Fundamental Security difference - Websphere



  1. Fundamental Security difference

    Hi,

    I want to restrict direct access to an Application Server (allow only
    requests through the Web Server in the DMZ only) on WAS 6. On WAS 5 I
    used to do this:

    (1) Updated default_VirtualHost aliases to *:80 and *:443. Removed all
    the other ports
    (2) Set the Transport on the AppServer to 9080 and 9443 (SSL).
    (3) Deployed the Test Application to the default_VirtualHost
    (4) Regen the plugin and only 80 and 443 are listed as VirtualHost and
    9080 and 9443 are transports.

    Requests via the WebServer http and https were successful however any
    requests directly to the Application Server over Port 9080 or 9443
    failed. *** Result = The only way to get the Application to respond
    was through the Web server.

    However on v6.1 I ran through the same scenario but the Application
    Server still accepts requests on 9080......

    So either (a) my original understanding of port lockdown was flawed or
    (b) there is something different between v5 and v6.1 (possibly related
    to chains) that I don't get. I have read up about this but still
    cannot see anything.

    Can anyone help?

    Thanks,

    EddieT




  2. Re: Fundamental Security difference

    On Dec 2, 8:53 am, EddieT wrote:
    > Hi,
    >
    > I want to restrict direct access to an Application Server (allow only
    > requests through the Web Server in the DMZ only) on WAS 6. On WAS 5 I
    > used to do this:
    >
    > (1) Updated default_VirtualHost aliases to *:80 and *:443. Removed all
    > the other ports
    > (2) Set the Transport on the AppServer to 9080 and 9443 (SSL).
    > (3) Deployed the Test Application to the default_VirtualHost
    > (4) Regen the plugin and only 80 and 443 are listed as VirtualHost and
    > 9080 and 9443 are transports.
    >
    > Requests via the WebServer http and https were successful however any
    > requests directly to the Application Server over Port 9080 or 9443
    > failed. *** Result = The only way to get the Application to respond
    > was through the Web server.
    >
    > However on v6.1 I ran through the same scenario but the Application
    > Server still accepts requests on 9080......
    >
    > So either (a) my original understanding of port lockdown was flawed or
    > (b) there is something different between v5 and v6.1 (possibly related
    > to chains) that I don't get. I have read up about this but still
    > cannot see anything.
    >
    > Can anyone help?
    >
    > Thanks,
    >
    > EddieT


    I would suggest the obvious - moving the app server back behind a
    firewall as well. This would resolve the problem.
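
A way to audit the setup discussed in this thread, as an added example that is not code from either poster or from IBM: it reads a generated plugin-cfg.xml, lists the app server transports whose ports appear in no virtual host alias (the state after steps (1)-(4)), and checks whether each one still accepts a TCP connection from the machine running the script. The sample XML is constructed in the plugin-cfg.xml layout, and `app1.example.internal` is a placeholder host name.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample in the plugin-cfg.xml layout; the host name is a placeholder.
SAMPLE_PLUGIN_CFG = """<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:443"/>
  </VirtualHostGroup>
  <ServerCluster Name="server1_Cluster">
    <Server Name="server1">
      <Transport Hostname="app1.example.internal" Port="9080" Protocol="http"/>
      <Transport Hostname="app1.example.internal" Port="9443" Protocol="https"/>
    </Server>
  </ServerCluster>
</Config>"""

def alias_ports(root):
    """Ports named in VirtualHost aliases such as '*:80' (wildcard ports are skipped)."""
    ports = set()
    for vh in root.iter("VirtualHost"):
        port = vh.get("Name", "").rpartition(":")[2]
        if port.isdigit():
            ports.add(int(port))
    return ports

def unaliased_transports(xml_text):
    """(host, port, protocol) of each Transport whose port is in no host alias."""
    root = ET.fromstring(xml_text)
    aliases = alias_ports(root)
    found = [(t.get("Hostname"), int(t.get("Port")), t.get("Protocol"))
             for t in root.iter("Transport")]
    return [t for t in found if t[1] not in aliases]

def is_reachable(host, port, timeout=2.0):
    """True if a TCP connect succeeds from the machine running this script."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for host, port, proto in unaliased_transports(SAMPLE_PLUGIN_CFG):
        open_ = is_reachable(host, port)
        state = "REACHABLE: restrict with a firewall" if open_ else "blocked"
        print(f"{proto}://{host}:{port} -> {state}")
```

Run it from a host outside the DMZ: any transport reported as reachable is accepting connections that did not come through the web server, whatever the virtual host aliases say.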
