Concerns on SSL config within Websphere Application Server - websphere

I'm kind of confused with the SSL settings within WebSphere Application Server.
As you can see from the attached picture, the Default SSL setting has been done both in cell and node scope. Below are my questions:
Is either inbound or outbound data through WebSphere transferred via SSL according to the setting?
Is the above SSL setting enabled by default? If not, then how do I enable it?
Regarding the KeyStore or TrustStore configuration, I can see it refers to a path like
${CONFIG_ROOT}/cells/localhostCell01/key.p12
However, I cannot find this variable CONFIG_ROOT within WebSphere Variables through the Admin Console. Does it mean that SSL is disabled by default, so it's OK for this variable to have no value?
Thanks in advance

Please see the WebSphere Security Redbook chapter 4 for details - http://www.redbooks.ibm.com/redbooks/pdfs/sg246316.pdf CONFIG_ROOT is a substitution variable, so you should be fine - http://publib.boulder.ibm.com/infocenter/iadthelp/v6r0/index.jsp?topic=/com.ibm.ws.ast.st.v6.doc/topics/tsubvarv6.html. You can test which certificates are enabled using openssl from the command line - http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/

Related

Enable HTTPS in Sonarqube with keystore

I need to enable HTTPS in SonarQube. I already have a keystore (JKS file), but I don't know how to do this operation.
Thanks!
You need to install a reverse proxy with proper TLS configuration.
Here is some information:
https://docs.sonarqube.org/display/SONAR/Securing+the+Server+Behind+a+Proxy
It might be possible for you to configure it according to "Running SonarQube 5.2 Over HTTPS". Please take note of the known limitations:
Because Tomcat is embedded in SonarQube in a "black box" mode, only few Tomcat parameters can be customised
Otherwise it will be necessary to "Secure the Server Behind a Proxy". In that case:
The reverse proxy must be configured to set the value "X_FORWARDED_PROTO: https" in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP.
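To make the "falls back on HTTP" limitation concrete, here is an added example (my code, not SonarQube's or Tomcat's) of how an application behind a reverse proxy typically decides the scheme of an absolute redirect URL. It honours the forwarded scheme only when the request actually arrived from the trusted proxy, because any client can send that header directly; the hostname sonar.example.test and the flag name from_trusted_proxy are constructed for the example. The header name is compared case-insensitively and both the X-Forwarded-Proto and X_FORWARDED_PROTO spellings are accepted.

```python
"""Redirect-scheme selection behind a reverse proxy (added example, not
SonarQube/Tomcat code).  Mirrors the failure mode in the answer above: with no
forwarded scheme the application assumes plain http for its redirects."""


def _norm(name: str) -> str:
    # Header names are case-insensitive; treat "_" and "-" spellings alike.
    return name.lower().replace("_", "-")


def redirect_location(headers: dict, host: str, path: str, from_trusted_proxy: bool) -> str:
    """Absolute URL the application would put in a Location header for `path`.

    The X-Forwarded-Proto value is trusted only when the request came from the
    proxy we control; otherwise a client could forge it.  A comma-separated
    chain (proxy behind proxy) is resolved to its first, client-facing, value.
    """
    h = {_norm(k): v for k, v in headers.items()}
    scheme = "http"  # the fallback the quoted limitation warns about
    if from_trusted_proxy:
        forwarded = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if forwarded in ("http", "https"):
            scheme = forwarded
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    # Constructed requests: without the header the redirect drops to http.
    print(redirect_location({}, "sonar.example.test", "/sessions/new", True))
    print(redirect_location({"X_FORWARDED_PROTO": "https"}, "sonar.example.test", "/sessions/new", True))
```

A browser that reached the proxy over https and is then redirected to an http URL either gets a mixed-content failure or silently downgrades its session, which is why the proxy, not the client, must be the only party allowed to set this header.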

Is it possible to configure SPNEGO irrespective of fully qualified host name

I have configured SPNEGO for WebSphere and currently SPNEGO is working fine for the fully qualified hostname, say appserver.robo.com. I want a SPNEGO configuration which can work for both appserver.robo.com/productName as well as appserver/productName.
Is such a configuration possible?
Yes, it is possible. Make sure your keytab and SPNEGO configuration are for the real hostname, and then enable the "Use the alias host name for the application server" setting in the SPNEGO web authentication enablement (https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/usec_kerb_SPNEGO_config.html).
Also make sure that both names are correctly recognized by the browser as Local Intranet or Trusted Sites and enabled for integrated authentication.
The other option is to create several keytabs and merge them, but it is not recommended, as discussed here: https://www.ibm.com/developerworks/websphere/library/techarticles/0809_lansche/0809_lansche.html

Unable to add SSL support for database

I am using Spring 3, Hibernate 4 and PostgreSQL 9.2.
To enable the SSL database connection, I followed these steps:
Creating a self-signed certificate, refer to: http://www.postgresql.org/docs/9.2/static/ssl-tcp.html#SSL-CERTIFICATE-CREATION
Copied the generated server.crt and server.key into the postgres/9.2/data folder.
URL for the Hibernate connection: jdbc:postgresql://localhost:5432/DB_NAME?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
After restarting PostgreSQL I run my application and it gives this error:
org.postgresql.util.PSQLException: The server does not support SSL.
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:307)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:105)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:65)
at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:140)
at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:29)
at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:21)
at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:31)
at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:23)
at org.postgresql.Driver.makeConnection(Driver.java:393)
at org.postgresql.Driver.connect(Driver.java:267)
I even tried adding this line at the end of the pg_hba.conf file, but PostgreSQL does not restart:
hostssl all all 127.0.0.1/32 trust
EDIT
This is for other folks who receive this error or want to add a database SSL connection:
I added ssl = true and uncommented the SSL-related entries in postgresql.conf and it worked. :)
The root of your problem appears to be that your server does not support SSL or does not have it enabled. The message:
The server does not support SSL
may only be emitted by org/postgresql/core/v3/ConnectionFactoryImpl.java in enableSSL(...) when the server refuses or doesn't understand SSL requests.
Sure enough, in your update you say that you had the SSL-related options in postgresql.conf commented out. To the server, their being commented out is the same as their not being there at all; it will ignore them. This will cause the server to say it doesn't support SSL and refuse SSL connections, because it doesn't know what server certificate to send. PgJDBC will report the error above when this happens.
When you uncommented the SSL options in postgresql.conf and restarted the server, it started working.
You were probably confused by the fact that:
&ssl
&ssl=true
&ssl=false
all do the same thing: they enable SSL. Yes, that's kind of crazy. It's like that for historical reasons that we're stuck with, but it's clearly documented in the JDBC driver parameter reference:
ssl
Connect using SSL. The driver must have been compiled with SSL support. This property does not need a value associated with it. The mere presence of it specifies a SSL connection. However, for compatibility with future versions, the value "true" is preferred. For more information see Chapter 4, Using SSL.
As you can see, you should still write ssl=true since this may change in the future.
Reading the server configuration and client configuration sections of the manual will help you with setting up the certificates and installing the certificate in your local certificate list so you don't have to disable certificate trust checking.
For anyone else with this problem: There will be more details in your PostgreSQL error logs, but my guess is your PostgreSQL config isn't right or you're using a hand-compiled PostgreSQL and you didn't compile it with SSL support.
If you are using a self-signed certificate you need to add it to your trusted key store of your Java installation on the client side.
You find the detailed instructions to achieve this here: telling java to accept self-signed ssl certificate
In your connection string, try
?sslmode=require
instead of
?ssl=true
Use the param sslmode=disable. Works for me. PostgreSQL 9.5 with the JDBC driver SlickPostgresDriver.
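The thread above has two halves: the server side (postgresql.conf with the SSL entries commented out, which the server treats as absent) and the client side (what the ssl, sslfactory and sslmode URL parameters actually ask for). The following added example, my code rather than anything from PostgreSQL or pgjdbc, checks both. The server check parses a postgresql.conf fragment and reports whether SSL is on, ignoring commented-out lines and using the 9.2 defaults server.crt and server.key for the certificate and key file names. The client check applies the rule quoted from the driver reference (any ssl parameter, whatever its value, requests SSL), recognises the sslmode values disable, allow, prefer, require, verify-ca and verify-full, and flags org.postgresql.ssl.NonValidatingFactory, which switches certificate verification off entirely. It assumes that an explicit sslmode takes precedence over the ssl flag when both are present, and that no quoted postgresql.conf value contains a '#'. The configuration fragments in the test are constructed.

```python
"""Server- and client-side SSL posture checks for the PostgreSQL problem in
this thread.  Added example; not PostgreSQL or pgjdbc code.  The client rules
follow the driver documentation quoted in the answer above; check the
behaviour of the exact driver version you deploy."""
import re
from urllib.parse import parse_qs, urlsplit

# "name = value" or "name value"; the '=' is optional in postgresql.conf.
_CONF_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=?\s*(.*?)\s*$")
_TRUE = {"on", "true", "yes", "1"}
_NO_VERIFY_FACTORY = "org.postgresql.ssl.NonValidatingFactory"


def parse_postgresql_conf(text: str) -> dict:
    """Return {name: value} for the active settings only.

    A line such as "#ssl = on" is a comment and therefore absent, which is
    exactly why the server in this thread answered that it had no SSL.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # assumption: no '#' inside quoted values
        m = _CONF_LINE.match(line)
        if not m or not m.group(2):
            continue
        settings[m.group(1).lower()] = m.group(2).strip("'\"")
    return settings


def server_ssl_status(conf_text: str) -> dict:
    """Does this postgresql.conf enable SSL, and which files must be in the data dir?"""
    s = parse_postgresql_conf(conf_text)
    ssl_on = s.get("ssl", "off").lower() in _TRUE
    problems = []
    if not ssl_on:
        problems.append("ssl is off or commented out; the server refuses SSL requests "
                        "and pgjdbc reports 'The server does not support SSL'")
    return {
        "ssl_on": ssl_on,
        "cert_file": s.get("ssl_cert_file", "server.crt"),  # 9.2 defaults, relative to the data dir
        "key_file": s.get("ssl_key_file", "server.key"),
        "problems": problems,
    }


def client_ssl_posture(jdbc_url: str) -> dict:
    """Classify a pgjdbc URL: tls is 'required', 'opportunistic' or 'off'."""
    url = jdbc_url[5:] if jdbc_url.lower().startswith("jdbc:") else jdbc_url
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k.lower(): v[-1] for k, v in query.items()}
    notes, tls, verify = [], "off", False

    if "sslmode" in params:  # assumption: explicit sslmode wins over the ssl flag
        mode = params["sslmode"].lower()
        if mode == "disable":
            notes.append("sslmode=disable: traffic is plaintext")
        elif mode in ("allow", "prefer"):
            tls = "opportunistic"
            notes.append(f"sslmode={mode}: silently falls back to plaintext if the server has no SSL")
        elif mode == "require":
            tls = "required"
            notes.append("sslmode=require: encrypted, but the server certificate is not verified")
        elif mode in ("verify-ca", "verify-full"):
            tls, verify = "required", True
            if mode == "verify-ca":
                notes.append("verify-ca checks the chain but not the hostname")
        else:
            notes.append(f"unknown sslmode {mode!r}")
    elif "ssl" in params:
        # The quoted rule: presence alone requests SSL, so "ssl", "ssl=true"
        # and "ssl=false" all mean the same thing.  Verification then depends
        # on the JVM trust store unless a non-validating factory is named.
        tls, verify = "required", True
        if params["ssl"].lower() != "true":
            notes.append("write ssl=true; other spellings rely on the mere-presence rule")

    if tls != "off" and params.get("sslfactory") == _NO_VERIFY_FACTORY:
        verify = False
        notes.append("NonValidatingFactory: certificate checking disabled; import the server "
                     "certificate into the Java trust store instead")
    return {"tls": tls, "verify_cert": verify, "notes": notes}


if __name__ == "__main__":
    # Constructed fragments: the "before" and "after" of the question's EDIT.
    print(server_ssl_status("#ssl = on\nport = 5432\n"))
    print(server_ssl_status("ssl = true\nssl_cert_file = 'server.crt'\nssl_key_file = 'server.key'\n"))
    print(client_ssl_posture("jdbc:postgresql://localhost:5432/DB_NAME"
                             "?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory"))
```

Run against the URL from the question, the client check reports TLS required but no certificate verification, which is the state the accepted answer recommends leaving once the server certificate is in the client's trust store; run against sslmode=disable, it reports plaintext, which is what the last answer's workaround trades away.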

Websphere CWWIM6004E

I am trying to start an application in WebSphere 8, and keep on getting the following error.
From the message, it means we are missing the bindPassword, but we never had to define it in WAS 6.1.
Currently we are using a Standalone LDAP registry. Does anyone have any idea where I should start looking to fix this error?
UserManagemen E com.ibm.ws.wim.management.UserManagementProcess handleNo
tification CWWIM6004E Initialization of the dynamic reload manager failed.
com.ibm.websphere.wim.exception.MissingInitPropertyException: CWWIM0004E The initialization property 'bindPassword' is missing from the configuration.
at com.ibm.ws.wim.adapter.ldap.LdapConnection.initializeEnvironmentProperties(LdapConnection.java:1947)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.initializeServers(LdapConnection.java:1904)
at com.ibm.ws.wim.adapter.ldap.LdapConnection.initialize(LdapConnection.java:1832)
at com.ibm.ws.wim.adapter.ldap.LdapAdapter.initialize(LdapAdapter.java:235)
at com.ibm.ws.wim.RepositoryManager.initialize(RepositoryManager.java:610)
at com.ibm.ws.wim.RepositoryManager.<init>(RepositoryManager.java:131)
Regarding ".... never have to define in WAS 6.1":
The requirement for an LDAP bind password is enforced by the LDAP server; this is not a WAS requirement.
If in fact you didn't define it in WAS v6.1, the LDAP server in use for WAS v6.1 didn't require it.
Based on the error, you've either changed LDAP servers or the LDAP server configuration has changed (or both).
As mentioned in the other post, you can troubleshoot this using a tool like ldapsearch.
The technote at http://www-01.ibm.com/support/docview.wss?uid=swg21470063 discusses obtaining "must gather" data and troubleshooting these types of issues (refer to the "collecting data manually" section).
You must check your LDAP connection to the LDAP server.
Use the IBM WebSphere Console, Security settings, LDAP, and take note of the LDAP connection settings.
Use a tool like ldapsearch in order to check the connection via the shell command line.
It is possible that the bind password is not correct.
If you are using a Novell eDirectory server you must pay special attention to the bind user creation (password field).
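Both answers above say to verify the bind from the command line with ldapsearch before touching the WAS registry settings. The added example below (my code, not IBM's or OpenLDAP's) builds that probe with the OpenLDAP ldapsearch client and turns its exit status into a diagnosis: OpenLDAP clients exit with the LDAP result code of the operation that failed, so 49 (invalidCredentials) points at the bindPassword from the CWWIM0004E message, 32 at the base DN, and so on. The password is read from a file with -y rather than passed on the command line, so it never shows up in process listings or shell history, and -ZZ insists on StartTLS so the simple bind is not sent in the clear. The URI, bind DN, base DN and password-file path are constructed placeholders; the exit-status mapping covers the common codes, not the full RFC 4511 list.

```python
"""ldapsearch bind probe with exit-status interpretation (added example; not
IBM or OpenLDAP code).  Assumes the OpenLDAP ldapsearch client is installed."""
import subprocess

# OpenLDAP command-line clients exit with the LDAP result code of the failed
# operation.  -1 ("Can't contact LDAP server") appears as 255 in a shell.
LDAP_RESULT = {
    0: "success: bind DN and password accepted",
    32: "noSuchObject: the base DN does not exist on this server",
    34: "invalidDNSyntax: check the spelling of the bind DN or base DN",
    48: "inappropriateAuthentication: server refuses this bind method (empty password?)",
    49: "invalidCredentials: bind DN or bindPassword is wrong",
    50: "insufficientAccessRights: bound OK, but not allowed to read this subtree",
    53: "unwillingToPerform: server policy rejected the request (e.g. simple bind without TLS)",
    255: "can't contact LDAP server: host, port, firewall or TLS handshake problem",
}


def build_ldapsearch_argv(uri: str, bind_dn: str, password_file: str, base_dn: str,
                          start_tls: bool = True) -> list:
    """Compose the probe command.

    -x  simple bind; -LLL terse LDIF output; -y read the password from a file
    (never from argv); -s base with filter (objectClass=*) and attribute list
    "1.1" asks for the base entry only, without any attributes, which is the
    cheapest request that still proves the bind and the base DN.
    """
    argv = ["ldapsearch", "-x", "-LLL", "-H", uri, "-D", bind_dn, "-y", password_file,
            "-b", base_dn, "-s", "base", "(objectClass=*)", "1.1"]
    if start_tls:
        argv.insert(2, "-ZZ")  # require StartTLS; use start_tls=False for ldaps:// URIs
    return argv


def interpret_exit_status(rc: int) -> str:
    """Map an ldapsearch exit status to the next thing to check."""
    return LDAP_RESULT.get(rc, f"LDAP result code {rc}; look at the directory server log")


def probe(uri: str, bind_dn: str, password_file: str, base_dn: str,
          start_tls: bool = True) -> tuple:
    """Run the probe and return (exit_status, diagnosis)."""
    argv = build_ldapsearch_argv(uri, bind_dn, password_file, base_dn, start_tls)
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, interpret_exit_status(proc.returncode)


if __name__ == "__main__":
    # Constructed placeholders; replace with the values from the WAS LDAP registry panel.
    print(probe("ldap://ldap.example.test:389", "cn=wasbind,ou=svc,dc=example,dc=test",
                "/etc/was/bind.pw", "dc=example,dc=test"))
```

Use the same bind DN, base DN and host that the WAS console shows for the standalone LDAP registry; if the probe returns 49 with those values, the registry's bindPassword is the thing to fix, and if it returns 0 the problem is in how WAS stores or passes that password rather than in the directory.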

Concerns on security function within Websphere Application Server

I'm confused about the relationship between the file security.xml and inbound/outbound SSL, from the attached picture, within WebSphere Application Server.
The file security.xml is located under this path: PROFILE_HOME/config/cells/CELL_NAME
If I disable security by setting the enable property to false in that security.xml, is the SSL function also disabled? That would also mean that if enable is set to **true**, SSL is enabled accordingly.
Please correct me if I'm understanding this wrongly.
In general, security and SSL are not the same, but there is a strong relationship there.
If security is enabled then SSL might be enforced in certain communications. As Davanum Srinivas mentioned, the communication between the node agents and the dmgr starts using SSL. The deployment descriptor entries which mandate confidentiality would start being enforced when security is enabled, etc.
HTH