The following general information describes the requirements for configuring your application server environment. By default, the settings available from WebSphere® Application Server are sufficient for general usage. Refer to the WebSphere Application Server documentation for general set-up. For the basic architecture of Leap, see Leap Basic Architecture.
Security: Standard web application security practices apply to a Leap deployment. Leap provides application-level security, but it relies on the server environment for the remaining controls (transport security, cookie handling, response headers, and patching).
- Ensure that your information is secure by using SSL (TLS) whenever possible. Three paths must be secured: communication between the web browser and Leap, the calls Leap makes to service descriptions and web services through the HTTP Service Transport, and the JDBC connection between Leap and the Leap database.
- Configuring HTTP Strict Transport Security (HSTS) instructs browsers to connect to your application environment only over SSL, so a user who types a plain http:// address is not sent over an unencrypted connection.
- Mark cookies as HttpOnly whenever possible so that they cannot be read by JavaScript, especially session and authentication cookies (LTPA tokens). Where the site is served over SSL, also set the Secure attribute so the cookies are never sent over plain HTTP.
- Restrict the ability to place Leap content in an iframe if embedding is not part of your planned integration. Adding HTTP headers such as X-Frame-Options or a Content-Security-Policy frame-ancestors directive provides an extra layer of protection against clickjacking.
- Use IBM HTTP Server as a front-end server to prevent direct access to the Application Server environment. A front-end server also allows for clustering through the WebSphere Application Server plug-in.
- Keep your system updated with all security and maintenance patches to ensure a safe and stable environment. Watch for security bulletins in the HCL Support Portal, or subscribe to My Notifications for updates.
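The header-related points in the list above (HSTS, HttpOnly and Secure cookies, and framing restrictions) can be verified against what the server actually returns. The following is an added example, not code from Leap, WebSphere, or this documentation: a small Python audit that parses the head of an HTTP response and reports a missing or too-short Strict-Transport-Security header, Set-Cookie lines (such as LtpaToken2 or JSESSIONID) that lack HttpOnly or Secure, and the absence of both X-Frame-Options and a Content-Security-Policy frame-ancestors directive. Both sample responses are constructed for the example rather than captured from a real server, and the 180-day minimum max-age is an assumed threshold, not a Leap requirement.

```python
import re
from typing import List, Tuple

# Constructed sample responses for the example; not captured from a real Leap server.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: LtpaToken2=abc123; Path=/; Domain=.example.com\r\n"
    "Set-Cookie: JSESSIONID=0000xyz:1; Path=/\r\n"
    "\r\n"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "Set-Cookie: LtpaToken2=abc123; Path=/; Domain=.example.com; Secure; HttpOnly\r\n"
    "Set-Cookie: JSESSIONID=0000xyz:1; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

# Assumed threshold: 180 days in seconds.
MIN_HSTS_AGE = 15552000


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs with lower-cased names.
    Repeated headers such as Set-Cookie are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw: str, min_hsts_age: int = MIN_HSTS_AGE) -> List[str]:
    """Return a list of findings for the response; an empty list means all checks passed."""
    headers = parse_headers(raw)
    findings = []

    # 1. HSTS must be present and its max-age must meet the minimum.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) < min_hsts_age:
            findings.append(f"Strict-Transport-Security max-age below {min_hsts_age}")

    # 2. Every cookie the server sets must carry HttpOnly and Secure.
    for n, v in headers:
        if n != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")

    # 3. Framing must be restricted by X-Frame-Options or a CSP frame-ancestors directive.
    xfo = [v for n, v in headers if n == "x-frame-options"]
    csp = [v for n, v in headers if n == "content-security-policy"]
    if not xfo and not any("frame-ancestors" in v.lower() for v in csp):
        findings.append("no X-Frame-Options or CSP frame-ancestors directive")

    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "OK")
```

In practice, feed audit_response the head of a response captured from the IBM HTTP Server front end (for example with curl -sI) rather than the constructed samples. On an Apache httpd-based front end such as IBM HTTP Server, the HSTS and framing headers are normally added with mod_headers directives of the form Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains". The HttpOnly and Secure attributes on the LTPA cookie, by contrast, are controlled by the WebSphere single sign-on (SSO) configuration rather than by the web server, so a failing cookie check points at the application server settings.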
For more WebSphere Application Server information, see the WebSphere Application Server documentation and Advanced Security Hardening in WebSphere Application Server.