What is new for security specialists

This topic highlights new and changed features for securing applications and the application server environment.

• OpenID Connect Relying Party custom properties

  Use the provider_<id>.usePkce property to set whether the Trust Association Interceptor (TAI) uses Proof Key for Code Exchange (PKCE) when authenticating with the code authorization flow.

• Security custom properties

  Use the com.ibm.websphere.crypto.config.certexp.notify.emailSubject property to customize the subject line of a notification email for certificate expiration. You can also include the cell scope by appending _addManagementScope to the chosen value. The default value for this property is a placeholder, intended to be replaced with a custom email subject line, with or without the _addManagementScope suffix.

• Security Web Server Plug-in properties in the plugin-cfg.xml file

  The following Web Server Plug-in properties are added to the plugin-cfg.xml file to enhance security.

  • HostVerificationStartupCheck

    Specifies whether the plug-in validates all defined transports within the XML at startup.

  • SecureHostVerification

    Specifies how to process when validation fails.

  • IMSecureConnectorVerification

    Specifies whether the plug-in validates all connectors within the Intelligent Management group.

  • IMSecureEndpointVerification

    Specifies whether the plug-in validates the Endpoint hostname that is returned by the connector.

  • GlobalHostAlias

    Specifies a comma-separated list of either hostname or IP values for which you want certificate validation performed.

  • HostnameAlias

    This property is specifically a transport property to validate a certificate for a single hostname value.

• Changes in FIPS provider, SSL ciphers, and TLS version
  • IBMJCEFIPS provider is replaced with IBMJCEPlusFIPS provider.
  • SSL ciphers are removed.
  • TLS 1 is replaced with TLS 1.2.
• Changes to SSL ciphers and TLS version
  • SSL ciphers are removed.
  • TLS 1 is replaced with TLS 1.2.
• Security custom properties

  Use the com.ibm.websphere.security.ldap.suppressICH31005I property so that the application server handles a javax.naming.Naming Exception exception as an empty result. The exception is sent from an LDAP server that is RACF enabled.

• Configuring the OIDC TAI to perform RP-Initiated Logout

  You can configure the OpenID Connect (OIDC) Relying Party (RP) Trust Association Interceptor (TAI) to log a user out of an OpenID provider when the WebSphere logout is complete.

  Three optional custom properties are added to support RP-Initiated Logout:

  • provider_<id>.endSessionEndpointEnabled

    Set this property to true to enable RP-Initiated Logout with the URL specified on the provider_<id>.endSessionEndpoint property.

  • provider_<id>.endSessionRedirectUrl

    Set this property to the value for the post_logout_redirect_uri parameter on the request to the end session endpoint on the OP.

  • provider_<id>.endSessionUseLogoutExitPage

    Set this property to true to use the value for the logoutExitPage parameter as the value for the post_logout_redirect_uri parameter.

• SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties

  The regular expression (~=) and logical OR (||) operators are added to the list of filter property operators that the SAML web single sign-on, OIDC, OAuth, and SAML web inbound TAIs support.

  The request-uri special input element is valid for the SAML TAI filter property.

  The IdP SAML TAI custom property useJavaScript is added. When this property is set to true and a request is redirected to an IdP, the TAI uses JavaScript. When JavaScript is not used, any fragments that are present on the original inbound request are lost.

  Two SAML TAI custom properties are available for version 8.5.5.23 and later:

  useJavaScript and sso_<id>.sp.useJavaScript

  When either of these properties are set to true, the TAI uses JavaScript when a request is redirected to an IdP. When you do not use JavaScript, any fragments that are present on the original inbound request are lost. These properties override the values for the existing redirectToIdPonServerSide and sso_.sp.redirectToIdPonServerSide properties.

  The sso_<id>.sp.useRealm property is updated so that you can use the default WebSphere realm name by setting this property to WAS_DEFAULT.

• OpenID Connect (OIDC) trust association interceptor (TAI) supports encrypted JSON Web Tokens (JWT)

  Starting in version 8.5.5.23, the OpenID Connect Trust Association Interceptor can process an encrypted JWT. An encrypted JWT can be used with both the traditional OpenID Connect Relying Party and JWT Authentication. Using the OIDC RP allows an encrypted JWT to be the ID token, access token, or both. The following OIDC TAI custom properties are added to support an encrypted JWT:

  • provider_<id>.keyStore

    Specifies the keystore from which to obtain the decrypting key.

  • provider_<id>.decryptAlias

    Specifies the alias of the keyEntry in the keystore that is used to decrypt an encrypted JWT or ID token.

  • provider_<id>.decryptKeyPassword

    Specifies the password for the decrypting key.

• OpenID Connect Relying Party custom properties

  The provider_<id>.endSessionEndpoint property was updated for version 8.5.5.23 and later. Set this property to the value of the end session endpoint for the Open ID provider. When this property is set to a value and the provider_<id>.endSessionEndpointEnabled property is set to true, the TAI redirects logout requests to the configured end session endpoint.

