Converting p12 to kdb files using gskcmd

Test Environment

-Test Version : IBM HTTPServer v9.x

Key file conversion

1. pem to p12

# openssl pkcs12 -export -inkey Wildcard.test.co.kr_pem.key -in Wildcard.cardif.co.kr_pem.pem -out Wildcard.test.co.kr.p12

2. p12 to kdb

  1. You can invoke the gskcapicmd from the install_root/bin directory

  2. Converting key file

# ./gskcapicmd -cert -export -target key.kdb -db /sw/img/Wildcard.cardif.co.kr.p12 -fips -target_type cms -type pkcs12

# ./gskcapicmd -cert -import -target ../ssl/key.kdb -target_pw {password} -db /sw/img/Wildcard.cardif.co.kr.p12 -pw {password}

# ./gskcapicmd -cert -setdefault -db ../ssl/key.kdb -pw {password} -label "*.test.co.kr"

WebSphere 보안 취약점 관련 access Log 설정

Test Environment

  • Test Version : WebSphere v8.5

NCSA access Log and HTTP error log set up

HTTP Access

  1. 전체 로그 설정
  • Click Servers > Server Types > WebSphere application servers > server_name > NCSA access and HTTP error logging.
  • Select Enable logging service at server start-up.
  • Ensure that Enable access logging is selected.
  1. 컨테이너별 로그 설정 part 1
  • Application servers > server1 > Web container transport chains > HttpQueueInboundDefault > HTTP inbound channel (HTTP_2)
  • Select Enable logging.
  1. 컨테이버별 로그 설정 part 2
  • Application servers > server1 > Web container transport chains > WCInboundDefault > HTTP inbound channel (HTTP_2)

로그 포맷 변경시

참조 링크

https://www.ibm.com/support/knowledgecenter/ko/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/ttrb_access_logging.html

설정 위치

  • Go to the custom properties page for the wanted transport chain. Click Servers > Server Types > WebSphere application servers > server_name > Web Container Settings > Web container transport chains > chain_name > HTTP_channel_name > Custom properties.

  • Costum properties

    • key

    accessLogFormat

    • value

    %h %u %t "%r" %s %b %D "%{Referer}i" "%{User-agent}I" %{JESSIONID}C
    %h %i %u %t "%r" %s %b %D

WebSphere TLS Clearing issues

Is TLS v1.2 supported in WebSphere Full Profile 7.0, 8.0, 8.5? What's minimum fix pack?

Answer: TLsv1.2 Suppport on V7.0.0.23 on wards TLsv1.2 Support on 8.0.0.3 onwards and 8.5.0.0.

  • TLS v1.2 supported in WebSphere with following JDK version. 7.0.0.23 comes JDK version as follows and TLSv1.2 supported SDK 6
    (32-bit) pap3260sr10fp1-20120321_01(SR10 FP1)
    (64-bit) pap6460sr10fp1-20120321_01(SR10 FP1)​

  • 8.0.0.3 comes with JDK version follows and TLSv1.2 supported
    SDK 6.0.1 (J9 2.6)
    (32-bit) pap3260_26sr1fp1-20120309_01(SR1 FP1)
    (64-bit) pap6460_26sr1fp1-20120309_01(SR1 FP1)

  • 8.5 comes with JDK version follows and TLSv1.2 supported
    SDK 6.0.1 (J9 2.6)
    (32-bit) pap3260_26sr2ifix-20120419_02(SR2+IV19661)
    (64-bit) pap6460_26sr2ifix-20120419_02(SR2+IV19661)

This change allows TLS 1.1 and 1.2 to be configured at the webserver plugin in 8.0 and later on distributed platforms.

  • TLS 1.1 and 1.2 is not supported on zOS at this time.
  • Despite this APAR being listed in 7.0 fixpacks, 7.0 does not support TLs1.1 and TLS1.2 due to the use of GSKit V7.

WAS

Click Security > SSL configurations CellDefaultSSLsetting , NodedefaultSSLsetting and any other SSLConfig

1. Select each SSL Configuration described above, then click Quality of protection (QoP) settings under Additional Properties.

