Configure trusted mode for the internal HTTP transport

WebSphere Application Server - Express has further tightened security by introducing a configuration option that permits administrators to specify if they trust private HTTP headers or not. You should carefully evaluate enabling the WebSphere Application Server - Express internal HTTP transport in the trusted mode in the production environment to determine if sufficient trust is established.

When the trusted mode is enabled, the WebSphere Application Server - Express internal HTTP transport allows the assertion of the user identity by adding the client certificate to the HTTP header. The Web server plug-in can use this feature to support client certificate authentication. The HTTP header does not contain any information that WebSphere Application Serve - Express can use to detemine the server identity which asserts the client certificate. You should establish a secure communication channel with transport level authentication between the Web server plug-in and WebSphere Application Server - Express to avoid HTTP header spoofing.

You can configure the trusted mode for each HTTP port independently and disable on any port that client machines can access directly, both from the Internet and the intranet. Requiring the Web server plug-in to establish a Secure Sockets Layer (SSL) connection with client certificate authentication ensures that only a trusted Web server plug-in asserts the user certificate. Moreover, you should use a self-signed certificate so that only those servers that have the self-signed certificate can establish a secure connection to the trusted internal HTTP transport. For more information on setting up the SSL connection with self-signed certificate authentication, see Configure SSL for WebSphere Application Server - Express.

Other than SSL, you can use mechanisms such as Virtual Private Network (VPN) and IPSec to protect the internal HTTP transport from being accessed by unauthorized users.

The trusted mode is set to true by default. Perform the following steps in the WebSphere administrative console to add a custom transport property to disable the trusted mode:

  1. Expand Servers, and click Application Servers.
  2. Click your application server name.
  3. Click Web Container --> HTTP Transports --> host_name --> Custom Properties, where host_name is the host name of your server.
  4. Click New and enter the property name Trusted with the value of false.
  5. Restart the server.

After the server restarts, the transports for which you set trusted to false do not accept client certificate assertion. An HTTP Error 403 is returned with the error message similar to the following in your log file:

  Requests through proxies such as the WebSphere webserver plug-in are not permitted
  to this port. The HTTP transport on port 9080 is not configured to be trusted.