Tuesday, 22 January 2013

Testing the AJAX Proxy in WebSphere Application Server 8.0

I'm actually using IBM Business Monitor 8.0.1 ( aka Business Activity Monitoring or IBM BM or IBM ! ), but this relates to IBM Business Process Manager 8.X, which also includes the AJAX Proxy to support the Business Space UI.

I'm still on a learning curve with this, but I just wanted to report back on some basic AJAX Proxy security/configuration testing.

So, the way I see it, the AJAX Proxy can be used to allow an iWidget rendering in Business Space to access services on other Business Space servers ….. -OR- on other web servers, regardless of whether they're in your network or not :-(

In addition, the AJAX Proxy can be used by ALL authenticated users.

Ulp !!

So, with more recent versions of IBM BAM and IBM BPM, the AJAX Proxy has been "locked down" to prevent users from going to servers outside of a small number of defaults.

This is controlled by the file - proxy-config.xml - for my environment, this is located here: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/BusinessSpace/BAM801.WebApp/mm.runtime.prof/config/proxy-config.xml

Within the file, I can see: -

...
        <proxy:policy url="endpoint://*" acf="none" basic-auth-support="true">
                <proxy:actions>
                        <proxy:method>GET</proxy:method>
                        <proxy:method>POST</proxy:method>
                        <proxy:method>PUT</proxy:method>
                        <proxy:method>DELETE</proxy:method>
                </proxy:actions>

I believe this allows Business Space to access iWidgets etc. from the BAM ( or BPM ) server itself e.g. only access resources from the server on which Business Space is running.

I *MAY* be wrong, and will be checking this out.

However, I can also see: -

        <proxy:policy url="http://www.ibm.com/*" acf="none" basic-auth-support="true">
        <proxy:policy url="http://www-03.ibm.com/*" acf="none" basic-auth-support="true">
        <proxy:policy url="http://www.redbooks.ibm.com/*" acf="none" basic-auth-support="true">
        <proxy:policy url="http://www.google.com/ig/*"  acf="none" basic-auth-support="true">
    <proxy:mapping contextpath="/cognosProxy/*">
           <proxy:policy url="endpoint://*" acf="none" basic-auth-support="true">

the first four of which mean that the AJAX Proxy will allow requests to be made from Business Space to any of those four external URLs.

To "prove" this, I attempted to access another URL via the Proxy, with the following request: -


As expected, this failed with: -

403 BMWPX0006E: The URL https://rhel6.uk.ibm.com:8443/ cannot be accessed through the proxy.

Had I added a <proxy:policy url="https://rhel6.uk.ibm.com:8443/*" …/> entry to my proxy-config.xml, I would not have seen that exception.

I proved this by adding the following lines: -

..
        <proxy:policy url="https://rhel6.uk.ibm.com:8443/*"  acf="none" basic-auth-support="true">
                <proxy:actions>
                        <proxy:method>GET</proxy:method>
                </proxy:actions>
        </proxy:policy>
...

to the proxy-config.xml file.

I then needed to "check in" the updated file to the cluster within which Business Space is executing - BAM801.WebApp - as follows: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/bin/wsadmin.sh -lang jython -user wasadmin -password passw0rd

WASX7209I: Connected to process "dmgr" on node bamDM using SOAP connector;  The type of process is: DeploymentManager
WASX7031I: For help, enter: "print Help.help()"
wsadmin>

wsadmin> AdminTask.updateBlobConfig('[-clusterName "BAM801.WebApp" -propertyFileName "/opt/IBM/WebSphere/AppServer/profiles/Dmgr01/BusinessSpace/BAM801.WebApp/mm.runtime.prof/config/proxy-config.xml" -prefix "Mashups_"]')

'updateBlobConfig is executed succesfully'

wsadmin> AdminConfig.save()

''

wsadmin> AdminNodeManagement.syncActiveNodes()

---------------------------------------------------------------
 AdminNodeManagement:        Synchronize the active nodes
 Usage: AdminNodeManagement.syncActiveNodes()
 Return: If the command is successfully invoked, a value of 1 is returned.
---------------------------------------------------------------


bamNode01
1

wsadmin> exit

Now, when I attempt to have the AJAX Proxy get content directly from the web server, using the following URL: -


I get some small element of the IBM HTTP Server default "welcome" page - index.html - as follows: -


I suspect that I need to enable more HTTP methods than merely GET, but this proves the point with regard to the AJAX Proxy configuration.

PS I should point out that this is well documented in various places, including the following IBM Technote: -

Troubleshooting IBM Business Process Manager: "403 BMWPX0006E: The URL you tried to access through the proxy is not allowed"

 

What this should show us is that (a) the AJAX Proxy is a very powerful piece of kit and (b) with great power comes great responsibility.

There are a number of IBM recommendations with regard to "hardening" the AJAX proxy, including: -

(1) Forcing SSL and disallowing untrusted signers
(2) Reducing the number of endpoints to which the proxy can connect
(3) Configuring IP whitelisting to ensure that the proxy is only used with certain IP address ranges
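One way to check a proxy-config.xml against recommendations (1) and (2) before checking it in. This is an added example, not code from the original post or from IBM. The sample XML is constructed from the excerpts above, and its root element, namespace URI, approved-host list and issue labels are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the excerpts above. The namespace URI and the
# root element name are placeholders, not taken from IBM's shipped file.
SAMPLE = """<proxy:proxy-rules xmlns:proxy="urn:example:proxy-config">
 <proxy:mapping contextpath="/proxy/*">
  <proxy:policy url="endpoint://*" acf="none" basic-auth-support="true"/>
  <proxy:policy url="http://www.google.com/ig/*" acf="none" basic-auth-support="true">
   <proxy:actions><proxy:method>GET</proxy:method></proxy:actions>
  </proxy:policy>
  <proxy:policy url="https://rhel6.uk.ibm.com:8443/*" acf="none" basic-auth-support="true">
   <proxy:actions><proxy:method>GET</proxy:method></proxy:actions>
  </proxy:policy>
  <proxy:policy url="*" acf="none">
   <proxy:actions><proxy:method>GET</proxy:method><proxy:method>DELETE</proxy:method></proxy:actions>
  </proxy:policy>
 </proxy:mapping>
</proxy:proxy-rules>"""

APPROVED_HOSTS = {"rhel6.uk.ibm.com"}  # assumption: this site's approved targets

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" ElementTree prepends

def audit(xml_text, approved=APPROVED_HOSTS):
    """Return [(policy url, [issues])] for every policy that needs review."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        url = el.get("url", "")
        # endpoint:// policies point at configured endpoints; not judged here
        if local(el.tag) != "policy" or url.startswith("endpoint://"):
            continue
        parts = urlsplit(url)
        host = parts.hostname or ""
        methods = {m.text.strip().upper() for m in el.iter()
                   if local(m.tag) == "method" and m.text}
        issues = []
        if not host or "*" in host:
            issues.append("wildcard-target")      # no single host is pinned
        elif host not in approved:
            issues.append("host-not-approved")    # recommendation (2)
        if parts.scheme != "https":
            issues.append("not-https")            # recommendation (1)
            # assumption: basic-auth-support="true" relays credentials to the target
            if el.get("basic-auth-support") == "true":
                issues.append("basic-auth-without-tls")
        if methods - {"GET"}:
            issues.append("non-GET-methods")
        if issues:
            findings.append((url, issues))
    return findings
```

Calling audit() on the contents of the edited file before running updateBlobConfig lists every policy that still points outside the approved set.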

For more detail, please contact IBM.

Of course,  IBM Software Services for WebSphere (ISSW), the team for whom I work, can certainly help with this, if required.
