What is new for security specialists
This topic highlights new or changed features for those who are responsible for securing applications and the application-serving environment in WebSphere® Application Server traditional.
- Hostname and IP address verification are enabled by default. The verification is enforced for target servers in all SSL connections by using WebSphere socket factories. However, you can specify a list of hostnames, IP addresses, or both to skip for verification. For more information about the function, see the following topics.
- Security custom properties
Use the com.ibm.websphere.security.addPartitionedAttributeToCookie custom property to add the Partitioned attribute to the LTPA and TAI cookies. The Partitioned attribute allows only top-level sites to access cookies that the application server writes.
- Security custom properties
Use the com.ibm.websphere.crypto.config.certexp.notify.emailSubject property to customize the subject line of a notification email for certificate expiration. You can also include the cell scope by appending _addManagementScope to the chosen value. The default value for this property is a placeholder, intended to be replaced with a custom email subject line, with or without the _addManagementScope suffix.
- OpenID Connect Relying Party custom properties
Use the provider_<id>.usePkce property to set whether the Trust Association Interceptor (TAI) uses Proof Key for Code Exchange (PKCE) when authenticating with the authorization code flow.
- Security Web Server Plug-in properties in the plugin-cfg.xml file
The following Web Server Plug-in properties are added to the plugin-cfg.xml file to enhance security.
HostVerificationStartupCheck
Specifies whether the plug-in validates all defined transports within the XML at startup.
SecureHostVerification
Specifies how to process when validation fails.
IMSecureConnectorVerification
Specifies whether the plug-in validates all connectors within the Intelligent Management group.
IMSecureEndpointVerification
Specifies whether the plug-in validates the Endpoint hostname that is returned by the connector.
GlobalHostAlias
Specifies a comma-separated list of either hostname or IP values for which you want certificate validation performed.
HostnameAlias
This property is specifically a transport property to validate a certificate for a single hostname value.
- Changes in FIPS provider, SSL ciphers, and TLS version
  - The IBMJCEFIPS provider is replaced with the IBMJCEPlusFIPS provider.
  - SSL ciphers are removed.
  - TLS 1.0 is replaced with TLS 1.2.
- Security custom properties
Use the com.ibm.websphere.audit.config.notify.fromAddress custom property to customize the from address of a notification email for audit monitoring. The default value for this property is WebSphereNotification@ibm.com.
- Security custom properties
Use the com.ibm.websphere.security.ldap.suppressICH31005I property so that the application server handles a javax.naming.NamingException that is sent from a RACF-enabled LDAP server as an empty result.
- Configuring the OIDC TAI to perform RP-initiated logout
You can configure the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) to log a user out of an OpenID provider when the WebSphere logout is complete.
Three optional custom properties are added to support RP-Initiated Logout:
provider_<id>.endSessionEndpointEnabled
Set this property to true to enable RP-Initiated Logout with the URL that is specified on the provider_<id>.endSessionEndpoint property.
provider_<id>.endSessionRedirectUrl
Set this property to the value for the post_logout_redirect_uri parameter on the request to the end session endpoint on the OP.
provider_<id>.endSessionUseLogoutExitPage
Set this property to true to use the value of the logoutExitPage parameter as the value for the post_logout_redirect_uri parameter.
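As an added example that is not WebSphere's own code, the following Python builds the end session redirect from the three properties above together with provider_<id>.endSessionEndpoint. The property values, the precedence of endSessionUseLogoutExitPage over endSessionRedirectUrl, the refusal of a non-HTTPS endpoint, and the optional id_token_hint parameter are assumptions of this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed OIDC RP TAI properties for one provider entry (illustrative values, not a real cell).
PROVIDER_PROPS = {
    "provider_1.endSessionEndpointEnabled": "true",
    "provider_1.endSessionEndpoint": "https://op.example.test/oidc/endsession",
    "provider_1.endSessionRedirectUrl": "https://app.example.test/loggedout",
    "provider_1.endSessionUseLogoutExitPage": "false",
}

def build_end_session_redirect(props, provider_id, logout_exit_page=None, id_token_hint=None):
    """Return the OP end session URL that the browser is redirected to after the WebSphere
    logout completes, or None when RP-Initiated Logout is not enabled for this provider entry.
    Assumptions of this example: endSessionUseLogoutExitPage takes precedence over
    endSessionRedirectUrl, and id_token_hint is the optional standard parameter of that name."""
    prop = lambda name: props.get(f"provider_{provider_id}.{name}", "")
    if prop("endSessionEndpointEnabled").lower() != "true":
        return None
    endpoint = prop("endSessionEndpoint")
    if not endpoint.lower().startswith("https://"):
        # Policy of this example: the redirect carries the return URL and possibly an ID token,
        # so a missing or non-TLS endpoint is refused instead of sending the browser there.
        return None
    if prop("endSessionUseLogoutExitPage").lower() == "true":
        post_logout = logout_exit_page
    else:
        post_logout = prop("endSessionRedirectUrl")
    params = {}
    if post_logout:
        params["post_logout_redirect_uri"] = post_logout
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    # Keep any query string already configured on the endpoint and append the logout parameters.
    parts = urlsplit(endpoint)
    query = dict(parse_qsl(parts.query))
    query.update(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))
```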
- OpenID Connect Relying Party custom properties
The provider_<id>.endSessionEndpoint property was updated for version 9.0.5.14 and later. Set this property to the value of the end session endpoint for the OpenID provider. When this property is set to a value and the provider_<id>.endSessionEndpointEnabled property is set to true, the TAI redirects logout requests to the configured end session endpoint.
- SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties
The regular expression (~=) and logical OR (||) operators are added to the list of filter property operators that the SAML web single sign-on, OIDC, OAuth, and SAML web inbound TAIs support. The request-uri special input element is valid for the SAML TAI filter property. The IdP SAML TAI custom property useJavaScript is added. When this property is set to true and a request is redirected to an IdP, the TAI uses JavaScript. When JavaScript is not used, any fragments that are present on the original inbound request are lost.
- Configuring Kerberos constrained delegation for outbound SPNEGO tokens in WebSphere Application Server
The Kerberos v5 extension S4U (Service for User), also known as constrained delegation, is supported.
- SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties
Two SAML TAI custom properties are available for version 9.0.5.13 and later: useJavaScript and sso_<id>.sp.useJavaScript. When either of these properties is set to true, the TAI uses JavaScript when a request is redirected to an IdP. When you do not use JavaScript, any fragments that are present on the original inbound request are lost. These properties override the values for the existing redirectToIdPonServerSide and sso_<id>.sp.redirectToIdPonServerSide properties.
The sso_<id>.sp.useRealm property is updated so that you can use the default WebSphere realm name by setting this property to WAS_DEFAULT.
- OpenID Connect (OIDC) trust association interceptor (TAI) supports encrypted JSON Web Tokens (JWT)
Starting in version 9.0.5.13, the OpenID Connect Trust Association Interceptor can process an encrypted JWT. An encrypted JWT can be used with both the traditional OpenID Connect Relying Party and JWT Authentication. Using the OIDC RP allows an encrypted JWT to be the ID token, access token, or both. The following OIDC TAI custom properties are added to support an encrypted JWT:
provider_<id>.keyStore
Specifies the keystore from which to obtain the decrypting key.
provider_<id>.decryptAlias
Specifies the alias of the keyEntry in the keystore that is used to decrypt an encrypted JWT or ID token.
provider_<id>.decryptKeyPassword
Specifies the password for the decrypting key.
- OpenID Connect Relying Party custom properties
Starting in version 9.0.5.13, you can set the value for the provider_<id>.useRealm custom property to WAS_DEFAULT to use the default WebSphere realm name. The default value for the provider_<id>.signatureAlgorithm custom property is now HEADER. When the provider_<id>.discoveryEndpointUrl custom property is included in the OIDC TAI configuration, the provider_<id>.signatureAlgorithm custom property is no longer overridden.
Two optional custom properties are available for version 9.0.5.13 and later: provider_<id>.signatureAllowList and provider_<id>.signatureDenyList. Each property specifies a comma-separated list of signature algorithms that are allowed, or denied, respectively, for securing messages from the OpenID Connect provider. If the provider_<id>.signatureAlgorithm custom property is set to a value other than HEADER, both properties are ignored.
- Optional custom property for OpenID Connect Relying Party TAI
The provider_<id>.revokeEndpointEnabled custom property is added so that the setting for the provider_<id>.revokeEndpointUrl property can be ignored.
- Adding a file-based repository to a federated repositories configuration
You can use the file adapter repository to lock a user account when the user fails to authenticate. Specify the lockout configuration with the administrative console or with the createIdMgrFileRepository or updateIdMgrFileRepository wsadmin commands.
- OpenID Connect Relying Party custom properties
You can use the following OpenID Connect Relying Party custom properties to filter or service requests.
provider_<id>.useIssuer
When this property is set to true, the runtime can use the provider entry to service JSON Web Token (JWT) verification requests by API.
provider_<id>.allowJwtIssuerSelection
When this property is set to true, the runtime filters requests based on the iss claim in the JWT in the Authorization header of the HTTP request.
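The following added Python example (not the product's code) shows how the two properties above work together with the signatureAllowList, signatureDenyList and HEADER behaviour described under the 9.0.5.13 OpenID Connect Relying Party custom properties: a bearer JWT is routed to a provider entry by its iss claim, and the alg in its header is then checked against that entry's algorithm policy before any signature verification would take place. The property values, the issuerIdentifier property name, and the deny-before-allow ordering are assumptions of this example.

```python
import base64
import json

# Constructed OIDC RP TAI properties for two provider entries (illustrative values only);
# issuerIdentifier is assumed to be the property that the iss claim is matched against.
TAI_PROPS = {
    "provider_1.useIssuer": "true",
    "provider_1.allowJwtIssuerSelection": "true",
    "provider_1.issuerIdentifier": "https://op-a.example.test",
    "provider_1.signatureAllowList": "RS256,RS512,ES256",
    "provider_1.signatureDenyList": "none,HS256",
    "provider_2.useIssuer": "true",
    "provider_2.allowJwtIssuerSelection": "true",
    "provider_2.issuerIdentifier": "https://op-b.example.test",
    "provider_2.signatureAlgorithm": "RS256",
}

def make_demo_token(header, claims):
    """Constructed compact JWS with an empty signature segment: enough for routing, never valid."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."

def parse_unverified_jwt(token):
    """Split a compact JWS into (header, claims) WITHOUT verifying it; the result only selects the
    provider entry whose keys must then verify the signature before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    dec = lambda seg: json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    return dec(parts[0]), dec(parts[1])

def select_provider(props, claims):
    """allowJwtIssuerSelection: the first entry (by id) with useIssuer and allowJwtIssuerSelection
    set to true and an issuerIdentifier equal to the iss claim services the request."""
    for pid in sorted({k.split(".")[0] for k in props}):
        get = lambda name: props.get(f"{pid}.{name}", "")
        if (get("useIssuer").lower() == "true" and get("allowJwtIssuerSelection").lower() == "true"
                and get("issuerIdentifier") == claims.get("iss")):
            return pid
    return None

def signature_alg_accepted(props, pid, alg):
    """A fixed signatureAlgorithm must match exactly and both lists are ignored. With HEADER the
    token's alg is used: deny list first, then allow list; an empty allow list means no restriction."""
    configured = props.get(f"{pid}.signatureAlgorithm", "HEADER")
    if configured != "HEADER":
        return alg == configured
    split = lambda name: [a.strip() for a in props.get(f"{pid}.{name}", "").split(",") if a.strip()]
    if alg in split("signatureDenyList"):
        return False
    allow = split("signatureAllowList")
    return not allow or alg in allow

def route_bearer_request(props, authorization_header):
    """Return (provider_id, alg_accepted) for a request carrying a bearer JWT, else (None, False)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None, False
    header, claims = parse_unverified_jwt(authorization_header[len("Bearer "):])
    pid = select_provider(props, claims)
    if pid is None:
        return None, False
    return pid, signature_alg_accepted(props, pid, header.get("alg", ""))
```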
- Configuring the application server and Db2 to authenticate with Kerberos
Use Kerberos credentials to authenticate with Db2 data sources for XA recovery by specifying the Krb5RecoveryPrincipal custom property in your data source configuration.
- Creating a Secure Sockets Layer configuration
You can specify a custom list of protocols for the SSL handshake, rather than a single protocol. Specify the list with Custom protocol list on the console Quality of protection (QoP) settings or with the createSSLConfig or modifySSLConfig wsadmin command.
- Auditable security events
You can set the com.ibm.audit.terse.progname property to true to include the name of the application that is being logged in to or out of in the terse audit record.
- LTPA timeout value for forwarded credentials between servers
Starting in version 9.0.5.8, the range value for LTPA timeouts for forwarded credentials is an integer between 5 and 5265000. The maximum timeout value is 5256000 minutes, the equivalent of 10 years. Prior to version 9.0.5.8, the value is an integer between 5 and 153722867280911.
- Auditable security events
You can add the com.ibm.audit.terse.form.login and com.ibm.audit.terse.form.logout properties to the audit.xml file to audit web logins and logouts in environments where Kerberos or SPNEGO is configured. The events that are enabled are SECURITY_FORM_LOGIN, SECURITY_KERBEROS_LOGIN, SECURITY_SPNEGO_LOGIN, SECURITY_FORM_LOGOUT, SECURITY_KERBEROS_LOGOUT, and SECURITY_SPNEGO_LOGOUT.
- Security custom properties
Use the com.ibm.websphere.security.useOnlyCustomCookieName property to specify that the product looks only for cookies with the names that are specified in the com.ibm.websphere.security.customLTPACookieName and com.ibm.websphere.security.customSSOCookieName custom properties. By default, the server also evaluates the LtpaToken2 and LtpaToken cookies under their default names.
- Support for the product to self-issue SAML tokens that contain an Audience element is available:
  - The Audience SAMLIssuerConfig.properties property is added to SAML Issuer Config Properties.
  - The com.ibm.wsspi.wssecurity.saml.config.issuer.Audience policy bindings property is added to Web services security SAML token custom properties.
- Security custom properties
Use the com.ibm.websphere.ssl.enforceCipherOrder security custom property to specify whether the JVM prefers the client-side cipher suite order or the server-side cipher suite order in an SSL connection.
- Kerberos bind authentication with Generic Security Services API (GSSAPI) is available for stand-alone LDAP servers and LDAP servers in federated repositories. The following topics contain information about the new function:
  - Configure LDAP in a federated repository configuration
  - Lightweight Directory Access Protocol test query utility settings
  - Lightweight Directory Access Protocol repository configuration settings
  - Configure a federated repository or stand-alone LDAP registry using wsadmin
  - Standalone LDAP registry settings
  - Set up Kerberos as the bind authentication mechanism for LDAP
  - SecurityConfigurationCommands command group for the AdminTask object, specifically the configureAdminLDAPUserRegistry and configureAppLDAPUserRegistry commands
  - Kerberos bind authentication troubleshooting tips
- SSLConfigCommands command group for the AdminTask object
Use the -returnAttributes parameter to specify a comma-separated list of SSL configuration attributes that the getSSLConfig command returns.
- Support for the Transport Layer Security (TLS) protocol, version 1.3
In version 9.0.5.6 and later, the TLSv1.3 protocol is added to the list of supported protocols for the SSL or TLS handshake. For more information, see SSL configurations.
- Security custom properties
Use the com.ibm.websphere.security.spnego.includeCustomCacheKeyInSubject security custom property to include a custom cache key in LTPA tokens. When this property is set to true, LTPA tokens that are created from SPNEGO authentication include a custom cache key that is derived from the associated Kerberos credentials. If the server receives an LTPA token with the custom cache key and the authentication cache is empty, the server initiates a new SPNEGO authentication to obtain new Kerberos credentials.
- OpenID Connect Relying Party custom properties
Starting in version 9.0.5.6, you can use the following OpenID Connect Relying Party custom properties:
provider_<id>.accessTokenIsJwt
Set this property to true if the access token that is returned from the OP is a JWT and you want the TAI to validate the JWT.
provider_<id>.endSessionEndpoint
Set this property to the value of the end session endpoint for the OpenID provider so that the OpenID provider can then be accessed with an API.
provider_<id>.introspectClientId
Specifies the clientId to include in requests to the introspection endpoint of the OpenID Provider.
provider_<id>.introspectClientSecret
Specifies the clientSecret to include in requests to the introspection endpoint of the OpenID Provider.
provider_<id>.jwkClientId
Specifies the client identifier to include in the basic authentication scheme of the JWK request.
provider_<id>.jwkClientSecret
Specifies the client password to include in the basic authentication scheme of the JWK request.
The following OpenID Connect Relying Party custom property was updated for version 9.0.5.6 and later:
provider_<id>.filter
The property is updated so that the callback URI from the OP, /callbackServletContext/identifier, is automatically intercepted by the TAI.
- OpenID Connect Relying Party custom properties
The following OpenID Connect Relying Party custom property was updated for version 9.0.5.5 and later:
provider_<id>.setLtpaCookie
The default value is true when the useJwtFromRequest OIDC property is set to required. The default value is false when the useJwtFromRequest OIDC property is set to ifPresent or no.
The following OpenID Connect Relying Party custom property is new for version 9.0.5.5 and later:
provider_<id>.userinfoEndpointEnabled
Set this property to false to ignore the setting for the provider_<id>.userinfoEndpointUrl property during login.
- Certificate support for key usage and SAN extensions
In Version 9.0.5.5 and later, you can configure key usage, extended key usage, and SAN extensions for certificates with commands or with the administrative console. For more information, see creating a self-signed certificate, creating a chained personal certificate in SSL, and creating a certificate authority request.
- com.ibm.websphere.security.addSameSiteAttributeToCookie
Set this custom property to specify the SameSite attribute value for the single sign-on (SSO) associated with a Lightweight Third Party Authentication (LTPA) cookie.
- OpenID Connect Relying Party custom properties
The following new OpenID Connect Relying Party custom properties are available for version 9.0.5.4 and later:
provider_<id>.grantType
Set this property to client_credentials to use the provider entry to obtain an access token from the OpenID Provider token endpoint by using the client_credentials grant type.
provider_<id>.discoveryEndpointUrl
This property specifies the endpoint URL that calls the OpenID Connect Provider discovery endpoint.
provider_<id>.useDiscovery
If this property is set to true and no value is specified for the discoveryEndpointUrl property, the default value for the discoveryEndpointUrl property is used. If this property is set to false, the value for the discoveryEndpointUrl property is ignored.
provider_<id>.useJavaScript
Set this property to false if you do not want to use JavaScript when you redirect to the OpenID Connect Provider for the initial authentication request.
For version 9.0.5.4 and later, a new value is available for the provider_<id>.signatureAlgorithm OpenID Connect Relying Party custom property. You can now specify RS512 as the algorithm that is used to secure messages from the OpenID Connect provider.
- OpenID Connect Relying Party custom properties
Two new OpenID Connect Relying Party custom properties are available for version 9.0.5.3 and later.
provider_<id>.nonceEnabled
When the responseType property is set to code, this property defaults to false. If the responseType property is set to anything other than code, this property is set to true and cannot be altered.
provider_<id>.contentSecurityPolicy
If you want a Content-Security-Policy HTTP header to be included in the initial login request that is sent to your OP, set this property to the value that you want to use for the Content-Security-Policy HTTP header. If your Content-Security-Policy value requires a nonce, you can use the %NONCE% keyword to indicate where the nonce should be placed in the text.
- Security custom properties
Three new Security custom properties are available for version 9.0.5.3 and later.
com.ibm.websphere.security.ior.hostName
An IOR is a CORBA or RMI-IIOP reference that uniquely identifies an object on a remote CORBA server. By default, the product uses an IP address in the IOR instead of a host name. When this custom property is set to true, the product uses a host name in the IOR. The default value is false.
com.ibm.websphere.security.setKrbAuthnToken.if.cacheHit
When this custom property is specified, WebSphere looks for a Kerberos authentication token (KRBAuthnToken) in the cache, even if Kerberos authentication is not enabled. If a KRBAuthnToken exists, this property adds it to the subject. The default value is false.
com.ibm.websphere.security.dumpJaasConfig
This property specifies whether Java Authentication and Authorization Service (JAAS) configuration information is written to the first failure data capture (FFDC) file. The default value is true.
- OpenID Connect Relying Party custom properties
Two new OpenID Connect Relying Party custom properties are available for version 9.0.5.2 and later.
provider_<id>.loginErrorUrl
This property specifies the URL to which the Relying Party redirects when a login error is received from an OpenID Connect Provider.
provider_<id>.sendOpErrorParamsToLoginErrorUrl
When this property is set to true, the Relying Party forwards the error, error description, and error URI parameters that were received from the OpenID Connect Provider to the error URL.
- Security custom properties
A new Security custom property is available for version 9.0.5.2 and later.
com.ibm.websphere.security.audit.includeHostName
This property specifies whether audit records include hostname information. When audit records include remote hostname information, a DNS lookup is required. If DNS lookup is slow, it can take a long time for the server to write audit records. When this property is set to false, audit records include the IP address of the remote host but do not include the remote hostname information.
- IdMgrRepositoryConfig command group for the AdminTask object
New and updated parameters are available for the following IdMgrRepositoryConfig commands:
- Updated hashing algorithm for file and database repositories
The database and file repositories are updated to support the PBKDF2WithHmacSHA1 hashing algorithm, which is now the default for file-based repositories. Key and salt sizes are increased, as is the number of hashing iterations. These parameters are configurable either in the web console or by using wsadmin commands. Previously, file and database repositories defaulted to SHA-1, which is not a sufficiently secure algorithm. These updates for the hashing algorithm are also available on the administrative console.
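As an added illustration that is not the product's implementation, the following Python performs the same PBKDF2WithHmacSHA1 computation beside the legacy unsalted SHA-1 that it replaces, and shows how a stored record can be recognized as due for an upgrade. The iteration count, salt and key sizes, and the record format are assumptions of this example; the page gives none of these values.

```python
import hashlib
import hmac
import os

# Policy values chosen for this example: the page says key and salt sizes and the iteration count
# were increased and are configurable, but does not state them, so these numbers are assumptions.
ITERATIONS = 210_000
SALT_BYTES = 16
KEY_BYTES = 32

def hash_password(password, salt=None, iterations=ITERATIONS, dklen=KEY_BYTES):
    """Return a self-describing record 'pbkdf2-sha1$<iterations>$<salt hex>$<key hex>'.
    hashlib.pbkdf2_hmac('sha1', ...) computes the same function as Java's PBKDF2WithHmacSHA1."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen)
    return f"pbkdf2-sha1${iterations}${salt.hex()}${key.hex()}"

def verify_password(password, record):
    """Recompute with the salt and iteration count stored in the record; compare in constant time."""
    scheme, iterations, salt_hex, key_hex = record.split("$")
    if scheme != "pbkdf2-sha1":
        raise ValueError("unsupported record format")
    expected = bytes.fromhex(key_hex)
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), bytes.fromhex(salt_hex),
                              int(iterations), len(expected))
    return hmac.compare_digest(key, expected)

def legacy_sha1(password):
    """The previous default: a single unsalted SHA-1. Equal passwords give equal digests for every
    user, and one precomputed table covers the whole repository, which is why it was replaced."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def needs_rehash(record, iterations=ITERATIONS):
    """True for a legacy SHA-1 digest or a PBKDF2 record below the current iteration policy, so the
    stored value can be upgraded transparently at the user's next successful login."""
    if not record.startswith("pbkdf2-sha1$"):
        return True
    return int(record.split("$")[1]) < iterations
```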