  Starting in version 8.5.5.23, you can set the value for the provider_<id>.useRealm custom property to WAS_DEFAULT to use the default WebSphere realm name.

  The default value for the provider_<id>.signatureAlgorithm custom property is now HEADER.

  When the provider_<id>.discoveryEndpointUrl custom property is included in the OIDC TAI configuration, the provider_<id>.signatureAlgorithm custom property is no longer overridden.

  Two optional custom properties are available for version 8.5.5.23 and later:

  provider_<id>.signatureAllowList and provider_<id>.signatureDenyList

  The properties specify a comma-separated list of signature algorithms that are allowed to secure messages from the OpenID Connect provider. If the provider_<id>.signatureAlgorithm custom property is set to a value other than HEADER, both properties are ignored.

• Optional custom property for OpenID Connect Relying Party TAI

  The custom property provider_<id>.revokeEndpointEnabled is added to ignore the setting for the provider_<id>.revokeEndpointUrl property.

• Configuring Kerberos constrained delegation for outbound SPNEGO tokens in WebSphere Application Server

  Kerberos v5 extension called S4U (Services for Users) also known as constrained delegation is supported.

• Adding a file-based repository to a federated repositories configuration

  You can use the file adapter repository to lock a user account when the user fails to authenticate. Specify the lockout configuration with the administrative console or with the createIdMgrFileRepository or updateIdMgrFileRepository wsadmin commands.

• Open ID Connect Relying Party custom properties
  Starting in version 8.5.5.22, you can use the following Open ID Connect Relying Party custom properties.

  provider_<id>.useIssuer

  When this property is set to true, the runtime can use the provider entry to service JSON Web Token (JWT) verification requests by API.

  provider_<id>.allowJwtIssuerSelection

  When this property is set to true, the runtime filter requests based on the iss claim in the JWT in the Authorization header of the HTTP request.

• Configuring the application server and Db2 to authenticate with Kerberos

  Use Kerberos credentials to authenticate with Db2 data sources for XA recovery by specifying the Krb5RecoveryPrincipal custom property in your data source configuration.

• Creating a Secure Sockets Layer configuration

  You can specify a custom list of protocols for the SSL handshake, rather than a single protocol. Specify the list with Custom protocol list on the console Quality of protection (QoP) settings or with the createSSLConfig or modifySSLConfig wsadmin command.

• Auditable security events

  You can add the com.ibm.audit.terse.form.login and com.ibm.audit.terse.form.logout properties in the audit.xml file for web logins and logouts to environments where Kerberos or SPNEGO are configured. The events that are enabled are SECURITY_FORM_LOGIN, SECURITY_KERBEROS_LOGIN, SECURITY_SPNEGO_LOGIN, SECURITY_FORM_LOGOUT, SECURITY_KERBEROS_LOGOUT, and SECURITY_SPNEGO_LOGOUT.

  You can set the com.ibm.audit.terse.progname property to true to include the name of the application that is being logged in to or out of in the terse audit record.

• LTPA timeout value for forwarded credentials between servers

  In version 8.5.5.20 and later, the range value for LTPA timeouts for forwarded credentials is an integer in the range 5 - 5265000. The maximum timeout value is 5256000 minutes, the equivalent of 10 years. Before version 8.5.5.20, the value is an integer in the range 5 - 153722867280911.

• Security custom properties
  A new security custom property is available for version 8.5.5.20 and later:

  com.ibm.websphere.security.useOnlyCustomCookieName

  When this property is set to true, the product looks only for the cookie with the names that are specified in the com.ibm.websphere.security.customLTPACookieName and com.ibm.websphere.security.customSSOCookieName custom properties. The server no longer evaluates the LtpaToken2 and LtpaToken cookies in the default name that are specified with the LtpaToken2 and LtpaToken values.

• Support for the product to self-issue SAML tokens that contain an Audience element is available:
  • The Audience SAMLIssuerConfig.properties property is added to SAML Issuer Config Properties.
  • The com.ibm.wsspi.wssecurity.saml.config.issuer.Audience policy bindings property is added to Web services security SAML token custom properties.
• Support for the Transport Layer Security (TLS) protocol, version 1.3

  In version 8.5.5.20 and later, the TLSv1.3 protocol is added to the list of supported protocols for the SSL or TLS handshake. For more information, see SSL configurations.

• Kerberos authentication for XA recovery with Db2 data sources

  In version 8.5.5.20 and later, you can use Kerberos credentials to authenticate with Db2 data sources for XA recovery by specifying the Krb5RecoveryPrincipal custom property in your data source configuration.

