Security hardening for production
Hardening is the set of measures that you take to reduce the exposure of a production system to threats and to limit the damage that a successful attack can do. Harden your Open Liberty server configuration, application configuration, and network to reduce vulnerabilities and prevent security intrusions.
Different types of security intrusions threaten different parts of your system, and each part can be made less vulnerable by following the best practices for it. Security intrusions and vulnerabilities fall into the following groups:
Server configuration
Operating system intrusions occur when a user or process with local access attempts to cause damage or extract sensitive information. Malware is one example: if malware is introduced into the system, unauthorized users might be able to read or modify the server configuration and its contents. For more information, see Server configuration security hardening.
Server configuration hardening best practices
Network
Network intrusions occur when unauthorized users monitor or alter network traffic. Replay attacks and man-in-the-middle (MITM) attacks are two examples of network intrusions. For more information, see Network security hardening.
Network hardening best practices
In container environments, isolate workloads from one another across a cluster of nodes.
Follow Lightweight Third-Party Authentication (LTPA) single sign-on (SSO) best practices.
Restrict the number of sessions that can be created for applications that use in-memory sessions.
If you use IBM HTTP Server, secure access to the Open Liberty JMX connector.
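The following server.xml fragment is an added example, not part of this page or of the Open Liberty project's own documentation, that applies the LTPA, in-memory session, and JMX connector points from the preceding list together. The element and attribute names are Open Liberty server configuration; the feature versions, the keys file path, the user name admin, and the ${env.*} variables are assumptions chosen for illustration.

```xml
<!-- server.xml: added hardening example, not from the Open Liberty documentation.
     Element and attribute names are Open Liberty server configuration as documented;
     the feature versions, the LTPA keys path, the user name "admin", and the
     ${env.*} variables are illustrative assumptions. -->
<server description="hardened production server">
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>appSecurity-3.0</feature>
    <feature>transportSecurity-1.0</feature>
    <feature>restConnector-2.0</feature>
  </featureManager>

  <!-- Network: listen on TLS only. httpPort="-1" disables the plain HTTP port. -->
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="-1" httpsPort="9443" />

  <!-- LTPA single sign-on. By default the keys are generated on first start and
       the token expires after 120 minutes. Here the keys are supplied from a
       protected file and the password from the environment, so the same keys
       can be shared across servers without embedding the password in config. -->
  <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
        keysPassword="${env.LTPA_KEYS_PASSWORD}"
        expiration="60m" />

  <!-- Send the LTPA cookie only over TLS and keep it out of reach of scripts. -->
  <webAppSecurity ssoRequiresSSL="true"
                  httpOnlyCookies="true" />

  <!-- In-memory sessions. The defaults are maxInMemorySessionCount="1000" with
       allowOverflow="true", which means the count is not actually enforced.
       allowOverflow="false" makes the server refuse to create sessions above the
       cap instead of letting a client exhaust the heap by opening sessions. -->
  <httpSession maxInMemorySessionCount="1000"
               allowOverflow="false"
               invalidationTimeout="30m"
               cookieSecure="true"
               cookieHttpOnly="true" />

  <!-- The JMX REST connector (restConnector-2.0) is served on the HTTPS endpoint;
       only users in the administrator role can use it. The basicRegistry is for
       illustration only; production deployments normally use LDAP or another
       registry, and the password is never stored in clear text in server.xml. -->
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="admin" password="${env.ADMIN_PASSWORD}" />
  </basicRegistry>
  <administrator-role>
    <user>admin</user>
  </administrator-role>
</server>
```

The two settings that change behavior rather than only tightening a default are allowOverflow="false", without which the session count is a soft target, and httpPort="-1", which removes the unencrypted listener so that neither LTPA cookies nor JMX credentials can be sent in clear text. Keep the LTPA keys file readable only by the user that runs the server, because anyone who holds the keys and their password can mint SSO tokens for any user.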
Application configuration
Application configuration intrusions occur when external users run applications that derive or inherit privileges that they are not authorized to have. For example, an application that runs under the identity of the server inherits the server's permissions, which are typically broader than the application needs. For more information, see Application configuration security hardening.
Liberty CIS benchmarks
The Center for Internet Security (CIS) benchmarks are consensus-based configuration standards for securing networked systems in line with established best practices for security and privacy. Open Liberty maintains security hardening guidelines that comply with the CIS benchmark standards.
You can access the benchmarks on the CIS IBM WebSphere Benchmarks page. Complete the information form to download the benchmarks.
If you have a free CIS user account, you can open tickets to address any questions or concerns with the benchmarks in the Liberty benchmarks user portal.