Cloud Platform


This is an IBM Automation portal for Cloud Platform products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.


Add a new idea Subscribe
Status Delivered
Workspace WebSphere Liberty
Created by Guest
Created on Aug 17, 2015

RELATED IDEAS

Request WLP and WLP IHS plugin to have built-in validation mechanism for 2-way SSL inbound request

We would like to request WLP and WLP IHS plugin to have built-in mechanism to verify if request information received by WLP is from trusted WLP IHS plugin and the information has not been altered during transmission.

Idea priority Urgent
RFE ID 75547
RFE URL
RFE Product WebSphere Application Server
  • Admin
    Alasdair Nottingham
    Reply
    |     Jun 4, 2021

    This should be achievable in 19.0.0.3 and later.



    Liberty 19.0.0.3 (and later) only accepts client certificate details in private/extension


    headers from an explicit list of trusted proxies. The "trustedSensitiveHeaderOrigin"


    attribute of the "httpDispatcher" configuration element names the peers these headers


    are trusted from.



    More details on "trustedSensitiveHeaderOrigin" is available here:


    https://www.ibm.com/support/pages/potential-websphere-application-server-problems-when-deployed-behind-websphere-aware-proxy-server



    Requiring (1-way) TLS for connections to the application satisfies the tampering concern.



    It is also possible to require TLS mutual authentication at the transport layer (between IHS and Liberty),


    which further limits what software/users from the trusted proxies can send requests to the server. This


    is accomplished via the "clientAuthentication" attribute of the "ssl" configuration element.


  • Guest
    Reply
    |     Sep 25, 2015

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - WebSphere
    Product family - Application Platform
    Product - WebSphere Application Server

    For recording keeping, the previous attributes were:
    Brand - WebSphere
    Product family - Application Servers
    Product - WebSphere Application Server

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.