• Kerberos bind authentication with Generic Security Services API (GSSAPI) is available for stand-alone LDAP servers and LDAP servers in federated repositories. The following topics contain information about the new function:
  • Configuring Lightweight Directory Access Protocol in a federated repository configuration
  • Lightweight Directory Access Protocol test query utility settings
  • Lightweight Directory Access Protocol repository configuration settings
  • Configuring a federated repository or stand-alone LDAP registry using wsadmin
  • Standalone LDAP registry settings
  • Setting up Kerberos as the bind authentication mechanism for LDAP
  • SecurityConfigurationCommands command group for the AdminTask object, specifically the configureAdminLDAPUserRegistry and configureAppLDAPUserRegistry commands
  • Kerberos bind authentication troubleshooting tips
• SSLConfigCommands command group for the AdminTask object
  A new parameter for the getSSLConfig command is available for version 8.5.5.19 and later:

  -returnAttributes

  This parameter specifies a comma-separated list of SSL configuration attributes that the getSSLConfig command returns.

• Security custom properties
  A new security custom property is available for version 8.5.5.19 and later:

  com.ibm.websphere.security.spnego.includeCustomCacheKeyInSubject

  When this property is set to true, LTPA tokens that are created from SPNEGO authentication include a custom cache key that is derived from the associated Kerberos credentials. If the server receives an LTPA token with the custom cache key and the authentication cache is empty, the server initiates a new SPNEGO authentication to obtain new Kerberos credentials.

• Open ID Connect Relying Party custom properties
  The following Open Id Connect Relying Party custom properties are new for Version 8.5.5.19 and later:

  provider_<id>.accessTokenIsJwt

  Set this property to the true value if the access token that is returned from the OP is a JWT and you want the TAI to validate the JWT.

  provider_<id>.endSessionEndpoint

  Set this property to the value of the session endpoint for the Open ID provider so that the Open ID provider can then be accessed with an API.

  provider_<id>.userinfoEndpointEnabled

  Set this property to the false value to ignore the setting for the provider_<id>. userinfoEndpointUrl property during login.

  provider_<id>.introspectClientId

  Specifies the clientId to include in the requests to the introspection endpoint of the OpenId Provider.

  provider_<id>.introspectClientSecret

  Specifies the clientSecret to include in the requests to the introspection point of the OpenId Provider.

  provider_<id>.jwkClientId

  Specifies the client identifier to include in the basic authentication scheme of the JWK request.

  provider_<id>.jwkClientSecret

  Specifies the client password to include in the basic authentication scheme of the JWK request.

  The following Open Id Connect Relying Party custom properties were updated for Version 8.5.5.19 and later:

  provider_<id>.filter

  The property is updated so that the callback URI from the OP, /callbackServletContext/identifier, is automatically intercepted by the TAI.

  provider_<id>.setLtpaCookie

  • The default value is true when the useJwtFromRequest OIDC property is set to the required value.
  • The default value is false when the useJwtFromRequest OIDC property is set to the ifPresent value or the no value.

• com.ibm.websphere.security.addSameSiteAttributeToCookie

  Set this custom property to specify the SameSite attribute value for the single sign-on (SSO) associated with a Lightweight Third Party Authentication (LTPA) cookie.

• Encrypting passwords by using AES
  You can encrypt passwords in the client environment and the server environment by using Advanced Encryption Standard (AES). You can create and enable an AES custom key manager when the default key manager does not implement a specific requirement for your needs. The following topics provide details:

  • Enabling AES password encryption for the server environment
  • Enabling AES password encryption for the client environment
  • Creating a custom AES key manager
  • Enabling a custom AES key manager
• Intelligent Management: application edition manager custom properties
  The following new Intelligent Management: application edition manager custom property is available for version 8.5.5.18 and later:

  appedition.rollout.softreset.waitToQuiesceApplication

  You can set the appedition.rollout.softreset.waitToQuiesceApplication system property on the deployment manager to limit the amount of time, in seconds, that the application edition quiesce manager waits for the application to be quiesced. By default, the application edition quiesce manager waits until the sessions complete before stopping an application edition instance.

• Open ID Connect Relying Party custom properties
  The following new Open Id Connect Relying Party custom properties are available for version 8.5.5.18 and later:

  provider_<id>.grantType

  Set this property to client_credentials to use the provider entry to obtain an access token from the OpenID Provider token endpoint by using the client_credentials grant type.

  provider_<id>.discoveryEndpointUrl

  This property specifies the endpoint URL that calls the OpenID Connect Provider discovery endpoint.

  provider_<id>.useDiscovery

  If this property is set to true and no value is specified for the discoveryEndpointUrl property, the default value for the discoveryEndpointUrl property is used. If this property is set to false, the value for the discoveryEndpointUrl property is ignored.

  provider_<id>.useJavaScript

  Set this property false if you do not want to use JavaScript when you redirect to the OpenID Connect Provider for the initial authentication request.

