Installing and using the webscurity webapp.secure client

Linux

Utilities

for

IBM

System

z

Installing

and

using

the

webScurity

webApp.secure

client

Linux

Utilities

for

IBM

System

z

Installing

and

using

the

webScurity

webApp.secure

client

Note

Beforeusingthisinformationandtheproductitsupports,readtheinformationin“Notices,”onpage19.

FirstEdition(August2006)

©CopyrightInternationalBusinessMachinesCorporation2006.Allrightsreserved.

USGovernmentUsersRestrictedRights–Use,duplicationordisclosurerestrictedbyGSAADPScheduleContract withIBMCorp.

Contents

About

this

book

.

.

.

.

.

.

.

.

.

.

. v

Chapter

1.

Overview

.

.

.

.

.

.

.

.

. 1

Chapter

2.

Pre-requisites

.

.

.

.

.

.

. 3

Chapter

3.

Installation

.

.

.

.

.

.

.

.

. 5

Chapter

4.

Configuration

.

.

.

.

.

.

. 7

Initialization . . . 8

Testingtheconfiguration . . . 8

Backinguptheconfiguration . . . 8

Chapter

5.

Operation

.

.

.

.

.

.

.

.

. 9

Userinterface . . . 9

Chapter

6.

Security

.

.

.

.

.

.

.

.

. 11

Chapter

7.

Data

integrity

considerations

.

.

.

.

.

.

.

.

.

.

. 13

Chapter

8.

Tuning

.

.

.

.

.

.

.

.

.

. 15

Chapter

9.

Service

and

upgrade

.

.

.

. 17

Obtainingupdates . . . 17

Appendix.

Notices

.

.

.

.

.

.

.

.

.

. 19

About

this

book

Thisdocumentdescribeshow tosetupandusethewebScuritywebApp.secure componentinthecontextofLinux®Utilities forIBM®Systemz™(LinuxUtilities). LinuxUtilities areasuiteofLinuxsolutions configuredandtestedonSystemz in a z/OSandLinuxworkloadscenario.LinuxUtilitiesprovidespecific infrastructure functionsthatarecomplementary tofunctionsonz/OS.WithLinuxUtilities you haveanadditionaloption tooptimizeyour z/OSenvironment.LinuxUtilitieshelp toprovidequickdeployment,easyinstallation,andreducedtime-to-marketof infrastructurefunctionswithminimalimpactonz/OSskillsandresources. For moreinformationonLinuxUtilitiesvisitwww.ibm.com/zseries/os/linux/ utilities. Onthis siteyoumightalso findupdatestothisdocument.

For informationonrunningLinuxonSystemzmainframessee:

v

z/VMandLinuxonIBMSystemz:The VirtualizationCookbookforSLES9,SG24-6695

v z/VMandLinuxonIBMSystemz:The VirtualizationCookbookforRed HatEnterprise

Chapter

1.

Overview

ThewebScurity® webApp.secure®client forLinuxonSystemz protectsweb application serversrunningonIBMsystemsunderz/OS®fromwebapplication attackswhichtakeadvantageofthestatelessnatureoftheWebprotocol(HTTP). Theclient stopsindiscriminateHTTPwormorvirusattacks,andalso discriminate targetedInternet attacksdirectedattheapplicationsourcecode.

Even whenprotectedbya generalfirewall,webapplicationsarestill vulnerableto criticalattackssuchasSQLinjection,cross-sitescripting,cookiepoisoning,hidden fieldmanipulation, andothers.ThewebScuritywebApp.secure clientoperates invisiblyandprotectstheapplicationbyexaminingtheHTTPnetworktrafficto ensurethatit conformstoIntendedUseGuidelinesspecifiedforthesite. Thefunctionsprovidedbytheutilityinclude:

v Provisionofatrusted gatewaythatprotectsall webapplicationcode,z/OS,

WebSphere®or othermiddleware andtheirvulnerabilities,

v Checkingof webcontentinthede-militarisedzone(DMZ)withnorisktothe

applicationserversrunningonz/OS,

v Set&Forgetcontrolsthatautonomically deriveandupdatepolicy,

v Anaddedlayerofregulatory compliancethatexceeds governmentguidelines

forGLBA,HIPAAand SOX,

v Isolationofz/OSfromInternet trafficandthreats,usingHiperSockets

™_forfast communicationsthatare physicallysecure.

