Restricting external access to your servers

Update the CRE Proxy policy in IBM Connections to prevent man-in-the-middle attacks by limiting where requests from widgets can flow.

About this task

API calls from widgets route requests to the appropriate servers using routing rules that are defined in the proxy policy of the Widget database table. As an extra layer of protection against a man-in-the-middle attack (in which a widget is tricked into loading potentially malicious code from a server that is not a Connections server), you can update the proxy policy to restrict which servers each widget can access.

Previous versions of Connections used a default setting that allowed external applications to access any server, although administrators have always been able to provide further restrictions. Starting with HCL Connections 6.0, the default setting limits access to only Connections servers.

Important: You must complete this procedure to apply the new default setting to your Connections deployment.

You can modify the default setting by updating the proxy policy defined in the Widget database table as explained in the following procedure. You can also use the commands in setNewWidgetPolicy.py as a template to update any custom widgets. For more information on modifying widgets, see Gadget registration commands.

There are three ways to route requests from widgets:
  • Custom: (New default setting) Widgets can only access Connections servers. You can further limit this setting with a rule set that specifies exactly which servers can be accessed by each widget.
  • External_only/Internet: Widgets cannot access your intranet servers. This is useful for managing requests from external gadgets that are hosted by third-party applications.
  • All servers: Widgets can access all of the servers in your deployment. Prior to V6.0, this was the default setting. Complete the steps that follow to update your deployment to the more secure Custom setting.

Procedure

Update the proxyPolicy setting by completing the following steps.
  1. Install the APAR LO92151 fix, which enables the new default setting. For information on updating your Connections deployment, see the technote Update strategy for IBM Connections 6.0.
  2. On the deployment manager, open a command prompt and change to the following directory:
    app_server_root/profiles/dm_profile_root/bin

    where dm_profile_root is the Deployment Manager profile directory; this directory is usually called Dmgr01. For example, on Windows, the directory is C:\Program Files\IBM\WebSphere\AppServer\profiles\Dmgr01\bin.

  3. Run the following command to export the Widget table in JSON format.
    ./wsadmin.sh -lang jython -user admin_user_id -password admin_password -f browseWidgets.py
  4. Save a copy of the exported information so you can use it in step 6.
  5. Run the following command to update the proxyPolicy field for all widgets that were provided by Connections.
    ./wsadmin.sh -lang jython -user admin_user_id -password admin_password -f setNewWidgetPolicy.py
  6. Run the following command and then compare the output with the information you saved in step 4. Verify that only the proxyPolicy field was updated and that custom widgets were not modified.
    ./wsadmin.sh -lang jython -user admin_user_id -password admin_password -f browseWidgets.py
  7. Restart WidgetContainer.ear so your changes can take effect.
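The comparison in step 6 is easy to get wrong by eye when the Widget table is large. The following is an added Python example, not part of the original documentation or of the browseWidgets.py/setNewWidgetPolicy.py scripts, that diffs the export saved in step 4 against the export taken in step 6 field by field. It assumes the export is a JSON array of widget records with a widgetId key and a proxyPolicy field, assumes the policy values all and custom, and uses a hypothetical list of Connections-provided widget IDs; the sample exports are constructed. Adjust the field names, values and widget list to what your export actually contains.

```python
"""Verify that only proxyPolicy changed, and only on Connections widgets."""
import json

# Constructed sample exports standing in for the browseWidgets.py output
# saved in step 4 (BEFORE) and taken in step 6 (AFTER). The field names
# "widgetId"/"proxyPolicy" and the values "all"/"custom" are assumptions.
BEFORE_JSON = """[
  {"widgetId": "Profiles",          "proxyPolicy": "all", "url": "https://connections.example.com/profiles/widget.xml"},
  {"widgetId": "Activities",        "proxyPolicy": "all", "url": "https://connections.example.com/activities/widget.xml"},
  {"widgetId": "CustomSalesGadget", "proxyPolicy": "all", "url": "https://apps.example.com/sales/gadget.xml"}
]"""

# Expected outcome: Connections widgets moved to "custom", custom widget untouched.
AFTER_JSON = """[
  {"widgetId": "Profiles",          "proxyPolicy": "custom", "url": "https://connections.example.com/profiles/widget.xml"},
  {"widgetId": "Activities",        "proxyPolicy": "custom", "url": "https://connections.example.com/activities/widget.xml"},
  {"widgetId": "CustomSalesGadget", "proxyPolicy": "all",    "url": "https://apps.example.com/sales/gadget.xml"}
]"""

# Constructed bad outcome: a custom widget was modified and a URL changed.
BAD_AFTER_JSON = """[
  {"widgetId": "Profiles",          "proxyPolicy": "custom", "url": "https://connections.example.com/profiles/widget.xml"},
  {"widgetId": "Activities",        "proxyPolicy": "custom", "url": "https://evil.example.net/activities/widget.xml"},
  {"widgetId": "CustomSalesGadget", "proxyPolicy": "custom", "url": "https://apps.example.com/sales/gadget.xml"}
]"""

# Hypothetical list of the widgets setNewWidgetPolicy.py is expected to touch.
CONNECTIONS_WIDGETS = {"Profiles", "Activities"}


def index_by_id(export_json, key="widgetId"):
    """Parse an export into {widget id: record}; duplicate ids are an error."""
    records = {}
    for rec in json.loads(export_json):
        wid = rec[key]
        if wid in records:
            raise ValueError("duplicate widget id in export: %s" % wid)
        records[wid] = rec
    return records


def compare_exports(before_json, after_json, connections_widgets,
                    expected_policy, key="widgetId", policy_field="proxyPolicy"):
    """Return a report of every difference between the two exports.

    ok is True only when: no widget was added or removed, every Connections
    widget now carries expected_policy and changed in no other field, and no
    widget outside connections_widgets changed at all.
    """
    before = index_by_id(before_json, key)
    after = index_by_id(after_json, key)
    report = {
        "missing": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "unexpected_changes": {},  # Connections widget -> changed fields other than proxyPolicy
        "custom_modified": [],     # non-Connections widgets with any change
        "not_updated": [],         # Connections widgets not on expected_policy
        "policy_updates": {},      # Connections widget -> (old, new)
    }
    for wid in sorted(set(before) & set(after)):
        b, a = before[wid], after[wid]
        changed = sorted(f for f in set(b) | set(a) if b.get(f) != a.get(f))
        if wid not in connections_widgets:
            if changed:
                report["custom_modified"].append(wid)
            continue
        other = [f for f in changed if f != policy_field]
        if other:
            report["unexpected_changes"][wid] = other
        if policy_field in changed:
            report["policy_updates"][wid] = (b.get(policy_field), a.get(policy_field))
        if a.get(policy_field) != expected_policy:
            report["not_updated"].append(wid)
    report["ok"] = not (report["missing"] or report["added"]
                        or report["unexpected_changes"]
                        or report["custom_modified"] or report["not_updated"])
    return report


if __name__ == "__main__":
    for label, after in (("expected", AFTER_JSON), ("bad", BAD_AFTER_JSON)):
        rep = compare_exports(BEFORE_JSON, after, CONNECTIONS_WIDGETS, "custom")
        print("%s run: ok=%s" % (label, rep["ok"]))
        for k, v in sorted(rep.items()):
            if k != "ok" and v:
                print("  %s: %s" % (k, v))
```

In practice, redirect the two browseWidgets.py runs to files and load them in place of the constructed strings. Anything reported under custom_modified or unexpected_changes means setNewWidgetPolicy.py touched something it should not have; review those widgets before restarting WidgetContainer.ear.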