  For version 8.5.5.18 and later, a new value is available for the provider_<id>.signatureAlgorithm OpenID Connect Relying Party custom property. You can now specify RS512 as the algorithm that is used to secure messages from the OpenID Connect provider. For more information, see OpenID Connect Relying Party custom properties.

• Certificate support for key usage and SAN extensions

  In Version 8.5.5.18 and later, you can configure key usage, extended key usage, and SAN extensions for certificates with commands or with the administrative console. For more information, see Creating a self-signed certificate, Creating a chained personal certificate in SSL, and Creating a certificate authority request.

• Open ID Connect Relying Party custom properties
  Four new Open Id Connect Relying Party custom properties are available for Version 8.5.5.17 and later.

  provider_<id>.loginErrorUrl

  This property specifies the URL to which the Relying Party redirects when a login error is received from an OpenID Connect Provider.

  provider_<id>.sendOpErrorParamsToLoginErrorUrl

  When this property is set to true, the Relying Party forwards the error, error description, and error URI parameters that were received from the OpenID Connect Provider to the error URL.

  provider_<id>.nonceEnabled

  When the responseType property is set to code, this parameter defaults to false. If the responseType property is set to anything other than code, this property is set to true, and cannot be altered.

  provider_<id>.contentSecurityPolicy

  If you want a Content-Security-Policy HTTP header to be included in the initial login request that is sent to your OP, set the provider_<id>.contentSecurityPolicy property to the value that you want to use for the Content-Security-Policy HTTP header. If your Content-Security-Policy value requires a nonce, you can use the %NONCE% keyword to indicate where the nonce is to be placed in the text.

• Security custom properties
  New security custom properties are available for Version 8.5.5.17 and later.

  com.ibm.websphere.security.audit.includeHostName

  This property specifies whether audit records include hostname information. When audit records include remote hostname information, DNS lookup is required. If DNS lookup is slow, it can take a long time for the server to write audit records. When this property is set to false, audit records include the IP address of the remote host. However, the audit records do not include the remote hostname information.

  com.ibm.websphere.security.dumpJaasConfig

  This property specifies whether Java Authentication and Authorization Service (JAAS) configuration information is written to the first failure data capture (FFDC) file.

  com.ibm.websphere.security.platform.cache.eviction

  This property enables z/OS® localOS registry permission changes to be quickly reflected in the runtime by forcing the deletion of the z/OS PlatformCredential object whenever subjects are removed from the AuthCache.

  com.ibm.websphere.security.setKrbAuthnToken.if.cacheHit

  When this custom property is specified, WebSphere looks for a Kerberos authentication token (KRBAuthnToken) in the cache, even if Kerberos authentication is not enabled. If a KRBAuthnToken exists, this property adds it to the subject. The default is value false

• IdMgrRepositoryConfig command group for the AdminTask object
  New and updated parameters are available for the following IdMgrRepositoryConfig commands in Version 8.5.5.17 and later:

  • createIdMgrDBRepository
  • createIdMgrFileRepository
  • updateIdMgrDBRepository
  • updateIdMgrFileRepository

  Specify the lockout configuration with the administrative console

• Updated hashing algorithm for file and database repositories

  For Version 85517 and later, the database and file repositories are updated to support the PBKDF2WithHmacSHA1 hashing algorithm, which is now the default for file-based repositories. Key and salt sizes are increased, as is the number of hashing iterations. These parameters are configurable either in the web console or by using wsadmin commands. Previously, file and database repositories defaulted to SHA-1, which not a sufficiently secure algorithm.

  These updates for the hashing algorithm are also available on the administrative console.

• Configuring authentication with JSON Web Tokens (JWT)

  JSON Web Tokens (JWT) are a URL-safe means of representing claims between two parties. You can configure your application server to accept an inbound JWT for authentication.

• Security com.ibm.websphere.security.notification.useWebSphereMailSession custom property

  The com.ibm.websphere.security.notification.useWebSphereMailSession security custom property is available for Version 8.5.5.14 and later. The property specifies whether to allow users to use the WebSphere Mail session resource for the certificate expiration monitor.

• Security com.ibm.websphere.security.cert.authCache.lookup custom property

  The com.ibm.websphere.security.cert.authCache.lookup security custom property is available for Version 8.5.5.13 and later. The property specifies an option to look up the authentication cache more extensively for certificate login. The default setting is false. Change the setting to true to enable the lookup.

• Testing Lightweight Directory Access Protocol server connections and search filters

  You can test Lightweight Directory Access Protocol (LDAP) server connections and search filters from the administrative console before you configure them.

• Security com.ibm.websphere.tls.disabledAlgorithms custom property

  The com.ibm.websphere.tls.disabledAlgorithms security custom property is available for Version 8.5.5.10 and later. The property enables changing the setting for the jdk.tls.disabledAlogrithms Java security property.