Asshown inFigure1, webApp.securerunsintheDMZbetweentheexternal firewalland theLinuxwebproxy.Afterthepackagingof networktraffichasbeen verifiedbytheexternal firewall,and beforethetrafficispassed throughthe internalfirewalltothez/OSapplication,thecontentsofthetrafficareverifiedby webApp.secure.

Internet

System z

DMZ

Transaction

z/OS

server

Linux

Web server

webApp

.secure

Firewall

Firewall

Thiscanbeusedasastartingpointinthetransitionfromthedistributed

environment,but themaximum benefitsfromwebApp.securecanbegainedinan environment suchasthatillustratedinFigure2.Herethenecessaryfirewall functionsare performedbyIPSecandIPSinthez/OSTCP/IPstack. Inthisway thecomplexityandexpense ofthe″choke″orprivatefirewallcanbeeliminated and increasedperformance willresult.

Internet

System z

DMZ

z/OS

Transaction

server

IPSec/IPS

Linux

Web server

webApp

.secure

Firewall

Figure2.Advancedscenario

Chapter

2.

Pre-requisites

Thissectionidentifies pre-requisitesforthewebScuritywebApp.secureclientfor LinuxonSystemz.

v Theutilitymustbe installedinto LinuxonSystemz runninginanLPAR or

underz/VM®_.

v SystemRequirements– Compatibility

– All majorwebbrowsers

– All HTTPwebservers

– All HTTPapplication servers

– Fully compatiblewith HTTP1.0and1.1

– Fully compatiblewith HTML3.2and4.0,includingcascadingstylesheets

– Fully compatiblewith clientsidescriptinglanguages(JavaScript

™_,VBScript, etc.)

– SSL40/128bitencryptionand globalID

v SystemRequirements– Minimum

– 128 MbytesRAMrecommended

– 300 Mbytesfreediskspacerecommended

v Ifyouhostmultiple websites onthesameserverusingIP-based virtualhosting,

thenyouwillneedtoset upaseparate instanceforeachIP.Setthe<listen-ip> property(seeChapter4,“Configuration,”onpage7) ofeachinstancetotheIP addressofeachwebsite.

Check “Obtainingupdates”onpage17for thelatestversionof thewebApp.secure client.

Chapter

3.

Installation

InstallationofthewebScuritywebApp.secureclient onSystemz

AsthewebScuritywebApp.secure clientrunsentirelyonLinuxthereisnothingto install onz/OS.

TheLinuxsoftware issupplied asa RPMpackage,forexample

webApp.secure.pe-3.0-1.s390x.rpm.ThisisinstalledinLinuxonSystemz using the rpm -i command.

Fulldetailsaregivenin thewebApp.secure Installationand SetupGuide, http://www.webscurity.com/pdfs/wa_installation_setup_guide.pdf.More informationaboutinstallationonLinuxorUNIX®_{iscontainedinthedocument}

Chapter

4.

Configuration

How toconfigurewebApp.secureonz/OSandonLinuxonSystemz.

Configurationonz/OSwillgenerallybe unnecessary.Theonlyexceptionwouldbe if webApp.secureisrequiredto monitorwebaccessoriginatinginz/OS.Inthis caseitisnecessarytomodifytheroutingtableonz/OStodirectthenettraffic through thewebApp.secureclient.Theoriginalroutingtableentriesare usedin theconfigurationoftheutilityonLinux.

ThewebScuritywebApp.secureclientisconfiguredonLinuxinaset ofXMLfiles whichare maintainedwith theuseofatexteditorsuchasvi.Thefirstofthese files isthelocationsfile,etc/wa.conf.Thisfileholdsapointer tothemain

configurationsettingsinproperties_file,aswellaspointerstologfilesandflags forlogsettings.BasicdetailsaregiveninthesectionToInstallwebApp.secure on LinuxinthewebApp.secureInstallationandSetupGuide,http://

www.webscurity.com/pdfs/wa_installation_setup_guide.pdf.

