May 22, 2014

Securing Maximo with SSL/HTTPS

By default, the Maximo installation configures unencrypted HTTP communication. This basic configuration may represent a security exposure, especially when the server is reachable from the public internet.

This article describes all the steps needed to enable HTTPS (SSL) communication for Maximo.
It comprises the following main steps.
  1. Creation of a self-signed certificate
  2. IBM HTTP Server configuration
  3. WebSphere configuration
  4. Adjust DocLinks settings

Create a self-signed certificate

Run the IBM Key Management utility: Start > Programs > IBM HTTP Server > Start Key Management Utility.
Click the Create a new key database file button.


Leave the default values and click OK. Take note of the key.kdb file path.



Enter a password and select the Stash password to a file option. Click OK.



Click the New Self-Signed... button.


Enter MX_SSL_KEY as the Key Label and leave the defaults for the other fields. Click OK to create the self-signed certificate.


Select Key Database File > Stash Password and close the IBM Key Management utility.





Web server configuration


Back up the C:\Program Files\IBM\HTTPServer\conf\httpd.conf file and open it with a text editor.

If you want to disable plain HTTP, remove or comment out the following line.

Listen 0.0.0.0:80


To enable HTTPS on the default port 443, paste the following lines.

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
 SSLEnable
</VirtualHost>
KeyFile "C:\IBM\HTTPServer\key.kdb"

Verify that the KeyFile path matches the key.kdb file you generated earlier.

Restart IBM HTTP Server using the following sequence.
  1. Stop Admin Server
  2. Stop HTTP Server
  3. Start Admin Server
  4. Start HTTP Server
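Before restarting the server, it is worth checking that httpd.conf actually contains the directives above and nothing that undoes them. The following Python linter is an added example, not part of the original article: it parses a constructed httpd.conf sample, confirms the SSL module, the port 443 Listen, SSLEnable inside the *:443 VirtualHost and a KeyFile are present, and flags a still-active port 80 Listen and a stray SSLDisable (the leftover discussed in the comments below).

```python
"""Lint an IBM HTTP Server httpd.conf for the HTTPS settings described above."""
import re

# Constructed sample: the article's snippet with port 80 still listening
# and a stray SSLDisable appended, so both leftovers are reported.
SAMPLE_HTTPD_CONF = """\
Listen 0.0.0.0:80
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 0.0.0.0:443
<VirtualHost *:443>
 SSLEnable
</VirtualHost>
KeyFile "C:\\IBM\\HTTPServer\\key.kdb"
SSLDisable
"""


def active_lines(conf):
    """Yield directive lines with comments and blank lines stripped."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def check_https_config(conf):
    """Return a list of findings; an empty list means the config matches the article."""
    findings = []
    lines = list(active_lines(conf))
    if not any(re.match(r"LoadModule\s+ibm_ssl_module\b", l) for l in lines):
        findings.append("mod_ibm_ssl is not loaded")
    if not any(re.match(r"Listen\s+(\S+:)?443$", l) for l in lines):
        findings.append("no Listen directive for port 443")
    # SSLEnable only takes effect for HTTPS when it sits inside the *:443 VirtualHost
    in_vhost = ssl_in_vhost = False
    for l in lines:
        if re.match(r"<VirtualHost\s+[^>]*:443>", l, re.I):
            in_vhost = True
        elif l.lower() == "</virtualhost>":
            in_vhost = False
        elif l.lower() == "sslenable" and in_vhost:
            ssl_in_vhost = True
    if not ssl_in_vhost:
        findings.append("SSLEnable missing from the *:443 VirtualHost")
    if not any(l.startswith("KeyFile") for l in lines):
        findings.append("no KeyFile directive")
    # Leftovers that should be gone once HTTPS is the only entry point
    if any(re.match(r"Listen\s+(\S+:)?80$", l) for l in lines):
        findings.append("plain HTTP still enabled on port 80")
    if any(l.lower() == "ssldisable" for l in lines):
        findings.append("stray SSLDisable directive")
    return findings
```

Run it against your real file with `check_https_config(open(path).read())` and fix every finding before the restart sequence above.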


WebSphere configuration

Log in to the WebSphere ISC console and navigate to Environment > Virtual Hosts > maximo_host > Host Aliases.
Verify that port 443 is present and add it if missing. You may also wish to remove port 80 and any other unused ports.

Navigate to Servers > Server Types > Web servers. Select webserver1 and click Generate Plug-in. Select webserver1 again and click Propagate Plug-in.
Still in the ISC console, restart MXServer under Servers > Server Types > WebSphere application servers.

Verify the connection by logging in at https://[MXHOST]/maximo, where [MXHOST] is the host name of the HTTP server. Your server is now running over SSL.


Adjust DocLinks settings

The last step is to change the URL that Maximo generates to display attachments.
Log in as maxadmin and modify the mxe.doclink.path01 System Property to replace http:// with https://.
Do a Live Refresh of this property and test by downloading an attachment.


References

Enabling SSL in IBM SmartCloud Control Desk
Guide to properly setting up SSL within the IBM HTTP Server
Enable HTTPS in WebSphere for Maximo, SCCD, TSRM, and Tririga

24 comments:

  1. Hi,

    Is it possible to configure Maximo on HTTP/HTTPS both at the same time?

    Thanks
    Ritesh

    Replies
    1. Hi Ritesh, were you able to do this? I am looking for the same requirement.

    2. Hi Madhav,
      Configuring the Maximo application on HTTP/HTTPS can be done, but not attachments and reports. Since these two URLs are defined in System Properties, you need to keep them as either an HTTP or an HTTPS URL.

      Also if you have any other views on this, let me know.
      Thanks.

    3. Thanks Ritesh. Were you able to enable HTTP and HTTPS on a clustered environment?

    4. Yes. That can be done, but attachments and reports need to stay on either HTTP or HTTPS.

    5. Thanks Ritesh. Is it possible to share the procedure with me? Thanks.

  2. Hello Bruno!
    I think there is some mistake in the next part:
    *****
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 0.0.0.0:443

    SSLEnable

    KeyFile "C:\IBM\HTTPServer\key.kdb"
    SSLDisable
    ****
    Because there is no need for "SSLDisable". The original article on the IBM site doesn't have this line.
    Isn't it?

    Replies
    1. You are right. I have fixed the snippet.
      Thank you.

  3. Hi Bruno,

    In the above configuration, if I type https://[MXHOST]/ it is fetching all the files and folders in the doclinks even without logging in. Any advice?

    Replies
    1. Create an index.html file that redirects the user to /maximo

  4. This is extracted from the 'TPAE SECURITY WHITEPAPER' I'm going to publish soon.

    Maximo has a useful feature that allows attaching documents to several kinds of objects through the web interface. These files are typically stored on a shared filesystem that is accessible from the web servers and application servers that comprise the system. Those servers are typically shielded from the outside world by a firewall that blocks any access to the NFS/SAMBA protocols used to access those filesystems. However, there are two important tips to prevent access to the attached files through the web server:
    Disable HTTP directory listing - http://www.ibm.com/support/docview.wss?uid=swg21296739
    This technique is simpler and just prevents listing all the attached files stored on the server by simply typing the hostname of the server in the web browser (e.g. http://mxhost). When HTTP directory listing is disabled, an attacker can retrieve attachments only if he knows exactly the file name (e.g. http://mxhost/attachments/myfile.doc).

    Secure attachment links - http://www.ibm.com/support/docview.wss?uid=swg21628427
    The second technique generates a very complex URL for each file so that it is practically impossible to find it. The only drawback of this technique is that it adds a little additional workload on the application servers and may be a little hard to debug in case of problems. The decision to apply it or not depends on the kind of attachments that will be stored and the required security level.

    Replies
    1. Hi Bruno,

      If we have a customer Maximo installation so that intranet users use Maximo with HTTP and users coming from outside (from the Internet) use HTTPS, is there

      (1) any kind of mechanism to prevent any user from accessing any document from the attachment folder even if the user knows the URL exactly, so as to force the user to be authenticated before seeing the document
      (2) so that it also works if both protocols (http/https) are used simultaneously

      Paavo

  5. Hi
    I have done the above. BUT how do I get rid of the security screen before the Maximo logon screen?

    The security certificate presented by this website was not issued by a trusted certificate authority.

    The security certificate presented by this website was issued for a different website's address.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

    We recommend that you close this webpage and do not continue to this website.

    Recommended Click here to close this webpage.

    Not recommended Continue to this website (not recommended).

    More information

    Replies
    1. Is this the process

      https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Anything%20about%20Tivoli/page/Enable%20HTTPS%20in%20WebSphere%20for%20Maximo,%20SCCD,%20TSRM,%20and%20Tririga

      that I need to follow to remove the web page that displays the following message before the Maximo logon screen appears

      The security certificate presented by this website was not issued by a trusted certificate authority.

  6. There is also another website that describes this SSL process but uses
    - Key database type: JKS

    https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Anything%20about%20Tivoli/page/Enable%20HTTPS%20in%20WebSphere%20for%20Maximo,%20SCCD,%20TSRM,%20and%20Tririga

    What is the best solution to use? The one on this web page or the other one above?

  7. So I'm having a little issue with this. First, we have a legitimate CA certificate we'd like to use instead of a self-signed one. Secondly, why are we editing the conf for "webserver1" and not "MXServer"? Currently we have "webserver1" running on port 80 and "MXServer" running on all its ports (9080, 9443, etc). Ideally I'd like to have Maximo run on port 443 so that users can simply put in the url without a port number (since 443 is default) and even more ideally, have port 80 (http non-ssl requests) redirect to port 443 as ssl request. Is this possible in WebSphere 8.5 and Maximo 7.6?

    Replies
    1. From the WebSphere console go to
      1. Servers > Server Types > Web servers
      2. Click on webserver1
      3. Change the Port from 80 to 443
      4. Click Apply and save

      1. Environment > Virtual Hosts
      2. Click on maximo_host
      3. Click the Host Aliases
      4. Change the port from 80 to 443
      5. Delete port 9080
      6. Click OK and save

  8. Hi Bruno,
    After applying the changes as suggested above and if I try to login to the application by accessing the url https://[HOSTNAME]/maximo, I get an error
    The requested URL /maximo was not found on this server
    and in the HTTPServer error log it shows File does not exist: //HOSTNAME/doclinks/maximo.
    Any recommendations please?

  9. Cyber security is one of the most important measures that we should consider. Thanks for the great piece of content. The info is great. I would also recommend a website https://mysslonline.com to people who want to know more about SSL certificates.

  10. Hi Bruno,
    First I'd like to thank you for the instruction. I've successfully done this for my testing system (internal IP address; I can access my testing system via HTTPS by internal IP now). Now I'd like to make it public (access my testing system via the internet by a domain name). I have a domain name, which points to a public and static IP address and then redirects to my internal IP address. I cannot get access to my system via the internet and the domain name or public IP address by HTTPS (I can still access it by HTTP). Please instruct me how to do that. Thanks a lot.

  11. Can you speak to what needs to be changed for SSL with the MIF and things like Web Services? Do we need to change things like the mxe.int.webappurl to be an https URL and away from port 9080?