBM product names in your presentation. All product names must be used as adjectives rather than nouns. Please list all of the trademarks that you use in your presentation as follows; delete any not included in your presentation. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.

• If you reference Adobe® in the text, please mark the first use and include the following; otherwise delete:Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

• If you reference Java™ in the text, please mark the first use and include the following; otherwise delete:Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

• If you reference Microsoft® and/or Windows® in the text, please mark the first use and include the following, as applicable; otherwise delete:Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

• If you reference Intel® and/or any of the following Intel products in the text, please mark the first use and include those that you use as follows; otherwise delete:Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

• If you reference UNIX® in the text, please mark the first use and include the following; otherwise delete:UNIX is a registered trademark of The Open Group in the United States and other countries.

• If you reference Linux® in your presentation, please mark the first use and include the following; otherwise delete:Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.

• If the text/graphics include screenshots, no actual IBM employee names may be used (even your own), if your screenshots include fictitious company names (e.g., Renovations, Zeta Bank, Acme) please update and insert the following; otherwise delete: All references to [insert fictitious company name] refer to a fictitious company and are used for illustration purposes only.