Thedefaultlocationforthepropertiesfileis/usr/local/wa/etc/WAProperties.xml.The principle entriesinthis filearetheweb-server-name,web-server-port,listenport, and host-namewhichidentifythewebservertobeprotected. Otherentriesmaybe addedto definepoliciesand detectionsettings.

Theformatsof theprincipalentriesare: Web ServerName

<web-server-name>server_ip_address</web-server-name> forexample:

<web-server-name>our.server</web-server-name> or:

<web-server-name>192.168.0.2</web-server-name>

ThisistheinternalreferenceofthewebserverwebApp.secure isprotecting.Itis typicallyanIPaddressoran internalservername.

Web ServerPort

<web-server-port>server_port</web-server-port> forexample:

<web-server-port>8080</web-server-port>

IfwebApp.secureisrunningonthephysicalwebserverthisshouldbea non-standard portnumber.However,ifthey arerunningonseparate machines, this canbeanyvalidTCPportnumbernotaccessiblefromtheoutside.

Listen IP

<listen-ip>ip_to_monitor</listen-ip> forexample:

ThisisanoptionalIPaddressthatwebApp.secure shoulduse. IfnoIPisspecified, webApp.securewilluseallavailable.

Listen Port

<listen-port>normal_port</listen-port> for example:

<listen-port>80</listen-port>

ThisistheTCPportnumberwebApp.securewilluseforunencryptedtraffic. Normally thiswillbethestandardHTTPport80.

Host Names <host-names>

<host-name>host</host-name> <host-names> for example: <host-names> <host-name>www.maindomain.com</host-name> <host-name>www.subdomain.com</host-name> <host-names>

Theseareoneormore fully-qualifiedexternalhostnamesofthewebsites

webApp.secureisprotecting.Addanentryforeveryname-basedvirtualwebsite hosted onthewebserver.

Full detailsofthese fieldsandotherconfigurationsettingsaregiveninthe documentWelcometowebApp.secure,/usr/local/wa/doc/Welcome_unix.pdf.

Initialization

The webApp.secureprocessisstartedwiththecommand/usr/local/wa/bin/wa. Thiswillnormallybe addedtoasystemboot procedure.Nofurtherinitialization isrequired.

Testing

the

configuration

TestingthatthewebScuritywebApp.secureclienthasbeensuccessfullyconfigured. The configurationcanbetestedbyfollowingtheexamples giveninthe

Testing/Experimenting sectionofthewebApp.secureInstallationandSetupGuide, http://www.webscurity.com/pdfs/wa_installation_setup_guide.pdf,and the

EvaluationInstallationExamplessectionintheWelcometowebApp.securedocument,

/usr/local/wa/doc/Welcome_unix.pdf.

Backing

up

the

configuration

BackinguptheconfigurationsettingsofthewebScuritywebApp.secureclient The configurationsettingsareheld intextformatinanXMLfileanda conffile (seeChapter4,“Configuration,”onpage7 fordetails.)Thisfileshouldbe backed upbycopyingittoasecurelocationwheneveritismodified.Restorationissimply a matterof copyingitbackagain.

Chapter

5.

Operation

How tousethewebScuritywebApp.secureclient

webApp.secureoperatesinvisiblyintheSystemz DMZ,byprotectingeachURL within aSystemz machinewith“Set &Forget”controlsthatautonomicallyderive and updatewebsitepolicyascontentexitsthewebserver.ThewebApp.secure Administration ConsolerecordsandreportsstatisticsforallHTTPdaemon requests,showingtotalallowedandtotalblockedbyattackattempttype.

User

interface

ThewebScuritywebApp.secureclientforLinuxonSystemziscontrolledusing thebrowser-basedAdministrationOption.

Examplescreens fromtheAdministrationOptioncanbefoundfromthe http://www.webscurity.com/products.htm page,byfollowingthe″QuickStart Guide″link.