2. On the **Quality of protection (QoP)** settings panel, select TLSv1.2 from the pull-down list in the box named Protocol. change the protocol to TLSV1.2

3. update ssl.client.props
This must be done for each **ssl.client.props** file under the following directories:
For Node example WAS_install\profiles\AppSrv01\properties
For DMGR example WAS_install\profiles\Dmgr01\properties

 **com.ibm.ssl.protocol=TLSv1.2**

4. stopNode.sh && stopManager.sh 

5. startManager.sh

6. syncNode.sh dmgrhostname dmgrsoapport -username userid -password password

7. startNode.sh

8. Click Protocol : openssl s_client -connect webspherehostname:9443 -tls1_2

WEB

update httpd.conf

VirtualHost
SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11

Plg

Why do I receive a GSK_ERROR_SOCKET_CLOSED (gsk rc = 420) error, when WebSphere Application Server and IBM HTTP Server are configured to use TLSv1.2? Answer: you need to have StrictSecurity="true" in the plugin-cfg.xml for TLSv1.2 to work. More details see the following link

To use the Liberty installUtility command.

version : IBM Liberty Core 20.0.0.6 OS : CentOS 7.2

feature Search

# installUtility find {feature_name} --type=feature

feature Download

# installUtility Download {feature_name} --location={download_path} --acceptLicense

repositories

저장소 저장을 위해 repositories.properties 작성

properties file path ${wlp.install.dir}/etc/repositories.properties file.

# feature download path or featue zip path
local-rep.url=/SW/img/LibertyUtility

viewSettings

testConnection

저장소 연결 테스트

# installUtility testConnection default

fixpackCenter feature Download

wlp Info Center
feature fix

WebSphere v9.0.5.1 Basic install guide

OS : CentOS 7 3.10.0-957.el7.x86_64

IM imcl install

tip. Check the package name simply {img_file}/Offerings

IM install

./imcl install com.ibm.cic.agent -repositories "/sw/img/im/repository.config" -installationDirectory "/sw/IBM/InstallationManager/eclipse" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -sP

In this guide, use the existing Installation Manager.

# cd /sw/IBM/InstallationManager/eclipse/tools

WebSphere install

./imcl install com.ibm.websphere.BASE.v90_9.0.5001.20190828_0616 -repositories "/sw/img/base" -installationDirectory "/sw/was/AppServer9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -properties cic.selector.nl=ko -sP

tip. Starting with websphere version 9.0, Java installation should also proceed.

#install
./imcl install com.ibm.websphere.BASE.v90_9.0.5001.20190828_0616 com.ibm.java.jdk.v8_8.0.5041.20190924_1031 -repositories "/sw/img/base","/sw/img/sdk" -installationDirectory "/sw/was/AppServer9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -properties cic.selector.nl=ko -sP

#fix install
./imcl install com.ibm.websphere.BASE.v90_9.0.5003.20200226_0941 -acceptLicense -installationDirectory "/sw/was/AppServer9" -repositories "/sw/img/fixwas"  -sP

IBM HTTPServer install

./imcl install "com.ibm.websphere.IHS.v90_9.0.5001.20190828_0616" "com.ibm.java.jdk.v8_8.0.5041.20190924_1031" -repositories "/sw/img/ihs","/sw/img/sdk"  -installationDirectory "/sw/web/IHS9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -sP -properties user.ihs.httpPort="80"

#fix
./imcl install com.ibm.websphere.IHS.v90_9.0.5003.20200226_0941 -acceptLicense -installationDirectory "/sw/web/IHS9" -repositories "/sw/img/fixweb" -sP

Plugins install

./imcl install com.ibm.websphere.PLG.v90_9.0.5001.20190828_0616 com.ibm.java.jdk.v8_8.0.5041.20190924_1031 -repositories "/sw/img/plg","/sw/img/sdk"  -installationDirectory "/sw/web/Plugins9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -sP

#fix
./imcl install com.ibm.websphere.PLG.v90_9.0.5003.20200226_0941 -acceptLicense -installationDirectory "/sw/web/Plugins9" -repositories "/sw/img/fixweb" -sP

version Info

  1. imcl listInstalledPackages
  2. {install_home}/bin/versionInfo.sh

Windows 10 | edge change the default search engine

Test Environment
Test OS : Windows 10

1. 설정

part1

tip. Copy and paste "edge://settings/search" (without the quotes) into your address bar.

