Hardening Connections – Part 1: IBM HTTP Server

Created: 26. October 2012
Last Update: 6. December 2021
Author: Christoph Stoettner
Read in about 2 min · 348 words

HCL Connections IBM HTTP Server Security

Fountain pen and a notebook — Photo by Aaron Burden | Unsplash

Preamble

Before i begin with my securing article, i want to say something on security on IBM Connections. Mainly i don’t like the thing, that IBM only support very special versions of software.

So we must use WebSphere 7.0.0.21, DB2 9.7.0.5, IHS 7.0.0.11 and so on. Each product had updates the last months and i think we won’t get support when we use other versions.

So i have to chances. On the first side i can update my software to limit vulnerabilities and get perhaps no support, or i will have vulerable software with support.

Just my 2 cent and i hope i will get answer, if i will get support with higher program versions.

SSL and IHS

One of our customers had a pentest the last months and had some vulnerabilities with IBM HTTP Server (IHS), which is used to access IBM Connections.

I used a 2048 Bit key for ssl which was generated with iKeyman, but the pentest doc told me, that short keys were used for encryption (smaller 112 bit). So i read a little bit.

This 2048 bit mean the public key of my hostkey. SSL uses this key to encrypt the connection between browser and webserver. Within the ssl handshake session keys are generated on basis of this hostkey. Browser and Server check which protocols are enabled on both sides and use one of the protocols both support.

You can check your SSL enabled server here: https://www.ssllabs.com/ssltest/index.html .

Information on ciphers with IHS: http://www-01.ibm.com/software/webservers/httpservers/doc/v10/ibm/9acdciph.htm

You can limit the available ciphers and protocols on your IBM HTTP Server.

First you should disable SSL v2: SSLProtocolDisable SSLv2

I configure the directives in my virtual hosts section:

Listen 0.0.0.0:443
ServerName  connections.example.com
SSLEnable
SSLProtocolDisable SSLv2
SSLCipherSpec 3A
SSLCipherSpec 34
SSLCipherSpec 35
SSLCipherSpec 2F
SSLCipherSpec 35b

Poorly TLS v1.1 and v1.2 support comes with IHS 8 and we can’t use it with IHS 7.

This is my first article on securing IHS and Connections. Next part will continue with IHS, i want to disable some parts, which comes with the default httpd.conf and are not used with connections.

Install IC4 Lotus Notes Plugins on Mac OS X 10.8.x

Daily Newsletter in IBM Connections 4

Author

Christoph Stoettner

I work at Vegard IT GmbH as a senior consultant with a focus on collaboration software, Kubernetes, security and automation. I mainly deal with HCL Connections, WebSphere Application Server, Kubernetes, Ansible, Terraform and Linux.

Sometimes my daily work results in technical talks and blog articles, which you can follow here more or less regularly. You can find the presentations in the main menu under public speaking .

I created a list of tools I use regularly, most of which have been released under an open source license.

In my spare time I read a lot, test all kinds of technical software and gadgets and try to follow about 200 RSS feeds.
Here you can find a collection of them.

This is my private blog, all opinions are my own.

Add a comment

Error

There was an error sending your comment, please try again.

Thank you!

Your comment has been submitted and will be published once it has been approved.

Your email address will not be published. Required fields are marked with ^*

Videostreaming in HCL Connections

In late 2021 I had an HCL Connections environment starting swapping, because the AppCluster used more than 30 GB of memory.

The system has

two nodes
is installed with the medium-sized deployment option
About 7500 users with a high adoption rate, because Connections is also used as intranet

Created: 7. March 2022
Last Update: 9. March 2022 Read in about 5 min

Upload Files via IBM HTTPServer (mod_ibm_upload) to HCL Connections

The last days I analyzed an issue, that file uploads to HCL Connections via IBM HTTPServer stopped working on a fresh installed 6.5CR1.

Today I configured a Connections 7 and tried with it. I think that the official documentation is old in some important parts for the upload configuration.

First of all my IBM HTTPServer 8.5.5.18 is not 32-bit like the documentation tells us:

Created: 26. April 2021
Last Update: 21. March 2022 Read in about 5 min

IBM Connections 6.0CR1 Allowlisting, CSS and Wiki TOC

So up to IBM Connections 6.0 everything was allowed until it was not excluded in one of the blocklist files. This files are stored within the Deployment Manager profile/config/cells/<cellname>/LotusConnections-config/extern. Now with Connections 6.0CR1 everything is forbidden, until it is enabled in the allowlist. This concept is rolled out for widgets (homepage and communities) and active content. Active content means HTML content too. So everything you or your users add to Connections (blog-posts, wiki pages) gets filtered during the save procedure. This removes all HTML tags and attributes which are not explicitly allowed!

Created: 31. January 2018
Last Update: 11. July 2022 Read in about 5 min