TheRemoteAdministration propertygroupallowsyoutospecifyparametersfor browser-based administration.Therearesafeguardstolimit accessibilitytothe remote administrationfeature,anditdoesuseSSL(https://),but itwasdesigned tobe usedoveranintranet.Theparametersare:

<remote-admin>

<enable>status</enable> </remote-admin>

forexample: <remote-admin>

<enable>true</enable> </remote-admin>

Setto“True”toenablebrowser-basedadministration.

<remote-admin>

<listen-ip>ip_to_monitor</listen-ip> </remote-admin>

forexample: <remote-admin>

<listen-ip>192.168.0.2</listen-ip> </remote-admin>

Thisisthespecific IPaddresswebApp.secureshoulduseforbrowser-based administration.

Ifleft blankallavailable IPaddresseswillbeused.

<remote-admin>

<listen-port>normal_port</listen-port> </remote-admin>

<remote-admin>

<listen-port>8020</listen-port> </remote-admin>

ThisistheTCPportnumberwebApp.secureshoulduseforbrowser-based administration.

<remote-admin>

<password>password</password> </remote-admin>

for example: <remote-admin>

<password>admin</password> </remote-admin>

Thisisaone-wayhashedpasswordtouseforbrowser-basedadministrationaccess. Note: Thedefaultpasswordis“admin”andcanonlybechangedfromthebrowser

whenthisoption isenabled.

<remote-admin> <client-ips>

<client-ip>client_ip</client-ip>

</client-ips> </remote-admin> for example: <remote-admin> <client-ips> <client-ip>192.168.0.105</client-ip> </client-ips> </remote-admin>

Theseareoneormore clientIPaddressesthatareallowed toconnectto webApp.secureforbrowser-basedadministration.

IfnoIPs arespecifiedconnectionswillbe acceptedfromanyIPaddress. Example addressingfroma browser:

https://192.168.0.2:8020/

(Pleasenotetheuseofhttps inthisexample.)

Chapter

6.

Security

Data securityisachievedwhenusingthewebScuritywebApp.secureclientfor LinuxonSystemz.

webApp.secureprotectsallelementsofthewebenvironmentincludingoperating system,HTTPdaemon,developmentanddeploymentframework, andDBMS. It also ensuresthatwebsites,theirapplications,and theirassociateddatabasesare accessedand usedexactlyasintended,witha positivemodel,byenforcingweb siteguidelines,rulesandpolicy.

Websitepolicyisautomaticallysecuredafter webApp.securemapstheweb application businesslogic,includingvulnerabilities(forexamplelegacyand new application software),uponinstallationandautonomicallyderivesandupdates policyascontentexits theserver.

webApp.secureisawebapplicationfirewall,residingintheDMZbetweenthe standardfirewallandtheLinuxwebserver,andprotectsagainstattacksseeking to exploitsoftwarevulnerabilitiesthrough:

v SQLinjection,

v Cross-sitescripting,

v Hiddenfieldmanipulation,

v Cookiepoisoning,

v Stealthcommanding,

v Forcefulbrowsing,

v Bufferoverruns,and

Chapter

7.

Data

integrity

considerations

EnsuringdataintegritybetweenthewebScuritywebApp.secureclientforLinuxon Systemz andz/OS.

Data integrityisautomaticallyassuredbyvalidationwith websitepolicywhenthe HTTPstreampassesthrough astandardfirewall,andautonomicallyuponexit fromthewebserver.

Chapter

8.

Tuning

TuningthewebScuritywebApp.secure clientforLinuxonSystemz. Tuningonz/OSisnotapplicable;alltuningisperformedonLinux. Theparameterswhichcanbemodifiedtoadjusttheperformanceof webApp.secureforLinuxonSystemzare:

<max-connections></max-connections>

Themaximum numberofsimultaneousclientconnectionsthatwillbe served.Once thethresholdisreachedtheoperatingsystem’slistenqueue willbeused.

<max-listen-queue></max-listen-queue>

Themaximum numberofpendingconnectionsthatwillbe servedfromthe operatingsystem’slistenqueue.

Chapter

9.

Service

and

upgrade

Migrating tothelatestversionofthewebScuritywebApp.secureclientforLinux onSystemz.

