Overview

WebSphere® Automation helps you manage the security and health of WebSphere Application Server and WebSphere Application Server Liberty installations, including those that are embedded in some IBM products. WebSphere Automation detects unresolved security vulnerabilities that affect your servers, facilitates the application of security fixes, and aids in resolving memory leaks in applications that may occur on your servers.

By using the automated, dynamically updated security vulnerability information, server administrators can more easily plan and conduct their response to vulnerabilities and no longer need to manually evaluate security bulletins for relevance or applicability. By using the automatic memory leak diagnostic capability, server administrators are freed from having to take action to collect diagnostics from servers with memory leaks and from taking further diagnostic steps to analyze the cause of memory leaks.

The following figure is a reference architectural diagram of WebSphere Automation. It shows data center network and corporate network configurations.
Figure 1. Reference architecture of WebSphere Automation

The following figure is an architectural diagram of WebSphere Automation security components. It shows how the CVE/PSIRT monitor, vulnerability manager, fix manager, and Installation Manager interact. They interact to assess and fix the levels of exposure for WebSphere Application Server and WebSphere Application Server Liberty servers and for health components. The figure shows how the investigation manager, runbook manager, and analysis manager interact to react to detected memory leaks for WebSphere Application Server and WebSphere Application Server Liberty servers.

Figure 2. Architectural diagram of WebSphere Automation security components

WebSphere Automation installs on Red Hat® OpenShift® Container Platform. It uses the default installation of IBM Cloud Pak foundational services in the ibm-common-services namespace if it exists. If that namespace does not exist, the WebSphere Automation installation triggers the default installation of IBM Cloud Pak foundational services in the ibm-common-services namespace.

How security works

WebSphere administrators register their WebSphere Application Server or WebSphere Application Server Liberty servers with WebSphere Automation. The WebSphere Automation vulnerability manager assesses the security compliance status of each server. Common vulnerabilities and exposures (CVEs) for each server are displayed in the WebSphere Automation UI in an interactive list, and each server is assigned a risk level. Administrators can learn more about the pertinent CVEs, plan their response, and apply the required security fixes to their managed servers by using the WebSphere Automation UI.

When the IBM Product Security Incident Response Team (PSIRT) publishes new or updated security bulletins, the WebSphere Automation CVE/PSIRT monitor detects them and collects the data about the CVEs from the bulletins. The WebSphere Automation vulnerability manager checks the applicability of the new CVEs to the registered servers. If exposures are found, the WebSphere Automation vulnerability notifier sends email notifications that new vulnerabilities exist to a customizable list of addresses.

After defining an exposure mitigation plan, administrators then use the WebSphere Automation UI to select published fix packs or interim fixes to repair vulnerabilities. During the fix installation process, WebSphere Automation requests the selected fix from IBM Fix Central, stores it in the Kafka data store, and then installs it on the indicated server.

How health works

WebSphere administrators register their WebSphere Application Server or WebSphere Application Server Liberty servers with WebSphere Automation. They also set up SSH or WinRM connectivity between their WebSphere Automation system and the WebSphere Application Server and WebSphere Application Server Liberty servers to enable automated collection of diagnostics.

An Instana monitoring system is set up to monitor WebSphere Application Server or WebSphere Application Server Liberty servers. The Instana administrator configures Instana to send alerts to the WebSphere Automation webhook API whenever a memory leak is detected. Additionally, a WebSphere administrator can initiate a memory analysis of a server at any time by using the WebSphere Automation user interface.

When the WebSphere Automation webhook API is invoked to report a memory leak, the WebSphere Automation investigation manager opens a new investigation, and notifications are sent. The investigation manager uses the runbook manager to gather a heap dump from the server with the memory leak. The investigation manager then uses the analysis manager to analyze the collected files. When the analysis is complete, administrators can view information about leak suspects in the WebSphere Automation UI. From the UI, administrators can download any or all of the files from the investigation to share with application owners. Application owners can use this information to fix memory leaks in their applications.

Component overview (security)

IBM Support, PSIRT, and security bulletins
The IBM Product Security Incident Response Team (PSIRT) publishes security bulletins to communicate the mitigation details of disclosed common vulnerabilities and exposures (CVEs) that affect IBM offerings. The CVE/PSIRT monitor in WebSphere Automation regularly checks for new or updated security bulletins for WebSphere Application Server and WebSphere Application Server Liberty at ibm.com. If new or changed bulletins exist, WebSphere Automation retrieves them and populates a local database with the pertinent details of any new CVEs in those bulletins.

A security bulletin is a structured document that details the type of vulnerability and its potential impact. For more information about IBM security bulletins, see IBM Security Bulletins. For a list of security bulletins for WebSphere Application Server and IBM HTTP Server, see WebSphere Application Server and IBM HTTP Server Security Bulletin List.

Each CVE is scored according to the industry standard Common Vulnerability Scoring System (CVSS), a numerical representation of the risk level of the vulnerability on a scale of 0 to 10. The CVSS standard is maintained by the CVSS-SIG (Special Interest Group) of the Forum of Incident Response and Security Teams (FIRST). For more information, see https://www.first.org/cvss/.

CVE/PSIRT monitor
By default, the monitor accesses the WebSphere Application Server and IBM HTTP Server Security Bulletin List on an hourly basis to check for new or updated security bulletins. When one is detected, the details are retrieved from the published information and stored in a local database.
Note: In an air-gapped environment, the CVE/PSIRT monitor is unable to communicate with the WebSphere Application Server and IBM HTTP Server Security Bulletin List. In this case, WebSphere Automation evaluates your servers by using the installed CVE data.
Vulnerability manager
The WebSphere Automation vulnerability manager compares information about the registered servers against the applicability data for the common vulnerabilities and exposures (CVEs) in its database. WebSphere Automation tabulates and displays the security status of the servers to help administrators understand the vulnerabilities or exposures that affect their servers.

When new server data or new CVE data becomes available, the vulnerability manager compares the information that it has for each server against the information it knows about the CVE. If it determines that a CVE affects a registered server, the server is declared to have a security risk. Notifications can be configured for such events, and this vulnerability is displayed in the WebSphere Automation UI.

Because WebSphere Automation uses the usage metering feature to collect data about servers, no active scanning or penetration testing occurs. Therefore, registering a server for vulnerability tracking does not impact the performance of that server.
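The applicability check described above, as an added illustrative model (not WebSphere Automation's own code or data format, both of which are assumed here): each registered server's level is compared against the affected version ranges of each CVE, bulletins created before 2018 are skipped as the page states, the minimum manageable levels listed under "Component overview (common)" gate registration, and the server's risk level is derived from its highest applicable CVSS score using the CVSS v3.x qualitative bands (an assumption about how the UI labels risk).

```python
from datetime import date
# Illustrative model only; the data layout is assumed, not WebSphere Automation's format.
BULLETIN_CUTOFF = date(2018, 1, 1)  # bulletins created before 2018 are not evaluated
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def is_manageable(product, version):
    """Only levels that ship the usage metering feature can be registered."""
    v = parse_version(version)
    if product == "liberty":
        return v >= (18, 0, 0, 3)
    # traditional WAS has two service streams; compare within the same release
    return any(v[0] == m[0] and v >= m for m in ((8, 5, 5, 15), (9, 0, 0, 9)))

def cve_applies(cve, product, version):
    """True if the bulletin is evaluated and the server level is in an affected range."""
    if cve["published"] < BULLETIN_CUTOFF:
        return False
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in cve["affected"].get(product, []))

def risk_level(score):
    """CVSS v3.x qualitative bands (assumed mapping to the UI's risk level)."""
    return next((label for floor, label in SEVERITY_BANDS if score >= floor), "None")

def assess(servers, cves):
    """Return {server name: (risk level, sorted ids of applicable CVEs)}."""
    report = {}
    for name, product, version in servers:
        if not is_manageable(product, version):
            report[name] = ("Unmanaged", [])
            continue
        hits = [c for c in cves if cve_applies(c, product, version)]
        top = max((c["cvss"] for c in hits), default=0.0)
        report[name] = (risk_level(top), sorted(c["id"] for c in hits))
    return report

# Constructed sample data; the CVE ids are placeholders, not real bulletins.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "published": date(2021, 3, 1),
     "affected": {"traditional": [("9.0.0.0", "9.0.5.8"), ("8.5.0.0", "8.5.5.20")],
                  "liberty": [("18.0.0.3", "21.0.0.3")]}},
    {"id": "CVE-0000-0002", "cvss": 5.3, "published": date(2017, 6, 1),  # pre-2018: skipped
     "affected": {"traditional": [("9.0.0.0", "9.0.0.9")]}},
    {"id": "CVE-0000-0003", "cvss": 6.5, "published": date(2020, 1, 15),
     "affected": {"liberty": [("19.0.0.1", "20.0.0.6")]}},
]
SAMPLE_SERVERS = [("prod-was9", "traditional", "9.0.5.6"), ("prod-was85", "traditional", "8.5.5.21"),
                  ("liberty-a", "liberty", "20.0.0.3"), ("legacy", "traditional", "9.0.0.5")]
```

Calling `assess(SAMPLE_SERVERS, SAMPLE_CVES)` reports the two servers inside an affected range as Critical, the patched 8.5.5.21 server as clean, and the 9.0.0.5 server as unmanageable because it predates the usage metering feature.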

Fix manager
The WebSphere Automation fix manager uses credentials that you provide to access IBM Fix Central to request fixes. Fixes are fetched and stored in the file storage that is defined for the websphereSecure custom resource. The fix manager manages the storage space according to frequency of use, deleting older fixes to make room for more recently requested fixes.
Installation manager
The WebSphere Automation installation manager communicates with the registered server by using the administrator privileges that you provide. When you initiate the installation of a fix, the installation manager ensures that the target server has sufficient space for the fix, transfers the fix to the target server, installs the fix, and creates a log file of the steps taken. If you request a backup of the server environment as part of the fix installation, the installation manager checks for sufficient disk space on the server, and creates an archive of the Installation Manager, Installation Manager data, and WebSphere Application Server or WebSphere Application Server Liberty server installation directories.

Component overview (health)

Webhook API
The Webhook API receives memory leak notifications from an Instana monitoring system and triggers the investigation manager to start a memory leak investigation.
Investigation manager
When triggered by the webhook API, the investigation manager initiates an investigation. The investigation manager directs the runbook manager to run a runbook to collect identity information about the server with the suspected memory leak. If the server registration processor is aware of the server, the investigation manager directs the runbook manager to collect a heap dump from that server. The investigation manager then directs the analysis manager to run a diagnostic tool that processes the heap dump to obtain details about the memory leak. The progress and results of investigations are displayed in the WebSphere Automation UI. Notifications are sent to indicate when an investigation starts or completes.
Runbook manager
The runbook manager is responsible for running runbooks on WebSphere Application Server or WebSphere Application Server Liberty systems to gather information and diagnostics required to help investigate problems. The runbook manager starts runbook jobs, which use Ansible playbooks to automate remote data gathering. Ansible communicates securely with your servers by using SSH or WinRM.
Analysis manager
The analysis manager is responsible for analyzing collected diagnostic files. For memory leaks, the analysis manager starts analysis jobs, which in turn start a memory analysis tool to analyze the heap dump and provide details about memory leak suspects.

Component overview (common)

WebSphere Application Server, WebSphere Application Server Liberty, and the server registration processor

WebSphere Automation uses the usage metering feature within WebSphere Application Server and WebSphere Application Server Liberty to collect data about the servers you want to monitor so that their vulnerability status or health status can be assessed. The usage metering feature must be manually configured on each server to be managed so that it can communicate with WebSphere Automation. The usage metering feature is a supported, stabilized component of WebSphere Application Server and WebSphere Application Server Liberty for use with WebSphere Automation. It was previously used with the now removed metering service in IBM Cloud Private. Stabilization of the feature supersedes any mention of its deprecation in the documentation for WebSphere Application Server or WebSphere Application Server Liberty.

WebSphere Automation cannot communicate with servers that do not have this feature. Because of this limitation and the date that the usage metering feature was released, WebSphere Automation does not evaluate security bulletins that were created before 2018. The following application servers can be managed:
  • WebSphere Application Server (all editions) 8.5.5.15 and later
  • WebSphere Application Server (all editions) 9.0.0.9 and later
  • WebSphere Application Server Liberty (all editions) 18.0.0.3 and later

As service updates or new versions of WebSphere software are installed, the security status of the server inventory is updated.

Notifier
The notifier can send emails to a list of email addresses when security vulnerabilities or memory leaks are discovered, when security fixes are applied, or when a memory leak investigation is completed. For the standard email notifications, administrators use the WebSphere Automation UI to configure an SMTP server and define a list of email addresses to receive these notifications. The email contains relevant information, such as the CVSS score of the CVE for a vulnerability notification, but does not contain sensitive information. The email also contains a link to the corresponding page in the UI. Users with appropriate privileges can then log in to the WebSphere Automation UI for more information about the vulnerability or memory leak.

Starting with WebSphere Automation 1.6.2, an administrator can customize notifications for certain events that occur in WebSphere Automation. Events that can be set up to trigger notifications include creating, updating, or deleting an action, asset, bulletin, fix, installation, investigation, or vulnerability. The notifier can now invoke webhooks in addition to sending emails. Email notifications currently have limited customization options.

WebSphere Automation UI and API
WebSphere Automation is based on the IBM Cloud Pak foundational services. Therefore, the WebSphere Automation UI is integrated into the IBM Cloud Pak foundational services UI and is accessible by using a browser. The WebSphere Automation UI displays interactive lists of registered servers with security vulnerabilities and the specific CVE data. Data can also be exported in CSV format. The WebSphere Automation UI also displays lists of memory leak investigations. The UI uses the API to retrieve data.
IBM Cloud Pak foundational services
WebSphere Automation is based on the IBM Cloud Pak foundational services. WebSphere Automation uses Apache Kafka for data streaming and event processing, and the IBM Cloud Pak foundational services Identity Access Management (IAM) feature for connecting to a user registry (LDAP). For more information, see the documentation for IBM Cloud Pak foundational services.