2. 개인 정보 및 서비스

part2

3. 주소 표시줄 > 원하는 검색 엔진 변경

part3

특정 확장자 권한 일괄 변경

사용 환경에서 필요한 내용만 정리.

시스템 환경

OS : CentOS 7 3.10.0-957.el7.x86_64

사용 방법

보안 취약점 디렉토리 및 파일 권한 변경 조치에 따른 예시

  • Permission Change (주로 사용 하는 방법) :
chown -R wasadm:wasadm ./*
chmod -R 750 ./*

find . -name *.xml -exec chmod 640 {} \;
find . -name *.log -exec chmod 640 {} \;
find . -name *.properties -exec chmod 640 {} \;

WebSphere - How to disable server name header

Test Version

  • Test OS : CentOS 7.2
  • Test WAS : WebSphere v8.5

X-Powered-By disable setting

  • 보안 취약점 사항

  • IBM HTTPServer (apache)
    This can be mitigated by adding (httpd.conf):

AddServerHeader Off
ServerTokens Prod
ServerSignature Off

  • WebSphere
    v8.5.0.2 이하 버전에서는 두가지 옵션으로 server version 노출을 방지.

  • ServerHeaderValue :
    Use the ServerHeaderValue property to replace the default value of the Server header that is added to all outgoing HTTP responses by server if a Server header does not already exist. The default value for the Server header is WebSphere Application Server v/x.x, where x.x is the version of WebSphere Application Server that is running on your system.

  • RemoveServerHeader :
    Use the RemoveServerHeader property to force the removal of any server header from HTTP responses that the application server sends, thereby hiding the identity of the server program.

setting link : https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/rrun_chain_httpcustom.html

Starting with Version 8.5.0.2, a Server header is no longer automatically added to all outgoing HTTP responses if a Server header does not already exist. If you add this property with a value, that value is included in the Server header that appears in the response. If you specify the value DefaultServerValue, WebSphere Application Server v/x.x is used as the Server header value.

WebSphere - How to disable X-Powered-By header

Test Version

  • Test OS : CentOS 7.2
  • Test WAS : WebSphere v.8.5

X-Powered-By disable setting

  • 보안 취약점 사항

You can set the property 'com.ibm.ws.webcontainer.disablexPoweredBy' to true as described in the section

setting link : https://www.ibm.com/support/knowledgecenter/ko/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/rweb_custom_props.html#com.ibm.ws.webcontainer.DisableXPoweredByHeader

설정 이후 서버 재 기동 필요.

파일 업로드후 개행 문자 제거 방법

Test environment

OS : AIX

Issue

windows 에서 작업후 파일 업로드하고 vi로 열면 아래와 같이 개행 문자가 보임.

vi로 열면 아래와 같이 개행 문자가 보임

#!/bin/sh^M
#./startServer.sh server_name^M
#./stopServer.sh server_name -username username -password password^M
  • Perl 명령어를 통해 개행 문자 제거

    perl -pi -e 's/^M//g' {file_name}
test1 root [/was8/bin]#perl -pi -e 's/^M//g' stopWasAll.sh
perl -pi -e 's/\015//g' startWeb.sh
perl -pi -e 's/\015//g' stopWeb.sh

vi로 열어 보면 이제 개행 문자가 사라진 모습을 확인 할 수 있다.

test1 root [/was8/bin]#vi stopW*.sh
#!/bin/sh
#./startServer.sh server_name
#./stopServer.sh server_name -username username -password password
#PropFilePasswordEncoder.sh
#export LANG=en_us.utf8
© Copyright A boring day ~ Designed by Template Trackers Published By Gooyaabi Templates