ThiswillnormallybeperformedbydownloadingandinstallingthelatestRPM fromwebScurityasdescribedinChapter3,“Installation,” onpage5. Installation willreplacetheexecutable/usr/local/wa/bin/waexecutablewiththelatest webApp.secureversion(currentlyversion4.0).

Thetasks toperformare: 1. Shut downwebApp.secure,

2. Copytheexecutable,

3. StartwebApp.secure.

Obtaining

updates

ObtainingfixestothecurrentreleaseofthewebScuritywebApp.secureclient,and acquiring anewrelease

Thelatest versionofthewebScuritywebApp.secureclientcanbedownloaded fromhttp://www.webscurity.com/download.htm

Appendix.

Notices

Thisinformationwasdevelopedforproductsandservices offeredintheU.S.A. IBM maynotoffertheproducts,services,orfeaturesdiscussedinthisdocumentin othercountries.Consultyour localIBMrepresentativeforinformationonthe productsand servicescurrentlyavailableinyourarea.Anyreferencetoan IBM product, program,orserviceisnotintendedtostateorimplythatonlythatIBM product, program,orservicemaybe used.Anyfunctionallyequivalentproduct, program, orservicethatdoesnotinfringeanyIBMintellectualpropertyrightmay be usedinstead.However, itistheuser’sresponsibility toevaluateandverifythe operationofanynon-IBMproduct,program, orservice.

IBM mayhavepatentsorpendingpatent applicationscoveringsubjectmatter described inthisdocument.Thefurnishingofthisdocumentdoesnotgrantyou anylicensetothesepatents.Youcansend licenseinquiries,inwriting,to: IBM DirectorofLicensing

IBM Corporation North CastleDrive Armonk,NY10504-1785 U.S.A.

For licenseinquiriesregardingdouble-byte(DBCS)information,contacttheIBM IntellectualProperty Departmentinyourcountryorsendinquiries,in writing,to: IBM WorldTradeAsiaCorporation

Licensing

2-31 Roppongi3-chome,Minato-ku Tokyo106-0032,Japan

Thefollowingparagraphdoesnotapplyto theUnited Kingdomor anyother country wheresuchprovisionsareinconsistentwithlocallaw:

INTERNATIONALBUSINESSMACHINESCORPORATIONPROVIDES THIS PUBLICATION“ASIS”WITHOUT WARRANTYOFANYKIND,EITHER EXPRESSORIMPLIED,INCLUDING,BUTNOTLIMITED TO,THEIMPLIED WARRANTIESOFNON-INFRINGEMENT,MERCHANTABILITYORFITNESS FORAPARTICULARPURPOSE.Somestatesdo notallowdisclaimerofexpress or impliedwarrantiesincertaintransactions,therefore,thisstatementmaynotapply toyou.

Thisinformationcouldinclude technicalinaccuraciesortypographicalerrors. Changes areperiodicallymadetotheinformationherein;these changeswillbe incorporatedinneweditionsof thepublication.IBM maymakeimprovements and/or changesintheproduct(s)and/ortheprogram(s)describedinthis publication atanytimewithoutnotice.

Anyreferencesinthisinformationtonon-IBMWebsitesareprovidedfor

convenienceonlyanddonotinanymannerserveasanendorsementofthoseWeb sites.Thematerialsat thoseWebsitesarenotpartof thematerials forthisIBM productanduseofthoseWebsitesisatyour ownrisk.

IBM mayuseordistribute anyoftheinformationyousupplyinanywayit believes appropriatewithoutincurringanyobligationtoyou.

Licensees ofthisprogramwhowishtohaveinformationaboutit forthepurpose of enabling:(i)theexchangeofinformationbetweenindependentlycreated programs andotherprograms(includingthis one)and(ii)themutualuseofthe informationwhichhasbeenexchanged,shouldcontact:

IBM Corporation

SoftwareInteroperabilityCoordinator,Department49XA 3605Highway52N

Rochester,MN55901 U.S.A.

Such informationmaybeavailable,subjecttoappropriatetermsandconditions, includinginsomecases,paymentof afee.

The licensedprogramdescribedinthis informationandalllicensedmaterial available foritareprovidedbyIBMundertermsoftheIBMCustomerAgreement, IBM InternationalProgramLicenseAgreement,oranyequivalentagreement betweenus.

