Troubleshooting
Problem
The IBM WebSphere Application Server profile in which IBM Rational ClearQuest Web is deployed contains sample testing and debugging scripts and sample applications. Some of them disclose information such as file system paths and product versions. Remove these samples from a production environment so that an attacker cannot use the information they reveal to plan attacks against the host.
Symptom
There are no adverse symptoms apparent to ClearQuest users.
Cause
The IBM Installation Manager deploys ClearQuest Web into the WebSphere Application Server profile by using a WebSphere Application Server default template. The default template places some sample testing and debugging scripts and sample applications on the server.
Diagnosing The Problem
The following sample scripts and applications might be included in your WebSphere Application Server profile for ClearQuest Web. These scripts might also be referenced in the plugin-cfg.xml file for IBM HTTP Server (IHS) and WebSphere Application Server:
https://<server>/snoop
https://<server>/hello
https://<server>/ivt/
https://<server>/hitcount
https://<server>/HitCount.jsp
https://<server>/HelloHTMLError.jsp
https://<server>/HelloHTML.jsp
https://<server>/HelloVXMLError.jsp
https://<server>/HelloVXML.jsp
https://<server>/HelloWMLError.jsp
https://<server>/HelloWML.jsp
https://<server>/cqweb/j_security_check
Note: The http protocol might be referenced in the plugin-cfg.xml file instead of https, as specified above.
Resolving The Problem
Depending on your business and security requirements, the following configuration changes might be appropriate to remove, disable, or hide the sample scripts and applications that are included with the WebSphere Application Server default template.
Option 1
Procedure
1. Log on to the WebSphere Application Server administrative console for the profile associated with ClearQuest Web. The default location of the console is:
   http://localhost:12060/ibm/console
2. Click Applications > Application Types > WebSphere enterprise applications.
3. Select the check box in the Select column beside DefaultApplication.
   Important: A green arrow indicates that the application is running. An application that is not running is indicated by a red 'X' icon.
4. Click Stop to simulate what will happen if you remove this web application.
5. Verify that the DefaultApplication stopped by attempting to access each script specified in the plugin-cfg.xml file. This shows how the server will behave once the DefaultApplication is removed.
6. If satisfied, repeat Steps 1-4, but in Step 4 click Uninstall instead of Stop. Repeat Step 5 to verify that the DefaultApplication is no longer served.
Note: You might need to repeat this procedure each time after upgrading ClearQuest Web.
Result
The DefaultApplication is removed.
Option 2
Procedure
1. Log on to the WebSphere Application Server administrative console for the profile associated with ClearQuest Web. The default location of the console is:
   http://localhost:12060/ibm/console
2. Click Applications > Application Types > WebSphere enterprise applications.
3. Click DefaultApplication.
4. In the "Web Module Properties" section, click Context Root For Web Modules.
5. In the Context Root text box, change the value of '/' (a single forward slash) to a longer string, for example /inaccessible, /unplugged or /un1qu3_p4th, retaining the initial forward slash '/' character.
   Important: Select a unique name for the context root. For security purposes, be sure to specify a non-intuitive path; anyone who can reach the application server port directly and guesses this path can still reach the sample applications.
6. Click OK. On the next screen, click Save.
7. Restart the WebSphere Application Server profile.
Result
ClearQuest Web continues to work. However, the scripts hosted by the DefaultApplication are no longer reachable through IHS on port 80. For example, if you specify /inaccessible in the Context Root text box in Step 5 above, the following sample scripts and applications fail with a 404 not found error:
http://localhost/hitcount
http://localhost/hello
http://localhost/inaccessible/hitcount
http://localhost/inaccessible/hello
The next URLs, which bypass IHS and connect directly to the WebSphere Application Server port, fail as well, with the error "SRVE0255E: A WebGroup/Virtual Host to handle /fail/hitcount has not been defined.":
http://localhost:12080/hitcount
http://localhost:12080/hello
However, the following URLs continue to work for anyone who can reach port 12080 directly and who knows or guesses the context root (inaccessible in this example):
http://localhost:12080/inaccessible/hitcount
http://localhost:12080/inaccessible/hello
Important: Option 2 hides the sample applications; it does not remove them. To properly firewall your server, ensure that only port 80 and SSL port 443 are directly accessible. Do not allow direct access to WebSphere Application Server port 12080. If the samples must be gone rather than hidden, use Option 1.
Note: This issue was identified as a product defect, logged under APAR PM66896, and fixed in Rational ClearQuest Fix Pack 4 (8.0.0.4) for 8.0. Upgrading from ClearQuest V8.0.0.x to V8.0.0.4 does not by itself resolve the issue, because a new profile is not created during an upgrade.
- If you perform the steps described in Option 1 or Option 2 to remove the DefaultApplication scripts in ClearQuest V8.0.0.x, and then upgrade to V8.0.0.4, the DefaultApplication scripts remain uninstalled.
- If you upgrade from ClearQuest V8.0.0.x to V8.0.0.4 without removing the DefaultApplication scripts, and then uninstall and reinstall the ClearQuest Web component, the issue is resolved because the reinstall creates a new profile.
Document Information
Modified date:
16 June 2018
UID
swg21599361