What is new for security specialists
This topic highlights new and changed features for securing applications and the application server environment.
- OpenID Connect Relying Party custom properties
  Use the provider_<id>.usePkce property to set whether the Trust Association Interceptor (TAI) uses Proof Key for Code Exchange (PKCE) when authenticating with the authorization code flow.
- Security custom properties
  Use the com.ibm.websphere.crypto.config.certexp.notify.emailSubject property to customize the subject line of a notification email for certificate expiration. You can also include the cell scope by appending _addManagementScope to the chosen value. The default value for this property is a placeholder, intended to be replaced with a custom email subject line, with or without the _addManagementScope suffix.
- Security Web Server Plug-in properties in the plugin-cfg.xml file
  The following Web Server Plug-in properties are added to the plugin-cfg.xml file to enhance security.
  - HostVerificationStartupCheck: Specifies whether the plug-in validates all defined transports within the XML at startup.
  - SecureHostVerification: Specifies how to proceed when validation fails.
  - IMSecureConnectorVerification: Specifies whether the plug-in validates all connectors within the Intelligent Management group.
  - IMSecureEndpointVerification: Specifies whether the plug-in validates the endpoint hostname that is returned by the connector.
  - GlobalHostAlias: Specifies a comma-separated list of hostname or IP values for which you want certificate validation performed.
  - HostnameAlias: A transport-level property that validates a certificate for a single hostname value.
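The PKCE exchange that the provider_<id>.usePkce entry above switches on, shown as an added Python example that is not part of this page or of the product: the Relying Party generates a random code_verifier, sends only its S256 code_challenge on the authorization request, and presents the verifier on the token request, so an authorization code that leaks in transit cannot be redeemed without the verifier. The client id, redirect URI, state and code values are constructed placeholders; the OP-side check is included so that both halves of the exchange are visible.

```python
import base64
import hashlib
import hmac
import secrets


def base64url_nopad(raw: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier: 32 random bytes give 43 URL-safe characters,
    the minimum length RFC 7636 allows (the maximum is 128)."""
    return base64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return base64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request_params(client_id: str, redirect_uri: str, state: str, verifier: str) -> dict:
    """Query parameters the RP adds to the authorization request (step 1).
    Only the challenge leaves the RP; the verifier stays in the RP's session."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def token_request_params(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Form parameters the RP posts to the token endpoint (step 2), now
    including the verifier that was held back in step 1."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def op_verifies_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """OP side of the check: recompute the challenge from the presented verifier
    and compare in constant time. Only S256 is accepted here; 'plain' is refused."""
    if stored_method != "S256":
        return False
    if not presented_verifier or not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Constructed placeholder values for the walk-through.
    verifier = make_code_verifier()
    authz = authorization_request_params("rp-client-id", "https://rp.example/callback", "state-123", verifier)
    # ... the OP stores authz["code_challenge"] alongside the code it issues ...
    token_req = token_request_params("rp-client-id", "https://rp.example/callback", "code-from-op", verifier)
    print("verifier accepted:", op_verifies_pkce(authz["code_challenge"], "S256", token_req["code_verifier"]))
```

The verifier must be bound to the browser session that started the login and discarded after the token request; reusing one verifier across logins defeats the purpose of the challenge.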
- Changes in FIPS provider, SSL ciphers, and TLS version
  - The IBMJCEFIPS provider is replaced with the IBMJCEPlusFIPS provider.
  - SSL ciphers are removed.
  - TLS 1 is replaced with TLS 1.2.
- Changes to SSL ciphers and TLS version
  - SSL ciphers are removed.
  - TLS 1 is replaced with TLS 1.2.
- Security custom properties
  Use the com.ibm.websphere.security.ldap.suppressICH31005I property so that the application server handles a javax.naming.NamingException exception as an empty result. The exception is sent from an LDAP server that is RACF enabled.
- Configuring the OIDC TAI to perform RP-Initiated Logout
  You can configure the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) to log a user out of an OpenID provider when the WebSphere logout is complete. Three optional custom properties are added to support RP-Initiated Logout:
  - provider_<id>.endSessionEndpointEnabled: Set this property to true to enable RP-Initiated Logout with the URL that is specified on the provider_<id>.endSessionEndpoint property.
  - provider_<id>.endSessionRedirectUrl: Set this property to the value for the post_logout_redirect_uri parameter on the request to the end session endpoint on the OP.
  - provider_<id>.endSessionUseLogoutExitPage: Set this property to true to use the value of the logoutExitPage parameter as the value for the post_logout_redirect_uri parameter.
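What the three RP-Initiated Logout properties produce at run time, as an added Python example that is not code from this page or from the product: given a constructed provider_<id> property set, the function decides whether to redirect at all and which value becomes post_logout_redirect_uri on the end session request, with the value URL-encoded into the query string. Property names match the page; the precedence of endSessionRedirectUrl over endSessionUseLogoutExitPage and the requirement that the endpoint be an absolute http(s) URL are assumptions of this example.

```python
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample configuration for one provider entry (id "1").
CONSTRUCTED_PROPS: Dict[str, str] = {
    "provider_1.endSessionEndpointEnabled": "true",
    "provider_1.endSessionEndpoint": "https://op.example.com/oidc/endsession",
    "provider_1.endSessionRedirectUrl": "https://rp.example.com/loggedout?src=was",
    "provider_1.endSessionUseLogoutExitPage": "false",
}


def _flag(props: Dict[str, str], key: str) -> bool:
    """Boolean custom properties are strings; only the literal 'true' enables them."""
    return props.get(key, "false").strip().lower() == "true"


def build_end_session_redirect(props: Dict[str, str], provider_id: str,
                               logout_exit_page: Optional[str] = None) -> Optional[str]:
    """Return the URL to send the browser to after the WebSphere logout completes,
    or None when RP-Initiated Logout is disabled or not fully configured."""
    prefix = f"provider_{provider_id}."
    if not _flag(props, prefix + "endSessionEndpointEnabled"):
        return None
    endpoint = props.get(prefix + "endSessionEndpoint", "").strip()
    parts = urlsplit(endpoint)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return None  # assumption: only an absolute http(s) endpoint is usable

    # Assumed precedence: an explicit endSessionRedirectUrl wins; otherwise the
    # logoutExitPage value is used only when endSessionUseLogoutExitPage is true.
    redirect = props.get(prefix + "endSessionRedirectUrl", "").strip()
    if not redirect and _flag(props, prefix + "endSessionUseLogoutExitPage"):
        redirect = (logout_exit_page or "").strip()

    # Preserve any query the endpoint already carries and append ours encoded.
    query = parse_qsl(parts.query, keep_blank_values=True)
    if redirect:
        query.append(("post_logout_redirect_uri", redirect))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


if __name__ == "__main__":
    print(build_end_session_redirect(CONSTRUCTED_PROPS, "1"))
```

Whatever value ends up in post_logout_redirect_uri must also be registered at the OP, since the OP should refuse to redirect to unregistered URLs after logout.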
- SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties
  The regular expression (~=) and logical OR (||) operators are added to the list of filter property operators that the SAML web single sign-on, OIDC, OAuth, and SAML web inbound TAIs support. The request-uri special input element is valid for the SAML TAI filter property.
  The IdP SAML TAI custom property useJavaScript is added. When this property is set to true and a request is redirected to an IdP, the TAI uses JavaScript. When JavaScript is not used, any fragments that are present on the original inbound request are lost.
  Two SAML TAI custom properties are available for version 8.5.5.23 and later: useJavaScript and sso_<id>.sp.useJavaScript. When either of these properties is set to true, the TAI uses JavaScript when a request is redirected to an IdP. When you do not use JavaScript, any fragments that are present on the original inbound request are lost. These properties override the values for the existing redirectToIdPonServerSide and sso_<id>.sp.redirectToIdPonServerSide properties.
  The sso_<id>.sp.useRealm property is updated so that you can use the default WebSphere realm name by setting this property to WAS_DEFAULT.
- OpenID Connect (OIDC) trust association interceptor (TAI) supports encrypted JSON Web Tokens (JWT)
  Starting in version 8.5.5.23, the OpenID Connect Trust Association Interceptor can process an encrypted JWT. An encrypted JWT can be used with both the traditional OpenID Connect Relying Party and JWT Authentication. Using the OIDC RP allows an encrypted JWT to be the ID token, access token, or both. The following OIDC TAI custom properties are added to support an encrypted JWT:
  - provider_<id>.keyStore: Specifies the keystore from which to obtain the decrypting key.
  - provider_<id>.decryptAlias: Specifies the alias of the keyEntry in the keystore that is used to decrypt an encrypted JWT or ID token.
  - provider_<id>.decryptKeyPassword: Specifies the password for the decrypting key.
- OpenID Connect Relying Party custom properties
  The provider_<id>.endSessionEndpoint property was updated for version 8.5.5.23 and later. Set this property to the value of the end session endpoint for the OpenID provider. When this property is set to a value and the provider_<id>.endSessionEndpointEnabled property is set to true, the TAI redirects logout requests to the configured end session endpoint.
  Starting in version 8.5.5.23, you can set the value for the provider_<id>.useRealm custom property to WAS_DEFAULT to use the default WebSphere realm name.
  The default value for the provider_<id>.signatureAlgorithm custom property is now HEADER.
  When the provider_<id>.discoveryEndpointUrl custom property is included in the OIDC TAI configuration, the provider_<id>.signatureAlgorithm custom property is no longer overridden.
  Two optional custom properties are available for version 8.5.5.23 and later: provider_<id>.signatureAllowList and provider_<id>.signatureDenyList. Each property specifies a comma-separated list of signature algorithms that are allowed, or denied, to secure messages from the OpenID Connect provider. If the provider_<id>.signatureAlgorithm custom property is set to a value other than HEADER, both properties are ignored.
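How a Relying Party applies signatureAlgorithm=HEADER together with signatureAllowList and signatureDenyList, as an added Python example that is not code from this page or from the product: the alg is read from the still-unverified JOSE header, a pinned algorithm makes the lists irrelevant as the entry above states, and under HEADER the deny list is checked before the allow list so that a header-chosen algorithm can never widen what the RP accepts. The deny-before-allow order and the refusal of alg "none" are assumptions of this example; the sample tokens are constructed and carry a dummy signature segment, because only the header is consulted here.

```python
import base64
import json
from typing import Optional, Set


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def constructed_token(alg: str) -> str:
    """Constructed sample JWT: real header and claims segments, dummy signature.
    Only the header is consulted by the selection logic below."""
    return ".".join([_b64url_encode({"alg": alg, "typ": "JWT"}),
                     _b64url_encode({"iss": "https://op.example.com", "sub": "user1"}),
                     "dummy-signature"])


def jwt_header_alg(token: str) -> Optional[str]:
    """Read 'alg' from the (unverified) JOSE header, tolerating stripped padding.
    Anything that is not a well-formed JSON object with a string 'alg' yields None."""
    try:
        segment = token.split(".")[0]
        segment += "=" * (-len(segment) % 4)
        header = json.loads(base64.urlsafe_b64decode(segment))
        alg = header.get("alg")
        return alg if isinstance(alg, str) else None
    except (ValueError, AttributeError):
        return None


def _csv(value: Optional[str]) -> Set[str]:
    """Parse a comma-separated custom property value into a set of names."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}


def select_verification_alg(token: str, signature_algorithm: str = "HEADER",
                            signature_allow_list: Optional[str] = None,
                            signature_deny_list: Optional[str] = None) -> Optional[str]:
    """Return the algorithm to verify the token with, or None if the token must be rejected."""
    header_alg = jwt_header_alg(token)
    if header_alg is None:
        return None
    if signature_algorithm.upper() != "HEADER":
        # Pinned algorithm: both lists are ignored and the header must match the pin.
        return signature_algorithm if header_alg == signature_algorithm else None
    if header_alg.lower() == "none":
        return None  # assumption: an unsigned token is never acceptable
    allow, deny = _csv(signature_allow_list), _csv(signature_deny_list)
    if header_alg in deny:
        return None
    if allow and header_alg not in allow:
        return None
    return header_alg


if __name__ == "__main__":
    tok = constructed_token("RS256")
    print(select_verification_alg(tok, "HEADER", "RS256,RS512", None))  # RS256
    print(select_verification_alg(tok, "HEADER", None, "RS256"))        # None
```

The returned algorithm is what the RP then hands to its signature check together with the key from the JWK endpoint; the header value is never trusted on its own, which is why an explicit allow list is the safer companion to the HEADER default.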
- Optional custom property for OpenID Connect Relying Party TAI
  The custom property provider_<id>.revokeEndpointEnabled is added to ignore the setting for the provider_<id>.revokeEndpointUrl property.
- Configuring Kerberos constrained delegation for outbound SPNEGO tokens in WebSphere Application Server
  The Kerberos v5 extension called S4U (Services for Users), also known as constrained delegation, is supported.
- Adding a file-based repository to a federated repositories configuration
  You can use the file adapter repository to lock a user account when the user fails to authenticate. Specify the lockout configuration with the administrative console or with the createIdMgrFileRepository or updateIdMgrFileRepository wsadmin commands.
- Open ID Connect Relying Party custom properties
  Starting in version 8.5.5.22, you can use the following Open ID Connect Relying Party custom properties.
  - provider_<id>.useIssuer: When this property is set to true, the runtime can use the provider entry to service JSON Web Token (JWT) verification requests by API.
  - provider_<id>.allowJwtIssuerSelection: When this property is set to true, the runtime filters requests based on the iss claim in the JWT in the Authorization header of the HTTP request.
- Configuring the application server and Db2 to authenticate with Kerberos
  Use Kerberos credentials to authenticate with Db2 data sources for XA recovery by specifying the Krb5RecoveryPrincipal custom property in your data source configuration.
- Creating a Secure Sockets Layer configuration
  You can specify a custom list of protocols for the SSL handshake, rather than a single protocol. Specify the list with the Custom protocol list field on the Quality of protection (QoP) settings page of the console, or with the createSSLConfig or modifySSLConfig wsadmin command.
- Auditable security events
  You can add the com.ibm.audit.terse.form.login and com.ibm.audit.terse.form.logout properties in the audit.xml file for web logins and logouts in environments where Kerberos or SPNEGO is configured. The events that are enabled are SECURITY_FORM_LOGIN, SECURITY_KERBEROS_LOGIN, SECURITY_SPNEGO_LOGIN, SECURITY_FORM_LOGOUT, SECURITY_KERBEROS_LOGOUT, and SECURITY_SPNEGO_LOGOUT.
  You can set the com.ibm.audit.terse.progname property to true to include the name of the application that is being logged in to or out of in the terse audit record.
- LTPA timeout value for forwarded credentials between servers
  In version 8.5.5.20 and later, the range value for LTPA timeouts for forwarded credentials is an integer in the range 5 - 5265000. The maximum timeout value is 5256000 minutes, the equivalent of 10 years. Before version 8.5.5.20, the value is an integer in the range 5 - 153722867280911.
- Security custom properties
  A new security custom property is available for version 8.5.5.20 and later:
  - com.ibm.websphere.security.useOnlyCustomCookieName: When this property is set to true, the product looks only for the cookies with the names that are specified in the com.ibm.websphere.security.customLTPACookieName and com.ibm.websphere.security.customSSOCookieName custom properties. The server no longer evaluates the LtpaToken2 and LtpaToken cookies under their default names, LtpaToken2 and LtpaToken.
- Support for the product to self-issue SAML tokens that contain an Audience element is available:
  - The Audience SAMLIssuerConfig.properties property is added to SAML Issuer Config Properties.
  - The com.ibm.wsspi.wssecurity.saml.config.issuer.Audience policy bindings property is added to Web services security SAML token custom properties.
- Support for the Transport Layer Security (TLS) protocol, version 1.3
  In version 8.5.5.20 and later, the TLSv1.3 protocol is added to the list of supported protocols for the SSL or TLS handshake. For more information, see SSL configurations.
- Kerberos authentication for XA recovery with Db2 data sources
  In version 8.5.5.20 and later, you can use Kerberos credentials to authenticate with Db2 data sources for XA recovery by specifying the Krb5RecoveryPrincipal custom property in your data source configuration.
- Kerberos bind authentication with Generic Security Services API (GSSAPI) is available for stand-alone LDAP servers and LDAP servers in federated repositories. The following topics contain information about the new function:
  - Configuring Lightweight Directory Access Protocol in a federated repository configuration
  - Lightweight Directory Access Protocol test query utility settings
  - Lightweight Directory Access Protocol repository configuration settings
  - Configuring a federated repository or stand-alone LDAP registry using wsadmin
  - Standalone LDAP registry settings
  - Setting up Kerberos as the bind authentication mechanism for LDAP
  - SecurityConfigurationCommands command group for the AdminTask object, specifically the configureAdminLDAPUserRegistry and configureAppLDAPUserRegistry commands
  - Kerberos bind authentication troubleshooting tips
- SSLConfigCommands command group for the AdminTask object
  A new parameter for the getSSLConfig command is available for version 8.5.5.19 and later:
  - -returnAttributes: This parameter specifies a comma-separated list of SSL configuration attributes that the getSSLConfig command returns.
- Security custom properties
  A new security custom property is available for version 8.5.5.19 and later:
  - com.ibm.websphere.security.spnego.includeCustomCacheKeyInSubject: When this property is set to true, LTPA tokens that are created from SPNEGO authentication include a custom cache key that is derived from the associated Kerberos credentials. If the server receives an LTPA token with the custom cache key and the authentication cache is empty, the server initiates a new SPNEGO authentication to obtain new Kerberos credentials.
- Open ID Connect Relying Party custom properties
  The following Open ID Connect Relying Party custom properties are new for Version 8.5.5.19 and later:
  - provider_<id>.accessTokenIsJwt: Set this property to true if the access token that is returned from the OP is a JWT and you want the TAI to validate the JWT.
  - provider_<id>.endSessionEndpoint: Set this property to the value of the end session endpoint for the Open ID provider so that the Open ID provider can then be accessed with an API.
  - provider_<id>.userinfoEndpointEnabled: Set this property to false to ignore the setting for the provider_<id>.userinfoEndpointUrl property during login.
  - provider_<id>.introspectClientId: Specifies the clientId to include in the requests to the introspection endpoint of the OpenID Provider.
  - provider_<id>.introspectClientSecret: Specifies the clientSecret to include in the requests to the introspection endpoint of the OpenID Provider.
  - provider_<id>.jwkClientId: Specifies the client identifier to include in the basic authentication scheme of the JWK request.
  - provider_<id>.jwkClientSecret: Specifies the client password to include in the basic authentication scheme of the JWK request.
  The following Open ID Connect Relying Party custom properties were updated for Version 8.5.5.19 and later:
  - provider_<id>.filter: The property is updated so that the callback URI from the OP, /callbackServletContext/identifier, is automatically intercepted by the TAI.
  - provider_<id>.setLtpaCookie:
    - The default value is true when the useJwtFromRequest OIDC property is set to the required value.
    - The default value is false when the useJwtFromRequest OIDC property is set to the ifPresent value or the no value.
- com.ibm.websphere.security.addSameSiteAttributeToCookie
  Set this custom property to specify the SameSite attribute value for the single sign-on (SSO) cookie that is associated with Lightweight Third Party Authentication (LTPA).
- Encrypting passwords by using AES
  You can encrypt passwords in the client environment and the server environment by using Advanced Encryption Standard (AES). You can create and enable an AES custom key manager when the default key manager does not implement a specific requirement for your needs. The following topics provide details:
- Intelligent Management: application edition manager custom properties
  The following new Intelligent Management: application edition manager custom property is available for version 8.5.5.18 and later:
  - appedition.rollout.softreset.waitToQuiesceApplication: You can set the appedition.rollout.softreset.waitToQuiesceApplication system property on the deployment manager to limit the amount of time, in seconds, that the application edition quiesce manager waits for the application to be quiesced. By default, the application edition quiesce manager waits until the sessions complete before stopping an application edition instance.
- Open ID Connect Relying Party custom properties
  The following new Open ID Connect Relying Party custom properties are available for version 8.5.5.18 and later:
  - provider_<id>.grantType: Set this property to client_credentials to use the provider entry to obtain an access token from the OpenID Provider token endpoint by using the client_credentials grant type.
  - provider_<id>.discoveryEndpointUrl: This property specifies the endpoint URL that calls the OpenID Connect Provider discovery endpoint.
  - provider_<id>.useDiscovery: If this property is set to true and no value is specified for the discoveryEndpointUrl property, the default value for the discoveryEndpointUrl property is used. If this property is set to false, the value for the discoveryEndpointUrl property is ignored.
  - provider_<id>.useJavaScript: Set this property to false if you do not want to use JavaScript when you redirect to the OpenID Connect Provider for the initial authentication request.
  For version 8.5.5.18 and later, a new value is available for the provider_<id>.signatureAlgorithm OpenID Connect Relying Party custom property. You can now specify RS512 as the algorithm that is used to secure messages from the OpenID Connect provider. For more information, see OpenID Connect Relying Party custom properties.
- Certificate support for key usage and SAN extensions
  In Version 8.5.5.18 and later, you can configure key usage, extended key usage, and SAN extensions for certificates with commands or with the administrative console. For more information, see Creating a self-signed certificate, Creating a chained personal certificate in SSL, and Creating a certificate authority request.
- Open ID Connect Relying Party custom properties
  Four new Open ID Connect Relying Party custom properties are available for Version 8.5.5.17 and later.
  - provider_<id>.loginErrorUrl: This property specifies the URL to which the Relying Party redirects when a login error is received from an OpenID Connect Provider.
  - provider_<id>.sendOpErrorParamsToLoginErrorUrl: When this property is set to true, the Relying Party forwards the error, error description, and error URI parameters that were received from the OpenID Connect Provider to the error URL.
  - provider_<id>.nonceEnabled: When the responseType property is set to code, this property defaults to false. If the responseType property is set to anything other than code, this property is set to true and cannot be altered.
  - provider_<id>.contentSecurityPolicy: If you want a Content-Security-Policy HTTP header to be included in the initial login request that is sent to your OP, set the provider_<id>.contentSecurityPolicy property to the value that you want to use for the Content-Security-Policy HTTP header. If your Content-Security-Policy value requires a nonce, you can use the %NONCE% keyword to indicate where the nonce is to be placed in the text.
- Security custom properties
  New security custom properties are available for Version 8.5.5.17 and later.
  - com.ibm.websphere.security.audit.includeHostName: This property specifies whether audit records include hostname information. When audit records include remote hostname information, a DNS lookup is required. If DNS lookup is slow, it can take a long time for the server to write audit records. When this property is set to false, audit records include the IP address of the remote host but not the remote hostname.
  - com.ibm.websphere.security.dumpJaasConfig: This property specifies whether Java Authentication and Authorization Service (JAAS) configuration information is written to the first failure data capture (FFDC) file.
  - com.ibm.websphere.security.platform.cache.eviction: This property enables z/OS® localOS registry permission changes to be quickly reflected in the runtime by forcing the deletion of the z/OS PlatformCredential object whenever subjects are removed from the AuthCache.
  - com.ibm.websphere.security.setKrbAuthnToken.if.cacheHit: When this custom property is specified, WebSphere looks for a Kerberos authentication token (KRBAuthnToken) in the cache, even if Kerberos authentication is not enabled. If a KRBAuthnToken exists, this property adds it to the subject. The default value is false.
- IdMgrRepositoryConfig command group for the AdminTask object
  New and updated parameters are available for the following IdMgrRepositoryConfig commands in Version 8.5.5.17 and later:
  Specify the lockout configuration with the administrative console.
- Updated hashing algorithm for file and database repositories
  For Version 8.5.5.17 and later, the database and file repositories are updated to support the PBKDF2WithHmacSHA1 hashing algorithm, which is now the default for file-based repositories. Key and salt sizes are increased, as is the number of hashing iterations. These parameters are configurable either in the web console or by using wsadmin commands. Previously, file and database repositories defaulted to SHA-1, which is not a sufficiently secure algorithm. These updates for the hashing algorithm are also available on the administrative console.
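The PBKDF2WithHmacSHA1 scheme named in the entry above, as an added Python example that is not the product's own implementation: a salted, iterated key derivation whose salt, iteration count and key length travel inside the stored record, a constant-time verify, and a needs_rehash check for migrating records that were written under older, weaker parameters. The record format and the parameter values are constructed for the example; the product's own defaults are set through the console or wsadmin, as the entry says.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed policy for the example; the product's own values are configured in
# the console or with wsadmin and are not reproduced here.
ALGORITHM = "PBKDF2WithHmacSHA1"
ITERATIONS = 10_000
SALT_BYTES = 32
KEY_BYTES = 32


def derive_key(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 with HMAC-SHA1 as the pseudo-random function (the 'WithHmacSHA1' in the JCE name)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=dklen)


def hash_password(password: str) -> str:
    """Produce a self-describing record: algorithm$iterations$salt_b64$key_b64.
    A fresh random salt per record means equal passwords never share a hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = derive_key(password.encode("utf-8"), salt, ITERATIONS, KEY_BYTES)
    return "$".join([ALGORITHM, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def _parse_record(record: str):
    """Split a record into (algorithm, iterations, salt, key); None if malformed."""
    try:
        algorithm, iterations, salt_b64, key_b64 = record.split("$")
        return (algorithm, int(iterations),
                base64.b64decode(salt_b64, validate=True),
                base64.b64decode(key_b64, validate=True))
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    parsed = _parse_record(record)
    if parsed is None or parsed[0] != ALGORITHM:
        return False
    _, iterations, salt, expected = parsed
    candidate = derive_key(password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a record predates the current policy (other algorithm, fewer iterations,
    shorter salt or key), so it should be re-hashed at the user's next successful login."""
    parsed = _parse_record(record)
    if parsed is None:
        return True
    algorithm, iterations, salt, key = parsed
    return (algorithm != ALGORITHM or iterations < ITERATIONS
            or len(salt) < SALT_BYTES or len(key) < KEY_BYTES)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
```

Raising the iteration count later does not require a bulk migration: records keep their own parameters, verify_password still accepts them, and needs_rehash flags them so they can be rewritten the next time the user authenticates successfully.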
- Configuring authentication with JSON Web Tokens (JWT)
  JSON Web Tokens (JWT) are a URL-safe means of representing claims between two parties. You can configure your application server to accept an inbound JWT for authentication.
- Security com.ibm.websphere.security.notification.useWebSphereMailSession custom property
  The com.ibm.websphere.security.notification.useWebSphereMailSession security custom property is available for Version 8.5.5.14 and later. The property specifies whether to allow users to use the WebSphere Mail session resource for the certificate expiration monitor.
- Security com.ibm.websphere.security.cert.authCache.lookup custom property
  The com.ibm.websphere.security.cert.authCache.lookup security custom property is available for Version 8.5.5.13 and later. The property specifies an option to look up the authentication cache more extensively for certificate login. The default setting is false. Change the setting to true to enable the lookup.
- Testing Lightweight Directory Access Protocol server connections and search filters
  You can test Lightweight Directory Access Protocol (LDAP) server connections and search filters from the administrative console before you configure them.
- Security com.ibm.websphere.tls.disabledAlgorithms custom property
  The com.ibm.websphere.tls.disabledAlgorithms security custom property is available for Version 8.5.5.10 and later. The property enables changing the setting for the jdk.tls.disabledAlgorithms Java security property.