Hardening Loadbalancer with webMethods API Portal

webMethods API Portal tutorial

The previous article covered the role of the LoadBalancer component in API Portal. As stated there, it is the only component in the API Portal stack that faces external end users, which makes the LoadBalancer a target for external attacks. This article explores the options for hardening the security of the LB.

Enforce HTTPS only

The default installation of API Portal configures the loadbalancer component with an HTTP port (18101) and an HTTPS port (18102), so with the default settings users can access API Portal on both ports. With this recommendation you can accept only HTTPS traffic from the outside world: when someone tries to access the portal on the HTTP port (18101), the loadbalancer responds with a redirect (301) to the HTTPS port (18102).

reconfigure loadbalancer_s +HTTPD.EnforceHTTPS=true

HTTP Strict Transport Security(HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should interact with it using only secure HTTPS connections.

reconfigure loadbalancer_m HTTPD.header.Strict-Transport-Security=\"max-age=12614400; includeSubDomains\"

With this change, whenever the portal is accessed, the response contains the "Strict-Transport-Security" header.

SSL Protocols

SSL stands for Secure Sockets Layer and was originally created by Netscape. SSLv2 and SSLv3 are the two versions of this protocol. After SSLv3, SSL was renamed to TLS. TLS stands for Transport Layer Security and started with TLSv1.0, which is an upgraded version of SSLv3. The current default setting of the LB with API Portal disables all currently known weak protocols (SSLv2, SSLv3, TLS 1.0) but leaves TLS 1.1 enabled (it is not yet known to be insecure) so as not to break support for old clients.

reconfigure loadbalancer_s +HTTPD.SSLProtocol="all -SSLv2 -SSLv3 -TLSv1"

If you would like to alter the default settings, use the command above and remove any specific protocol that you want to avoid.

SSL Ciphersuites

Default setting will disable all currently known weak ciphers from the HIGH ciphers list.

reconfigure loadbalancer_s +HTTPD.SSLCipherSuite="HIGH:!aNULL:!MD5:!IDEA:!3DES" 

You can view the list of ciphers supported in the HIGH configuration using the openssl command below:

openssl ciphers HIGH

The list is attached here.

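You can view the list of ciphers supported with the default configuration (HIGH:!aNULL:!MD5:!IDEA:!3DES). The cipher string is single-quoted so that an interactive shell does not treat "!" as history expansion: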

openssl ciphers 'HIGH:!aNULL:!MD5:!IDEA:!3DES'

The list is attached here.

X-FRAME-OPTIONS

The value of this parameter is used as the value of the X-FRAME-OPTIONS header. According to the spec of the X-FRAME-OPTIONS header, it can be set to the following (categories of) values:

  • DENY (prevent any embedding)
  • SAMEORIGIN (allow embedding only from the same origin (i.e., same server))
  • ALLOW-FROM <uri> (only allow embedding from the specified URI). NOTE: this is not supported by many browsers; in particular, Chrome completely ignores it, so setting the header to such a value will not protect users of such browsers from clickjacking.

There is no explicit value for the header to indicate that embedding should be allowed from any origin. Therefore, the parameter supports a special value "ALLOWALL" (case-sensitive). If set to this value, NO X-FRAME-OPTIONS header will be set, and any X-FRAME-OPTIONS header set by any downstream application will be UNset(!).

The default value is ALLOWALL. You can modify it by running:

reconfigure loadbalancer_s HTTPD.header.X-FRAME-OPTIONS=SAMEORIGIN
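
To confirm that the settings above took effect, the responses from both listeners can be audited for the 301 redirect, the HSTS header and the X-FRAME-OPTIONS value. The following is an added example, not part of the original tutorial or of the product; the host name portal.example.test and the sample responses are constructed, and in practice you would fill them from a HEAD request to ports 18101 and 18102.

```python
# Constructed sample responses: listener -> (status code, response headers).
BEFORE = {"http": (200, {"Content-Type": "text/html"}),
          "https": (200, {"Content-Type": "text/html"})}
AFTER = {"http": (301, {"Location": "https://portal.example.test:18102/"}),
         "https": (200, {"Strict-Transport-Security":
                         "max-age=12614400; includeSubDomains",
                         "X-Frame-Options": "SAMEORIGIN"})}


def parse_hsts(value):
    """Return (max_age_seconds or None, include_subdomains) for an HSTS value."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdecimal():
            max_age = int(arg)
        elif name.strip().lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains


def audit(responses):
    """List the hardening gaps visible in the two listeners' responses."""
    findings = []
    # Header names are case-insensitive, so normalise them before lookup.
    lowered = {k: (s, {n.lower(): v for n, v in h.items()})
               for k, (s, h) in responses.items()}
    status, headers = lowered["http"]
    if status != 301 or not headers.get("location", "").lower().startswith("https://"):
        findings.append("http listener does not redirect (301) to https")
    _, headers = lowered["https"]
    max_age, _ = parse_hsts(headers.get("strict-transport-security", ""))
    if not max_age:
        findings.append("Strict-Transport-Security missing or max-age is 0")
    xfo = headers.get("x-frame-options", "").strip().upper()
    if not xfo:
        findings.append("X-Frame-Options absent (the ALLOWALL default)")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by Chrome")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options has an unrecognised value")
    return findings


if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(sample) or "no findings")
```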