From 274c4de2ce4546e0677bbc50b23bf635fdf025c1 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Wed, 26 May 2021 16:42:12 -0400 Subject: [PATCH 1/9] add item to LTPA --- modules/ROOT/pages/network-hardening.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/ROOT/pages/network-hardening.adoc b/modules/ROOT/pages/network-hardening.adoc index 1570fbe3f1..a92490e8b4 100644 --- a/modules/ROOT/pages/network-hardening.adoc +++ b/modules/ROOT/pages/network-hardening.adoc @@ -135,6 +135,13 @@ Browsers that support the `HttpOnly` field don't allow client-side scripts to ac ---- +To ensure that an LTPA token cannot be reused on the same server after a user logs out, you can set the `trackLoggedOutSSOCookies` attribute to `true`. This attribute specifies whether to track LTPA single sign-on tokens that are logged out on the server so that a token can not be reused on the same server. + +[source,xml] +---- + +---- + [#welcome-page-headers] == Welcome page and headers For production, you can disable the Open Liberty welcome page. @@ -163,6 +170,7 @@ Setting the `disableXPoweredBy` attribute to the value of `true` disables the X- ---- + [#session-overflow] == Session overflow Restrict the number of sessions that can be created for applications that use in-memory sessions by disabling HTTP session overflow. From d43026603cff3513fd8f4a1dad2554a5544fbbab Mon Sep 17 00:00:00 2001 From: David Mueller Date: Wed, 26 May 2021 16:51:21 -0400 Subject: [PATCH 2/9] Update network-hardening.adoc --- modules/ROOT/pages/network-hardening.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/ROOT/pages/network-hardening.adoc b/modules/ROOT/pages/network-hardening.adoc index a92490e8b4..c6900735fa 100644 --- a/modules/ROOT/pages/network-hardening.adoc +++ b/modules/ROOT/pages/network-hardening.adoc 
@@ -135,7 +135,9 @@ Browsers that support the `HttpOnly` field don't allow client-side scripts to ac ---- -To ensure that an LTPA token cannot be reused on the same server after a user logs out, you can set the `trackLoggedOutSSOCookies` attribute to `true`. This attribute specifies whether to track LTPA single sign-on tokens that are logged out on the server so that a token can not be reused on the same server. +When a user logs out from an application that is protected by LTPA, the LTPA token value is destroyed on the client side. However, there is a chance that the token value could be manually copied before logout, then manually added to subsequent browser requests in an attempt to gain unauthorized access to the application after logout. + +To ensure that an LTPA token cannot be reused on the same server after a user logs out, set the `trackLoggedOutSSOCookies` attribute to `true`. This attribute specifies whether to track LTPA single sign-on tokens that are logged out on a server so that a token cannot be reused on the same server after logout: [source,xml] ---- From 920ca5ea71b037a75b5ab30daf16956da38ecd4c Mon Sep 17 00:00:00 2001 From: David Mueller Date: Thu, 27 May 2021 10:22:09 -0400 Subject: [PATCH 3/9] change java 16 back to 15 in 21.0.0.5 --- modules/ROOT/pages/java-se.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/java-se.adoc b/modules/ROOT/pages/java-se.adoc index af8bf60c26..78d0e2cd7b 100644 --- a/modules/ROOT/pages/java-se.adoc +++ b/modules/ROOT/pages/java-se.adoc 
@@ -23,6 +23,6 @@ For more information, see https://openliberty.io/blog/2019/02/06/java-11.html[Op Due to differences between Java SE 8 and Java SE 11, an Open Liberty application that runs on Java SE 8 might not run on Java SE 11. For more information, see https://docs.oracle.com/en/java/javase/11/migrate/index.html#JSMIG-GUID-C25E2B1D-6C24-4403-8540-CFEA875B994A[Oracle Java SE 11 migration guide]. -== Java SE 16 -Open Liberty runs on any recent Java SE 16 release from AdoptOpenJDK, OpenJDK, or Oracle. Java SE 16 is not a long-term supported release and standard support is scheduled to end in September 2021. Keep in mind, if you download your Java SDK from https://adoptopenjdk.net/index.html?variant=openjdk16&jvmVariant=openj9[AdoptOpenJDK], https://www.eclipse.org/openj9/[Eclipse OpenJ9] has a better memory footprint and startup profile than https://openjdk.java.net/groups/hotspot/[HotSpot]. +== Java SE 15 +Open Liberty runs on any recent Java SE 15 release from AdoptOpenJDK, OpenJDK, or Oracle. Java SE 15 is not a long-term supported release and standard support is scheduled to end in March 2021. Keep in mind, if you download your Java SDK from https://adoptopenjdk.net/index.html?variant=openjdk16&jvmVariant=openj9[AdoptOpenJDK], https://www.eclipse.org/openj9/[Eclipse OpenJ9] has a better memory footprint and startup profile than https://openjdk.java.net/groups/hotspot/[HotSpot]. For more information, see https://openliberty.io/blog/2019/02/06/java-11.html[Open Liberty and Java 11]. From 2ab8b5205ac4c128e53df59ec31092f9a60938d8 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Thu, 27 May 2021 10:41:37 -0400 Subject: [PATCH 4/9] fix java level --- modules/ROOT/pages/java-se.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/java-se.adoc b/modules/ROOT/pages/java-se.adoc index 78d0e2cd7b..794c5d8dc9 100644 --- a/modules/ROOT/pages/java-se.adoc +++ b/modules/ROOT/pages/java-se.adoc 
@@ -24,5 +24,5 @@ For more information, see https://openliberty.io/blog/2019/02/06/java-11.html[Op Due to differences between Java SE 8 and Java SE 11, an Open Liberty application that runs on Java SE 8 might not run on Java SE 11. For more information, see https://docs.oracle.com/en/java/javase/11/migrate/index.html#JSMIG-GUID-C25E2B1D-6C24-4403-8540-CFEA875B994A[Oracle Java SE 11 migration guide]. == Java SE 15 -Open Liberty runs on any recent Java SE 15 release from AdoptOpenJDK, OpenJDK, or Oracle. Java SE 15 is not a long-term supported release and standard support is scheduled to end in March 2021. Keep in mind, if you download your Java SDK from https://adoptopenjdk.net/index.html?variant=openjdk16&jvmVariant=openj9[AdoptOpenJDK], https://www.eclipse.org/openj9/[Eclipse OpenJ9] has a better memory footprint and startup profile than https://openjdk.java.net/groups/hotspot/[HotSpot]. +Open Liberty runs on any recent Java SE 16 release from AdoptOpenJDK, OpenJDK, or Oracle. Java SE 16 is not a long-term supported release and standard support is scheduled to end in September 2021. Keep in mind, if you download your Java SDK from https://adoptopenjdk.net/index.html?variant=openjdk16&jvmVariant=openj9[AdoptOpenJDK], https://www.eclipse.org/openj9/[Eclipse OpenJ9] has a better memory footprint and startup profile than https://openjdk.java.net/groups/hotspot/[HotSpot]. For more information, see https://openliberty.io/blog/2019/02/06/java-11.html[Open Liberty and Java 11]. From 96201beacd6bc612e502cda7296f411c9f527fd2 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Thu, 27 May 2021 10:48:29 -0400 Subject: [PATCH 5/9] Update network-hardening.adoc --- modules/ROOT/pages/network-hardening.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/network-hardening.adoc b/modules/ROOT/pages/network-hardening.adoc index c6900735fa..792cb80df3 100644 --- a/modules/ROOT/pages/network-hardening.adoc 
+++ b/modules/ROOT/pages/network-hardening.adoc @@ -135,7 +135,7 @@ Browsers that support the `HttpOnly` field don't allow client-side scripts to ac ---- -When a user logs out from an application that is protected by LTPA, the LTPA token value is destroyed on the client side. However, there is a chance that the token value could be manually copied before logout, then manually added to subsequent browser requests in an attempt to gain unauthorized access to the application after logout. +When a user logs out from an application that is protected by LTPA, the LTPA token value is destroyed on the client side. However, the token value might be manually copied before logout, then manually added to subsequent browser requests in an attempt to gain unauthorized access to the application after logout. To ensure that an LTPA token cannot be reused on the same server after a user logs out, set the `trackLoggedOutSSOCookies` attribute to `true`. This attribute specifies whether to track LTPA single sign-on tokens that are logged out on a server so that a token cannot be reused on the same server after logout: From 204a357415e994bf2bed21a455944ffad577939e Mon Sep 17 00:00:00 2001 From: David Mueller Date: Thu, 27 May 2021 14:54:47 -0400 Subject: [PATCH 6/9] fix quotes and update LTPA hardening --- modules/ROOT/pages/network-hardening.adoc | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/modules/ROOT/pages/network-hardening.adoc b/modules/ROOT/pages/network-hardening.adoc index 792cb80df3..afd9cd237f 100644 --- a/modules/ROOT/pages/network-hardening.adoc +++ b/modules/ROOT/pages/network-hardening.adoc 
@@ -76,15 +76,15 @@ This configuration element permits proxies by using the specified IP addresses t [source,xml] ---- - + ---- If your Open Liberty deployment doesn't include any proxies, set the following attributes in the `server.xml` file: [source,xml] ---- - or - + or + ---- The `trusted` attribute on the `webContainer` configuration element enables the application server to use inbound private headers from the web server plug-in. @@ -110,7 +110,7 @@ Set the following attribute in the `server.xml` file to require that LTPA cookie [source,xml] ---- - + ---- As a best practice, replace LTPA keys regularly. @@ -123,7 +123,7 @@ The following example tells browsers to restrict the use of LTPA cookies to only [source,xml] ---- - + ---- You can also use the `cookieHttpOnly` attribute to help prevent cross-site scripting attacks. 
@@ -132,16 +132,15 @@ Browsers that support the `HttpOnly` field don't allow client-side scripts to ac [source,xml] ---- - + ---- -When a user logs out from an application that is protected by LTPA, the LTPA token value is destroyed on the client side. However, the token value might be manually copied before logout, then manually added to subsequent browser requests in an attempt to gain unauthorized access to the application after logout. - -To ensure that an LTPA token cannot be reused on the same server after a user logs out, set the `trackLoggedOutSSOCookies` attribute to `true`. This attribute specifies whether to track LTPA single sign-on tokens that are logged out on a server so that a token cannot be reused on the same server after logout: +When a user logs out from an application that is protected by LTPA, the LTPA token value is destroyed on the client side. +To ensure that an LTPA token cannot be reused on the same server after a user logs out, set the `trackLoggedOutSSOCookies` attribute to `true`. This attribute specifies whether to track LTPA tokens that are logged out on a server so that a token cannot be reused on the same server after logout: [source,xml] ---- - + ---- [#welcome-page-headers] From 114aec3f6bbfd071a90833f56b156dff62d3cafc Mon Sep 17 00:00:00 2001 From: David Mueller Date: Fri, 28 May 2021 09:43:08 -0400 Subject: [PATCH 7/9] fix conflicts --- modules/ROOT/pages/admin-center.adoc | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/modules/ROOT/pages/admin-center.adoc b/modules/ROOT/pages/admin-center.adoc index 677e1e4d39..df73a1d9ad 100644 --- a/modules/ROOT/pages/admin-center.adoc +++ b/modules/ROOT/pages/admin-center.adoc 
@@ -67,7 +67,7 @@ image::ui_login.png[The Admin Center login screen,align="center"] == Select tools from the Toolbox -After you log in to Admin Center, the browser displays the **Toolbox**, which contains tools such as the **Server Config** and **Explore** tools and a bookmark to link:https://openliberty.io[openliberty.io]. The following screen capture shows the Admin Center **Toolbox**: +After you log in to Admin Center, the browser displays the **Toolbox**, which contains tools such as the **Server Config** and **Explore** tools and a bookmark to link:https://openliberty.io[openliberty.io]. The following screen capture shows the Admin Center **Toolbox**: image::ui_toolbox.png[align="center"] @@ -128,7 +128,7 @@ You can add more resource metrics to the **Monitor** view by selecting the **Edi [#batch] === Manage Java batch jobs with the Java Batch tool -If you configure the feature:batchManagement[display=Batch Management] feature, you can access the **Java Batch** tool. With this tool, you can view the progress and status of your Java batch jobs, manage their instances, and view their log files. The following screen capture shows the **Java Batch** tool: +If you configure the feature:batchManagement[display=Batch Management] feature, you can access the **Java Batch** tool. With this tool, you can view the progress and status of your Java batch jobs, manage their instances, and view their log files. The following screen capture shows the **Java Batch** tool: image::ui_javaBatchTool.png[align="center"] 
@@ -136,6 +136,28 @@ Each batch job has an **Actions** icon, which you can select to stop, restart, o If batch jobs or job logs are on remote servers, link:/guides/cors.html[configure cross origin region sharing (CORS)] on each remote server. CORS enables Admin Center to request job information from remote servers. +The Batch Management feature requires custom authorization to view and manage batch jobs. To use the Java Batch tool, you must configure a `com.ibm.ws.batch` custom authorization role, in addition to the reader or administrator management role that is required to access the Admin Center. The following server.xml example shows configuration for a `wanda` user who is granted the administrator management role and the batchAdmin custom authorization role: + +[source,xml] +---- + + wanda + + + + + + + +---- + +With this configuration, the user has authorization to view and manage any configured Java batch jobs. + +A `com.ibm.ws.batch` custom authorization role can also be combined with the reader management role. This combination still allows full access to the Java Batch tool but provides read-only access to other Admin Center resources. + +However, if no custom batch authorization role is configured, even a user in the administrator management role cannot view or manage Java batch jobs. For more information, see https://www.ibm.com/docs/en/was-liberty/nd?topic=liberty-securing-batch-environment[Securing the Liberty batch environment]. + + [#openid] === Administer Open ID Connect Provider tasks with the OpenID Connect (OIDC) tools From 2c6b27c1c461c810f9cdb974312b25cac8bc0550 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Fri, 28 May 2021 10:31:16 -0400 Subject: [PATCH 8/9] fix typo --- modules/ROOT/pages/admin-center.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/admin-center.adoc b/modules/ROOT/pages/admin-center.adoc index df73a1d9ad..17bbf8654b 100644 --- a/modules/ROOT/pages/admin-center.adoc 
+++ b/modules/ROOT/pages/admin-center.adoc @@ -136,7 +136,7 @@ Each batch job has an **Actions** icon, which you can select to stop, restart, o If batch jobs or job logs are on remote servers, link:/guides/cors.html[configure cross origin region sharing (CORS)] on each remote server. CORS enables Admin Center to request job information from remote servers. -The Batch Management feature requires custom authorization to view and manage batch jobs. To use the Java Batch tool, you must configure a `com.ibm.ws.batch` custom authorization role, in addition to the reader or administrator management role that is required to access the Admin Center. The following server.xml example shows configuration for a `wanda` user who is granted the administrator management role and the batchAdmin custom authorization role: +The Batch Management feature requires custom authorization to view and manage batch jobs. To use the Java Batch tool, you must configure a `com.ibm.ws.batch` custom authorization role, in addition to the reader or administrator management role that is required to access the Admin Center. The following `server.xml` file example shows configuration for a `wanda` user who is granted the administrator management role and the batchAdmin custom authorization role: [source,xml] ---- From 60bdc880a8481025c4371b98b3b010c802996ec7 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Fri, 28 May 2021 10:33:23 -0400 Subject: [PATCH 9/9] Update admin-center.adoc --- modules/ROOT/pages/admin-center.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/admin-center.adoc b/modules/ROOT/pages/admin-center.adoc index 17bbf8654b..77c0121fb6 100644 --- a/modules/ROOT/pages/admin-center.adoc +++ b/modules/ROOT/pages/admin-center.adoc 
@@ -136,7 +136,7 @@ Each batch job has an **Actions** icon, which you can select to stop, restart, o If batch jobs or job logs are on remote servers, link:/guides/cors.html[configure cross origin region sharing (CORS)] on each remote server. CORS enables Admin Center to request job information from remote servers. -The Batch Management feature requires custom authorization to view and manage batch jobs. To use the Java Batch tool, you must configure a `com.ibm.ws.batch` custom authorization role, in addition to the reader or administrator management role that is required to access the Admin Center. The following `server.xml` file example shows configuration for a `wanda` user who is granted the administrator management role and the batchAdmin custom authorization role: +The Batch Management feature requires custom authorization to view and manage batch jobs. To use the Java Batch tool, you must configure a `com.ibm.ws.batch` custom authorization role, in addition to the reader or administrator management role that is required to access the Admin Center. The following `server.xml` file example shows configuration for a `wanda` user who is granted the administrator management role and the batchAdmin custom authorization role: [source,xml] ----
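Review bot: In 1/9, hunk `@@ -135,6 +135,13 @@` of network-hardening.adoc, the new `[source,xml]` block that the `trackLoggedOutSSOCookies` sentence points the reader at has nothing visible between its `----` delimiters; confirm the `server.xml` element with `trackLoggedOutSSOCookies="true"` is actually inside the block, since the paragraph ends by introducing it. In the same hunk, "can not" should be "cannot" (2/9 fixes this, so fold that wording into 1/9 rather than carrying a follow-up). The second hunk, `@@ -163,6 +170,7 @@`, only adds a blank line before `[#session-overflow]`, which is an unrelated whitespace change; drop it from this commit or mention it in the message.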
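Review bot: In 2/9, hunk `@@ -135,7 +135,9 @@`, the new motivation paragraph states that the token is "destroyed on the client side" and then moves straight to the mitigation; make the gap explicit by saying that without tracking, the server still accepts a token that was copied before logout, which is exactly what the attribute's own description ("so that a token cannot be reused on the same server after logout") implies. Otherwise a reader can conclude that client-side deletion already covers logout. The replacement of "can not" with "cannot" and the closing colon before the example are good.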
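Review bot: In 3/9, hunk `@@ -23,6 +23,6 @@` of java-se.adoc, the heading and sentence are changed to Java SE 15 but the AdoptOpenJDK link still carries `variant=openjdk16&jvmVariant=openj9`, so it sends readers to the wrong release; update the link to match. The new sentence "standard support is scheduled to end in March 2021" is in the past relative to this commit's date (27 May 2021) and should read "ended in March 2021". Note that 4/9 reverts this change; see the comment on that hunk about squashing the pair.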
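Review bot: In 4/9, hunk `@@ -24,5 +24,5 @@` of java-se.adoc, the context line `== Java SE 15` is left unchanged while the replaced paragraph now describes Java SE 16, so heading and body disagree; include `+== Java SE 16` in the hunk. Because this patch undoes 3/9 except for the heading, the net effect of 3/9 plus 4/9 is a heading that is wrong; either drop both patches from the series or squash them into one commit whose subject states which Java level 21.0.0.5 actually documents.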
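Review bot: In 6/9, hunk `@@ -76,15 +76,15 @@` of network-hardening.adoc, the literal word `or` remains on its own line inside the `[source,xml]` block for the no-proxy configuration; AsciiDoc renders everything between the `----` delimiters verbatim, so the example is not valid `server.xml` as shown. Split it into two source blocks with a short sentence between them, or move the alternative into an XML comment such as `<!-- or -->`. The quote fixes in this and the `@@ -110` and `@@ -123` hunks are not distinguishable in the rendered diff because the element content is not visible here; a one-line note in the commit message saying which quote characters were replaced would make the change reviewable.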
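Review bot: In 6/9, hunk `@@ -132,16 +132,15 @@`, the sentence added in 2/9 explaining that a token copied before logout can be added to later requests is removed, which leaves "the LTPA token value is destroyed on the client side" immediately followed by the mitigation with no stated reason why server-side reuse is possible; keep a one-line rationale so the hardening step is understandable on its own. Removing the blank line between the two `+` lines also merges them into a single AsciiDoc paragraph; if two paragraphs are intended, keep the blank line. Changing "LTPA single sign-on tokens" to "LTPA tokens" is fine as long as the term matches the rest of the page.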
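Review bot: In 7/9, hunks `@@ -67,7 +67,7 @@` and `@@ -128,7 +128,7 @@` of admin-center.adoc, the `-` and `+` lines for the Toolbox and Java Batch paragraphs are textually identical, so these are whitespace-only changes (most likely trailing whitespace); keep them out of a content commit or state them in the message. The subject "fix conflicts" also does not describe the 24-line addition about batch authorization in the third hunk; a subject such as "document custom authorization role required by the Java Batch tool" would match the change.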
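Review bot: In 7/9, hunk `@@ -136,6 +136,28 @@`, the `server.xml` example between the `----` delimiters shows only `wanda` as rendered here; verify the block contains the elements that grant `wanda` both the administrator management role and the `batchAdmin` role under `com.ibm.ws.batch`, because the prose promises exactly that configuration and the example is the only place it is shown. Two documentation points: the paragraph that pairs a `com.ibm.ws.batch` role with the reader management role is the least-privilege option for operators who only need batch, so consider presenting it first or marking it as the recommended combination; and the closing sentence that an administrator without a custom batch role cannot view or manage batch jobs is the key operational fact, so it belongs near the top of the section. Also put `server.xml` in backticks (8/9 does this; fold it in) and drop one of the two blank lines added before `[#openid]`.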
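Review bot: In 9/9, hunk `@@ -136,7 +136,7 @@` of admin-center.adoc, the `-` and `+` lines are identical in visible text, so the change is whitespace-only and the subject "Update admin-center.adoc" does not say so. Since 8/9 and 9/9 only touch the paragraph that 7/9 introduced, squash both into 7/9 before merging; the series would then be three commits (LTPA logout tracking, Java SE level, batch authorization) instead of nine.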