Anyperformancedatacontained hereinwas determinedinacontrolled

environment.Therefore,theresultsobtained inotheroperatingenvironmentsmay vary significantly.Somemeasurementsmayhavebeenmadeondevelopment-level systemsandthereisnoguaranteethatthesemeasurementswillbethesameon generallyavailable systems.Furthermore,somemeasurementsmayhavebeen estimatedthrough extrapolation.Actualresultsmayvary.Usersof thisdocument shouldverifytheapplicabledatafortheirspecific environment.

Informationconcerningnon-IBMproductswasobtained fromthesuppliers of those products,theirpublished announcementsorotherpubliclyavailablesources. IBM hasnottestedthoseproductsandcannotconfirmtheaccuracy of

performance, compatibilityoranyotherclaims relatedtonon-IBMproducts. Questionsonthecapabilitiesofnon-IBMproductsshouldbe addressedtothe suppliers ofthoseproducts.

All statementsregardingIBM’sfuturedirectionorintentaresubjecttochangeor withdrawal withoutnotice,andrepresentgoalsandobjectivesonly.

Thisinformationisforplanningpurposesonly.Theinformationhereinissubjectto changebefore theproductsdescribed becomeavailable.

Thisinformationcontainsexamples ofdataandreportsusedindailybusiness operations.Toillustratethemascompletelyaspossible,theexamples includethe namesof individuals,companies,brands,and products.Allofthesenamesare fictitiousand anysimilaritytothenamesandaddressesusedbyanactualbusiness enterpriseisentirelycoincidental.

Ifyouareviewingthisinformationsoftcopy,thephotographsand color illustrations maynotappear.

Trademarks

The followingtermsaretrademarksofInternationalBusinessMachines Corporation intheUnitedStates,othercountries,orboth:

HiperSockets IBM

System z

WebSphere z/OS z/VM

All Java-basedtrademarksare trademarksofSunMicrosystems, Inc.intheUnited States, othercountries,orboth.

Linuxisa trademarkofLinusTorvaldsintheUnitedStates,othercountries,or both.

UNIX isa registeredtrademarkofTheOpenGroupintheUnitedStatesand other countries.

webScurityinc. andwebApp.secure aretrademarksofwebScurityInc.inthe UnitedStates, othercountries,orboth.

Other company,product, orservicenamesmaybetrademarksorservicemarksof others.

Readers’

Comments

—

We’d

Like

to

Hear

from

You

InstallingandusingthewebScuritywebApp.secureclient PublicationNo. SC33-8322-00

Overall,howsatisfiedareyouwiththeinformationinthisbook?

VerySatisfied Satisfied Neutral Dissatisfied Very Dissatisfied

Overallsatisfaction h h h h h

Howsatisfiedareyouthattheinformationinthisbookis:

VerySatisfied Satisfied Neutral Dissatisfied Very Dissatisfied

Accurate h h h h h

Complete h h h h h

Easytofind h h h h h

Easytounderstand h h h h h

Wellorganized h h h h h

Applicabletoyourtasks h h h h h

Pleasetellushowwecanimprovethisbook:

Thankyouforyourresponses.Maywecontactyou? h Yes h No

WhenyousendcommentstoIBM,yougrantIBManonexclusiverighttouseordistributeyourcommentsinany wayitbelievesappropriatewithoutincurringanyobligationtoyou.IBMoranyotherorganizationswillonlyuse thepersonalinformationthatyousupplytocontactyouabouttheissuesthatyoustateonthisform.

Name Address

Readers’

Comments

—

We’d

Like

to

Hear

from

You

SC33-8322-00

SC33-8322-00

򔻐򗗠򙳰

AlongLine

CutorFold AlongLine FoldandTape Pleasedonotstaple FoldandTape

FoldandTape Pleasedonotstaple FoldandTape PLACE POSTAGE

STAMP HERE

IBMDeutschlandEntwicklungGmbH InformationDevelopment

Department3248

SchoenaicherStrasse220 71032Boeblingen Germany _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

___________________________________________________________________________________________________

򔻐򗗠򙳰