WebSphere TLS configuration issues

Is TLSv1.2 supported in WebSphere Full Profile 7.0, 8.0 and 8.5? What is the minimum fix pack?

Answer: TLSv1.2 is supported from 7.0.0.23 onwards, from 8.0.0.3 onwards, and from 8.5.0.0.

  • TLSv1.2 support depends on the bundled IBM JDK. 7.0.0.23 ships the following SDK 6 levels, which support TLSv1.2:
    (32-bit) pap3260sr10fp1-20120321_01 (SR10 FP1)
    (64-bit) pap6460sr10fp1-20120321_01 (SR10 FP1)

  • 8.0.0.3 ships the following JDK levels, which support TLSv1.2:
    SDK 6.0.1 (J9 2.6)
    (32-bit) pap3260_26sr1fp1-20120309_01 (SR1 FP1)
    (64-bit) pap6460_26sr1fp1-20120309_01 (SR1 FP1)

  • 8.5 ships the following JDK levels, which support TLSv1.2:
    SDK 6.0.1 (J9 2.6)
    (32-bit) pap3260_26sr2ifix-20120419_02 (SR2+IV19661)
    (64-bit) pap6460_26sr2ifix-20120419_02 (SR2+IV19661)

The web server plug-in APAR referred to here allows TLS 1.1 and 1.2 to be configured at the plug-in in 8.0 and later on distributed platforms.

  • TLS 1.1 and 1.2 are not supported on z/OS at this time.
  • Although the APAR is listed in 7.0 fix packs, 7.0 does not support TLS 1.1 or TLS 1.2 because its plug-in uses GSKit V7.

WAS

Click Security > SSL certificate and key management > SSL configurations, and note CellDefaultSSLSettings, NodeDefaultSSLSettings and any other SSL configuration in use.

1. Select each SSL configuration listed above, then click Quality of protection (QoP) settings under Additional Properties.

2. On the **Quality of protection (QoP)** settings panel, select TLSv1.2 in the Protocol pull-down list and save.

3. Update ssl.client.props.
This must be done for each **ssl.client.props** file under the properties directory of every profile, for example:
Node: WAS_install\profiles\AppSrv01\properties
DMGR: WAS_install\profiles\Dmgr01\properties

 **com.ibm.ssl.protocol=TLSv1.2**

Do this before the restart in step 4: stopNode.sh, stopManager.sh, syncNode.sh and wsadmin all connect with the protocol named in ssl.client.props, so once the servers accept only TLSv1.2 an old value there makes the admin clients fail to connect.

4. stopNode.sh && stopManager.sh

5. startManager.sh

6. syncNode.sh dmgrhostname dmgrsoapport -username userid -password password

7. startNode.sh

8. Verify the negotiated protocol: openssl s_client -connect webspherehostname:9443 -tls1_2
   The SSL-Session block of the output should show Protocol : TLSv1.2; a client offering only an older protocol (for example -tls1) should now be rejected.

WEB

Update httpd.conf inside the SSL VirtualHost block, then check the syntax (apachectl -t) and restart IHS:

SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11

Plug-in

Why do I receive a GSK_ERROR_SOCKET_CLOSED (gsk rc = 420) error when WebSphere Application Server and IBM HTTP Server are configured to use TLSv1.2? Answer: the plug-in needs StrictSecurity="true" in plugin-cfg.xml for TLSv1.2 to work. Note that a regenerated plugin-cfg.xml overwrites hand edits, so set it as a plug-in custom property in the console as well. For more details see the referenced link.
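The WAS-side steps above (com.ibm.ssl.protocol in every profile's ssl.client.props, StrictSecurity on the plug-in, and reading the result of the openssl check), as an added shell example that is not from the original page or from IBM. The function names, the demo directory tree and the sample file contents are constructed for this example; GNU sed is assumed.

```shell
#!/bin/sh
# Added example for the TLSv1.2 procedure above (not IBM's code).  It
# (1) sets com.ibm.ssl.protocol in every profile's ssl.client.props,
# (2) makes sure the plug-in's <Config> element carries StrictSecurity="true",
# (3) reads the negotiated protocol out of `openssl s_client` output.
# Function names, the demo tree and sample file contents are constructed.

# Set (or replace, even if commented out) com.ibm.ssl.protocol in one file.
set_ssl_protocol() {            # $1 = ssl.client.props, $2 = protocol
    f=$1; proto=$2
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if grep -q '^#*com\.ibm\.ssl\.protocol=' "$f"; then
        sed -i "s|^#*com\.ibm\.ssl\.protocol=.*|com.ibm.ssl.protocol=$proto|" "$f"
    else
        printf 'com.ibm.ssl.protocol=%s\n' "$proto" >> "$f"
    fi
}

# Apply it to every profile (Dmgr01, AppSrv01, ...) under WAS_install.
set_ssl_protocol_all() {        # $1 = WAS_install, $2 = protocol
    for f in "$1"/profiles/*/properties/ssl.client.props; do
        set_ssl_protocol "$f" "$2" || return 1
    done
}

# Print the active (uncommented) value, empty if none.
get_ssl_protocol() {            # $1 = ssl.client.props
    sed -n 's/^com\.ibm\.ssl\.protocol=//p' "$1"
}

# Ensure StrictSecurity="true" on the <Config ...> element of plugin-cfg.xml.
# A regenerated plugin-cfg.xml overwrites this, so also set it as a plug-in
# custom property in the console.
ensure_strict_security() {      # $1 = plugin-cfg.xml
    f=$1
    if grep -q 'StrictSecurity="true"' "$f"; then
        :                       # already correct
    elif grep -q 'StrictSecurity="' "$f"; then
        sed -i 's/StrictSecurity="[^"]*"/StrictSecurity="true"/' "$f"
    else
        sed -i 's/<Config /<Config StrictSecurity="true" /' "$f"
    fi
    grep -q 'StrictSecurity="true"' "$f"
}

# Extract the "Protocol  : TLSv1.2" line from s_client output read on stdin.
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# Live check: prints the protocol a listener negotiates when offered only
# TLSv1.2, e.g. check_listener webspherehostname 9443; empty = handshake failed.
check_listener() {              # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>/dev/null | negotiated_protocol
}

# Self-contained demonstration on a throwaway directory tree.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/profiles/Dmgr01/properties" "$d/profiles/AppSrv01/properties"
    printf 'com.ibm.ssl.protocol=SSL_TLS\n' > "$d/profiles/Dmgr01/properties/ssl.client.props"
    printf '#com.ibm.ssl.protocol=SSL_TLS\nfoo=bar\n' > "$d/profiles/AppSrv01/properties/ssl.client.props"
    printf '<Config ASDisableNagle="false" RefreshInterval="60">\n</Config>\n' > "$d/plugin-cfg.xml"
    set_ssl_protocol_all "$d" TLSv1.2
    ensure_strict_security "$d/plugin-cfg.xml"
    for p in Dmgr01 AppSrv01; do
        echo "$p: $(get_ssl_protocol "$d/profiles/$p/properties/ssl.client.props")"
    done
    grep '<Config' "$d/plugin-cfg.xml"
    rm -rf "$d"
}
demo
```

Run set_ssl_protocol_all against the real WAS_install before stopping the servers, and check_listener after startNode.sh; the plug-in edit only matters when the web server talks to WAS over HTTPS.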

Using the Liberty installUtility command


Version : IBM Liberty Core 20.0.0.6, OS : CentOS 7.2


Feature search

# installUtility find {feature_name} --type=feature

Feature download

# installUtility download {feature_name} --location={download_path} --acceptLicense

Repositories

Create repositories.properties to register a local repository.

Properties file path: ${wlp.install.dir}/etc/repositories.properties

# feature download path or feature zip path
local-rep.url=/SW/img/LibertyUtility

viewSettings

# installUtility viewSettings

testConnection

Test the repository connection:

# installUtility testConnection default

Related:
  • Fix Central (feature download)
  • WLP Info Center
  • feature fix

WebSphere v9.0.5.1 basic install guide


OS : CentOS 7 3.10.0-957.el7.x86_64

Installation Manager install with imcl

Tip: package IDs can be read from the Offerings directory of the image ({img_file}/Offerings) or listed with imcl listAvailablePackages -repositories {repository}.

IM install

./imcl install com.ibm.cic.agent -repositories "/sw/img/im/repository.config" -installationDirectory "/sw/IBM/InstallationManager/eclipse" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -sP

In this guide the existing Installation Manager is used.

# cd /sw/IBM/InstallationManager/eclipse/tools

WebSphere install

# base package only (no SDK; see the tip below)
./imcl install com.ibm.websphere.BASE.v90_9.0.5001.20190828_0616 -repositories "/sw/img/base" -installationDirectory "/sw/was/AppServer9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -properties cic.selector.nl=ko -sP

Tip: starting with WebSphere 9.0 the Java SDK is no longer part of the product package; install com.ibm.java.jdk.v8 together with the product in the same imcl command, as in the next command.

# install (base + SDK)
./imcl install com.ibm.websphere.BASE.v90_9.0.5001.20190828_0616 com.ibm.java.jdk.v8_8.0.5041.20190924_1031 -repositories "/sw/img/base","/sw/img/sdk" -installationDirectory "/sw/was/AppServer9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -properties cic.selector.nl=ko -sP

# fix pack install
./imcl install com.ibm.websphere.BASE.v90_9.0.5003.20200226_0941 -acceptLicense -installationDirectory "/sw/was/AppServer9" -repositories "/sw/img/fixwas"  -sP

IBM HTTP Server install

./imcl install "com.ibm.websphere.IHS.v90_9.0.5001.20190828_0616" "com.ibm.java.jdk.v8_8.0.5041.20190924_1031" -repositories "/sw/img/ihs","/sw/img/sdk"  -installationDirectory "/sw/web/IHS9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -sP -properties user.ihs.httpPort="80"

# fix pack
./imcl install com.ibm.websphere.IHS.v90_9.0.5003.20200226_0941 -acceptLicense -installationDirectory "/sw/web/IHS9" -repositories "/sw/img/fixweb" -sP

Plug-ins install

./imcl install com.ibm.websphere.PLG.v90_9.0.5001.20190828_0616 com.ibm.java.jdk.v8_8.0.5041.20190924_1031 -repositories "/sw/img/plg","/sw/img/sdk"  -installationDirectory "/sw/web/Plugins9" -sharedResourcesDirectory "/sw/IBM/IMShared" -acceptLicense -sP

# fix pack
./imcl install com.ibm.websphere.PLG.v90_9.0.5003.20200226_0941 -acceptLicense -installationDirectory "/sw/web/Plugins9" -repositories "/sw/img/fixweb" -sP

Version info

  1. imcl listInstalledPackages
  2. {install_home}/bin/versionInfo.sh
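A driver for the imcl sequence above, as an added shell example that is not part of the original guide or of IBM's tooling. It adds the two checks that usually save a re-run: every -repositories path must be an extracted image with a top-level repository.config (the usual cause of "repository not found" failures), and the fix pack is applied only after the base install succeeds. IMCL, IMG and SHARED can be overridden; the defaults are the guide's paths, and the function names are constructed.

```shell
#!/bin/sh
# Added example (not IBM's code): run the WebSphere 9 imcl steps with
# pre-flight checks.  IMCL/IMG/SHARED default to the guide's paths.
IMCL=${IMCL:-/sw/IBM/InstallationManager/eclipse/tools/imcl}
IMG=${IMG:-/sw/img}
SHARED=${SHARED:-/sw/IBM/IMShared}

# Every directory passed to -repositories must carry a repository.config.
check_repos() {                 # args: repository directories
    for r in "$@"; do
        [ -f "$r/repository.config" ] || { echo "not an IM repository: $r" >&2; return 1; }
    done
}

# "/a" "/b" -> /a,/b  (imcl -repositories takes a comma-separated list)
join_commas() {
    out=
    for x in "$@"; do out="$out${out:+,}$x"; done
    printf '%s' "$out"
}

# $1 = installationDirectory, $2 = repositories, $3 = extra options (may be
# empty), remaining args = package IDs.  Mirrors the guide's command line.
imcl_install() {
    dir=$1; repos=$2; extra=$3; shift 3
    "$IMCL" install "$@" -repositories "$repos" -installationDirectory "$dir" \
        $extra -acceptLicense -sP
}

# Base + SDK first (the shared resources directory is only needed on the first
# install), then the fix pack from its own repository.
install_was9() {                # $1 = installationDirectory, e.g. /sw/was/AppServer9
    check_repos "$IMG/base" "$IMG/sdk" "$IMG/fixwas" || return 1
    imcl_install "$1" "$(join_commas "$IMG/base" "$IMG/sdk")" \
        "-sharedResourcesDirectory $SHARED" \
        com.ibm.websphere.BASE.v90_9.0.5001.20190828_0616 \
        com.ibm.java.jdk.v8_8.0.5041.20190924_1031 || return 1
    imcl_install "$1" "$IMG/fixwas" "" \
        com.ibm.websphere.BASE.v90_9.0.5003.20200226_0941
}

# Post-install check: what Installation Manager believes is installed.
installed_packages() {
    "$IMCL" listInstalledPackages
}
```

Usage: install_was9 /sw/was/AppServer9, then installed_packages (or {install_home}/bin/versionInfo.sh) to confirm the 9.0.5.3 level; the IHS and plug-in installs follow the same pattern with /sw/img/ihs, /sw/img/plg and /sw/img/fixweb.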

Windows 10 | Edge: change the default search engine

Test Environment
Test OS : Windows 10


1. Open Settings.

Tip: copy and paste "edge://settings/search" (without the quotes) into the address bar to go straight to the search settings.

2. Open Privacy and services.

3. Under Address bar, change the search engine to the one you want.

Bulk permission change for specific file extensions

Only the items needed in the actual environment are summarised.

System environment

OS : CentOS 7 3.10.0-957.el7.x86_64

Usage

Example of the directory and file permission changes made to remediate a security finding

  • Permission change (the usual method). Use "." rather than "./*" so dot files are included, and quote the -name patterns so the shell does not expand them in the current directory. Note that chmod -R 750 marks every regular file executable; the find commands then tighten the configuration, log and properties files to 640:
chown -R wasadm:wasadm .
chmod -R 750 .

find . -name "*.xml" -exec chmod 640 {} \;
find . -name "*.log" -exec chmod 640 {} \;
find . -name "*.properties" -exec chmod 640 {} \;
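A generalised form of the permission change above, as an added shell example that is not from the original note: directories get 750, scripts stay executable at 750, every other file gets 640, and audit_wide lists anything still readable or writable by "other" so the remediation can be checked afterwards. The function names and the demo tree are constructed; chown to a user other than yourself needs root, and mode_of uses GNU stat.

```shell
#!/bin/sh
# Added example (not from the original note): harden a WebSphere file tree
# and audit the result.  Function names and the demo tree are constructed.

# Directories 750, shell scripts 750, everything else 640, owned by $2.
harden_tree() {                 # $1 = root dir, $2 = owner:group
    root=$1; og=$2
    chown -R "$og" "$root" || return 1
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f ! -name '*.sh' -exec chmod 640 {} +
    find "$root" -type f -name '*.sh' -exec chmod 750 {} +
}

# Print paths under $1 whose mode grants anything to "other" (bits 007).
audit_wide() {                  # $1 = root dir
    find "$1" -perm /007 -print | sort
}

# Numeric mode of one path, e.g. 640 (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

demo() {
    d=$(mktemp -d)
    mkdir -p "$d/config" "$d/logs"
    printf 'x' > "$d/config/server.xml";   chmod 666 "$d/config/server.xml"
    printf 'x' > "$d/logs/SystemOut.log";  chmod 644 "$d/logs/SystemOut.log"
    printf '#!/bin/sh\n' > "$d/startServer.sh"; chmod 777 "$d/startServer.sh"
    printf 'x' > "$d/.hidden.properties"; chmod 644 "$d/.hidden.properties"
    echo "world-accessible before:"; audit_wide "$d"
    harden_tree "$d" "$(id -un):$(id -gn)"
    echo "world-accessible after:";  audit_wide "$d"
    rm -rf "$d"
}
demo
```

On a real installation run harden_tree as root with wasadm:wasadm, then audit_wide on the same root; an empty audit is the evidence the finding asks for.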

WebSphere - How to disable the Server header

Test Version

  • Test OS : CentOS 7.2
  • Test WAS : WebSphere v8.5

Server header disable setting

  • Security finding: the Server header discloses the product and version.

  • IBM HTTPServer (apache)
    This can be mitigated by adding (httpd.conf):

AddServerHeader Off
ServerTokens Prod
ServerSignature Off
  • WebSphere
    On versions before 8.5.0.2, two HTTP transport channel custom properties prevent exposure of the server version.

  • ServerHeaderValue :
    Use the ServerHeaderValue property to replace the default value of the Server header that the server adds to all outgoing HTTP responses when a Server header does not already exist. The default value for the Server header is WebSphere Application Server v/x.x, where x.x is the version of WebSphere Application Server running on your system.

  • RemoveServerHeader :
    Use the RemoveServerHeader property to force the removal of any Server header from HTTP responses that the application server sends, thereby hiding the identity of the server program.

setting link : https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/rrun_chain_httpcustom.html

Starting with Version 8.5.0.2, a Server header is no longer automatically added to outgoing HTTP responses if a Server header does not already exist. If you add the ServerHeaderValue property with a value, that value is included in the Server header of the response. If you specify the value DefaultServerValue, WebSphere Application Server v/x.x is used as the Server header value.

WebSphere - How to disable the X-Powered-By header

Test Version

  • Test OS : CentOS 7.2
  • Test WAS : WebSphere v8.5

X-Powered-By disable setting

  • Security finding: the X-Powered-By header discloses the web container.

Set the web container custom property com.ibm.ws.webcontainer.disablexPoweredBy to true, as described at the link below.

setting link : https://www.ibm.com/support/knowledgecenter/ko/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/rweb_custom_props.html#com.ibm.ws.webcontainer.DisableXPoweredByHeader

A server restart is required after the setting is changed.
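A check for the two headers the Server header and X-Powered-By sections above remove, as an added shell example that is not from the original notes: leaked_headers reads raw HTTP response headers on stdin and prints any X-Powered-By header, or any Server header that still carries a product version or the WebSphere name, and check_url does the same against a live URL with curl. The sample responses in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): find disclosing headers in a
# response.  Sample responses are constructed; curl is used for live checks.

# stdin: raw response headers.  Prints offending lines; exit 0 = clean, 1 = leak.
# "Server: Apache" (ServerTokens Prod) is accepted; a version or "WebSphere" is not.
leaked_headers() {
    hdrs=$(tr -d '\r')
    xpb=$(printf '%s\n' "$hdrs" | grep -i '^x-powered-by:' || true)
    srv=$(printf '%s\n' "$hdrs" | grep -i '^server:' | grep -i -E 'websphere|/[0-9]|v[0-9]' || true)
    if [ -n "$xpb$srv" ]; then
        printf '%s\n' "$xpb" "$srv" | sed '/^$/d'
        return 1
    fi
    return 0
}

# Fetch only the headers of a URL and run the check on them.
check_url() {                   # $1 = URL, e.g. https://webspherehostname:9443/
    curl -sS -o /dev/null -D - "$1" | leaked_headers
}

demo() {
    echo "before the change:"
    if printf 'HTTP/1.1 200 OK\r\nServer: WebSphere Application Server/8.5\r\nX-Powered-By: Servlet/3.0\r\n\r\n' | leaked_headers; then
        echo "  clean"
    else
        echo "  -> leaks"
    fi
    echo "after AddServerHeader Off / ServerTokens Prod / disablexPoweredBy=true:"
    if printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n' | leaked_headers; then
        echo "  clean"
    else
        echo "  -> leaks"
    fi
}
demo
```

Run check_url against both the IHS front end and the WebSphere transport port directly; the IHS directives do not rewrite headers that WebSphere itself emits on port 9080/9443.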

Removing carriage-return characters after a file upload


Test environment

OS : AIX

Issue

After editing on Windows and uploading, opening the file in vi shows a carriage return (^M) at the end of each line. A script whose first line reads #!/bin/sh^M fails with "bad interpreter", because the kernel looks for an interpreter named /bin/sh followed by a CR.

#!/bin/sh^M
#./startServer.sh server_name^M
#./stopServer.sh server_name -username username -password password^M
  • Remove the characters with a Perl command

    perl -pi -e 's/\r//g' {file_name}
test1 root [/was8/bin]#perl -pi -e 's/^M//g' stopWasAll.sh
perl -pi -e 's/\015//g' startWeb.sh
perl -pi -e 's/\015//g' stopWeb.sh

Note: in the first transcript line the ^M is a single control character typed as Ctrl-V Ctrl-M. If it is typed as the two characters caret and M, the regex means "an M at the start of a line" and strips leading Ms instead of carriage returns; the escapes \r or \015 avoid that mistake.

Opening the file in vi again shows that the characters are gone.

test1 root [/was8/bin]#vi stopW*.sh
#!/bin/sh
#./startServer.sh server_name
#./stopServer.sh server_name -username username -password password
#PropFilePasswordEncoder.sh
#export LANG=en_us.utf8
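The same clean-up without Perl, as an added shell example that is not from the original note: has_crlf reports whether a file contains carriage returns, strip_crlf removes them in place while keeping a .bak copy, and shebang_of shows the first line the way cat -v renders it, so the ^M on the interpreter line is visible before and gone after. The function names and the demo file are constructed.

```shell
#!/bin/sh
# Added example (not from the original note): detect and strip CRLF line
# endings.  Function names and the demo file are constructed.

# Exit 0 if the file contains any carriage return.
has_crlf() {                    # $1 = file
    grep -q "$(printf '\r')" "$1"
}

# Remove every CR in place; the original is kept as $1.bak and the file's
# mode is preserved because it is truncated and rewritten, not replaced.
strip_crlf() {                  # $1 = file
    cp -p "$1" "$1.bak" && tr -d '\r' < "$1.bak" > "$1"
}

# The shebang line as cat -v shows it: "#!/bin/sh^M" while the CR is present.
shebang_of() {                  # $1 = script
    head -n 1 "$1" | cat -v
}

demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\r\necho hello\r\n' > "$d/startWeb.sh"
    echo "before: $(shebang_of "$d/startWeb.sh")"
    has_crlf "$d/startWeb.sh" && strip_crlf "$d/startWeb.sh"
    echo "after:  $(shebang_of "$d/startWeb.sh")"
    sh "$d/startWeb.sh"
    rm -rf "$d"
}
demo
```

dos2unix does the same job where it is installed; the functions above only need coreutils, which matters on AIX hosts where neither dos2unix nor Perl may be present.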

Apache installation guide

Only the items needed in the actual environment are summarised.


Test environment

OS : CentOS 7 3.10.0-957.el7.x86_64

Prerequisites

Install APR (Apache Portable Runtime)

Because Apache is built from source here, download APR beforehand.

A recent Apache HTTP Server needs a matching APR version.

  • Check that the build packages are installed

    yum -y install gcc make gcc-c++ pcre-devel

apr

Download link : https://apr.apache.org/download.cgi

[root@was11 apr]$ ./configure --prefix=/SW/web/tools/apr
[root@was11 apr]$ make && make install

apr-util

# extract the archive first
[root@was11 apr-util]$ ./configure --prefix=/SW/web/tools/apr-util --with-apr=/SW/web/tools/apr
[root@was11 apr-util]$ make && make install

PCRE

https://www.pcre.org/

[root@was11 pcre]# ./configure --prefix=/SW/web/tools/pcre
[root@was11 pcre]# make && make install

openssl

Download link : https://www.openssl.org/source/

--prefix is needed in addition to --openssldir: --openssldir only sets the configuration directory, and the httpd --with-ssl option below expects the libraries and headers under /SW/web/tools/openssl.

[root@was11 openssl]# ./config --prefix=/SW/web/tools/openssl --openssldir=/SW/web/tools/openssl
[root@was11 openssl]# make && make install

Main steps

httpd-2.4.41 was the release used here; build the current 2.4.x release instead, since older releases have published vulnerabilities.

[root@was11 httpd24]$ tar -zxvf httpd-2.4.41.tar.gz

configure command

[root@was11 httpd24]# ./configure --prefix=/SW/web/httpd24 --enable-so --enable-rewrite --enable-proxy --enable-ssl --enable-mods-shared=all --enable-modules=shared --enable-mpms-shared=all --with-mpm=worker --with-apr=/SW/web/tools/apr --with-apr-util=/SW/web/tools/apr-util --with-pcre=/SW/web/tools/pcre --with-ssl=/SW/web/tools/openssl --enable-unique-id

[root@was11 httpd24]# make && make install

start

/SW/web/httpd24/bin/apachectl start

Index page: open the server in a browser and confirm the default index page is served.
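Before any of the ./configure steps above, the downloaded tarballs should be checked against the digests published next to them; the Apache projects publish a .sha256 file beside each download (and a .asc signature verifiable with gpg and the project KEYS file, which is the stronger check). As an added shell example that is not from the original guide: verify_sha256 accepts both the "hash *file" and "hash  file" layouts and extract_verified refuses to unpack when the digest differs. The function names and the demo archive are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): verify a source tarball
# against its published SHA-256 before extracting it.  Requires sha256sum
# (GNU coreutils); function names and the demo archive are constructed.

# Hex digest of a file.
sha256_of() {                   # $1 = file
    sha256sum "$1" | cut -d ' ' -f 1
}

# Compare the file with the first 64-hex-digit token in the .sha256 file.
# Exit 0 = match, 1 = mismatch, 2 = no digest found.
verify_sha256() {               # $1 = tarball, $2 = .sha256 file
    want=$(sed -n '1s/^\([0-9a-fA-F]\{64\}\).*/\1/p' "$2" | tr 'A-F' 'a-f')
    [ -n "$want" ] || { echo "no digest found in $2" >&2; return 2; }
    have=$(sha256_of "$1")
    if [ "$have" = "$want" ]; then
        echo "OK: $1"
    else
        echo "MISMATCH: $1 (expected $want, got $have)" >&2
        return 1
    fi
}

# Extract into $3 only after the digest check passes.
extract_verified() {            # $1 = tarball, $2 = .sha256 file, $3 = target dir
    verify_sha256 "$1" "$2" && mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

demo() {
    d=$(mktemp -d)
    mkdir -p "$d/src/httpd-demo"
    printf 'demo\n' > "$d/src/httpd-demo/README"
    tar -czf "$d/httpd-demo.tar.gz" -C "$d/src" httpd-demo
    printf '%s *httpd-demo.tar.gz\n' "$(sha256_of "$d/httpd-demo.tar.gz")" > "$d/httpd-demo.tar.gz.sha256"
    extract_verified "$d/httpd-demo.tar.gz" "$d/httpd-demo.tar.gz.sha256" "$d/build" && ls "$d/build"
    printf '%064d *httpd-demo.tar.gz\n' 0 > "$d/bad.sha256"
    extract_verified "$d/httpd-demo.tar.gz" "$d/bad.sha256" "$d/build2" || echo "refused to extract"
    rm -rf "$d"
}
demo
```

Use it for httpd, apr, apr-util, pcre and openssl alike: fetch tarball and .sha256 from the project's own download page, then extract_verified into the build directory.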

Quick guide to the find command

Only the items needed in the actual environment are summarised.


Test environment

OS : CentOS 7 3.10.0-957.el7.x86_64

Main points

Basic syntax

find ~ -name readme.txt
find [-H] [-L] [-P] [path...] [expression]

  • Find a file by name
[root@localhost /]# find /sw -name "Mem.sh"
/sw/Mem.sh
  • Find a file by name under the current directory (.)
[root@localhost /]# find . -name "Mem.sh"
find: ‘./run/user/1000/gvfs’: Permission denied
./sw/Mem.sh
  • Find a file ignoring case (-iname)
[root@localhost sw]# find /sw -iname "Mem.sh"
/sw/Mem.sh
/sw/MEM.sh
  • Find files modified within the last n days (-mtime -n)
[root@localhost /]# find /sw -name "*.sh" -mtime -1
/sw/Mem.sh
/sw/Mem1.sh
/sw/MEM.sh
  • Search the found files for a string (with a plain pipe to xargs, file names containing spaces or newlines break the command; use -print0 | xargs -0 or -exec grep "Mem" {} + for those)
[root@localhost /]# find /sw -name "*.sh" -mtime -1 | xargs grep "Mem"
/sw/Mem.sh:MEMINFO=`cat /proc/meminfo | grep 'MemTotal\|MemFree\|Buffers\|Cached'`
/sw/Mem1.sh: TOTAL=`free | grep ^Mem: | awk '{print $2}'`
/sw/Mem1.sh: USED=`free | grep ^Mem: | awk '{print $3}'`
/sw/Mem1.sh: FREE=`free | grep ^Mem: | awk '{print $4}'`
/sw/Mem1.sh: BUFFER=`free | grep ^Mem: | awk '{print $6}'`
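The recipes above combined into reusable functions, as an added shell example that is not from the original note: modified_within lists files changed in the last N days, files_named_containing matches names case-insensitively and greps them with -exec ... {} + so names with spaces survive, and recent_scripts_with joins the -mtime and grep steps of the last recipe. The function names and the demo tree are constructed.

```shell
#!/bin/sh
# Added example (not from the original note): the find recipes above as
# functions that are safe for file names with spaces.  Names are constructed.

# Files under $1 modified within the last $2 days (the -mtime -n case).
modified_within() {             # $1 = dir, $2 = days
    find "$1" -type f -mtime "-$2" -print | sort
}

# Files whose name matches $2 case-insensitively and which contain $3.
# -exec ... {} + hands the paths to grep directly, so no xargs quoting issues.
files_named_containing() {      # $1 = dir, $2 = name pattern, $3 = string
    find "$1" -type f -iname "$2" -exec grep -l -- "$3" {} + 2>/dev/null | sort
}

# *.sh files under $1 changed in the last $2 days that contain $3.
recent_scripts_with() {         # $1 = dir, $2 = days, $3 = string
    find "$1" -type f -iname '*.sh' -mtime "-$2" -exec grep -l -- "$3" {} + 2>/dev/null | sort
}

demo() {
    d=$(mktemp -d)
    printf 'MEMINFO=`cat /proc/meminfo`\n' > "$d/Mem.sh"
    printf 'free\n' > "$d/MEM.sh"
    printf 'TOTAL=`free | grep ^Mem:`\n' > "$d/mem check.sh"
    printf 'Mem\n' > "$d/old.sh"; touch -t 197001020000 "$d/old.sh"
    echo "modified in the last day:";      modified_within "$d" 1
    echo "named mem.sh (any case) containing MEMINFO:"; files_named_containing "$d" 'mem.sh' MEMINFO
    echo "recent scripts containing Mem:"; recent_scripts_with "$d" 1 Mem
    rm -rf "$d"
}
demo
```

The same -print0 / xargs -0 pairing works when xargs is preferred (find ... -print0 | xargs -0 grep -l "Mem"); -exec ... {} + is the POSIX form and needs no extra flags.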