Secure Communications Between Browsers and the ibi WebFOCUS Client Using HTTPS and HSTS

This best practice addresses the need to secure connections between the browsers of WebFOCUS users and the WebFOCUS Client to ensure the confidentiality, authenticity, and integrity of all communications. It can be applied by a WebFOCUS administrator.

Overview

Hypertext Transfer Protocol Secure (https) carries HTTP over the Transport Layer Security (TLS) protocol, formerly known as Secure Sockets Layer (SSL), and establishes a secure connection between users and the WebFOCUS Client. It adds confidentiality, integrity, and authenticity to communications by:

  • Encrypting any communication between browsers assigned to end users and the WebFOCUS Client.
  • Ensuring that any data sent between browsers and the WebFOCUS Client is not tampered with or modified in any way.
  • Validating that a user is communicating directly with the WebFOCUS Client and not with an impostor.

An HTTP Strict Transport Security (HSTS) policy is a security enhancement declared by a server that requires the https protocol for all incoming requests. When this policy is in place, the server that hosts a website responds to the first request from a browser that does not use the https protocol by returning a response whose header contains the Strict-Transport-Security field. The presence of this field tells the browser that the server will not accept any further requests from it that do not arrive over an https connection.

The header can also state the period, typically 1 year, for which the policy is enforced. Any subsequent request from that browser that does not use the https protocol receives an error message in response.

When the browser receives a response header containing a Strict-Transport-Security field, it uses the https protocol for all future requests to that site. The browser also treats any other site with the same name that does not require https as illegitimate, and it automatically redirects such requests to the site that does require the https protocol.
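The browser-side behaviour described above, as an added example that is not part of the WebFOCUS documentation or product: a small Python model of the "known HSTS hosts" cache a browser keeps. It parses the Strict-Transport-Security header, accepts it only when the response arrived over https (RFC 6797 requires browsers to ignore the header on plain-http responses, so HSTS takes hold only once the site is already reachable over TLS), rewrites later http:// requests to https:// inside the browser, expires the policy when the stated lifetime runs out, and includes a checker an administrator can run on the header value a server actually returns. The host names, header values and the check_server_header thresholds are constructed for the example.

```python
# Browser-side model of HTTP Strict Transport Security (RFC 6797). Added example,
# not WebFOCUS code: the "known HSTS hosts" cache a browser keeps, plus a checker
# for the header a server emits. Host names and header values are constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000  # seconds; the "typically 1 year" policy lifetime mentioned above


@dataclass
class HstsPolicy:
    max_age: int             # seconds the browser must keep the policy
    include_subdomains: bool
    expires_at: float        # epoch seconds at which the policy lapses


def parse_sts_header(value: str, now: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None means no usable policy."""
    # max-age is required and may appear only once; unknown directives such as
    # preload are ignored so that extensions do not break older browsers.
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", arg):
                return None  # duplicated or non-numeric max-age: reject the header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, now + max_age)


class HstsCache:
    """The browser's list of known HSTS hosts."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, url: str, headers: Dict[str, str], now: float) -> bool:
        """Learn a policy from a response; True if the cache changed. The header
        is trusted only when it arrived over TLS (RFC 6797 s8.1)."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        sts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
        if sts is None:
            return False
        policy = parse_sts_header(sts, now)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy.max_age == 0:  # max-age=0 is how a server withdraws an earlier policy
            return self._policies.pop(host, None) is not None
        self._policies[host] = policy
        return True

    def is_known_host(self, host: str, now: float) -> bool:
        """Exact host always matches; a parent domain matches only with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue  # unknown or expired
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_request(self, url: str, now: float) -> str:
        """Upgrade an http:// request to a known host inside the browser, before
        any plaintext request is sent (RFC 6797 s8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known_host(parts.hostname, now):
            return url
        # An explicit :80 becomes :443; any other explicit port is preserved.
        netloc = f"{parts.hostname}:443" if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def check_server_header(value: str) -> List[str]:
    """Findings an administrator would want about the header the server sends."""
    policy = parse_sts_header(value, now=0.0)
    if policy is None:
        return ["header has no valid max-age, browsers will ignore it"]
    findings: List[str] = []
    if policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below the one-year value commonly used")
    if not policy.include_subdomains:
        findings.append("includeSubDomains is absent, so hosts under this domain are not covered")
    return findings
```

On Apache Tomcat the header is usually produced by the container's own HttpHeaderSecurityFilter (init parameters hstsEnabled and hstsMaxAgeSeconds); that is a Tomcat feature rather than something this page configures, and check_server_header can be run against whatever value the server actually returns.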

By imposing this policy within a WebFOCUS Security Zone, you introduce this extra level of security to all communications between users in that zone and the Application Server. The policy ensures that all communications within that zone use the https protocol and are therefore encrypted and validated by a public key certificate. It also helps prevent requests from users in that zone from being inadvertently misdirected to an illegitimate site that does not require the https protocol.

Best Practice

We recommend that you establish secure connections between all browsers assigned to end users, the WebFOCUS Client, and any other server that requires a secured connection. We also recommend that you establish the HTTP Strict Transport Security (HSTS) policy for all users.

Configuring SSL/TLS is a detailed process that must be carried out carefully to produce a secure deployment. If you are using Apache Tomcat as your web server, follow the procedures in the Configure WebFOCUS for SSL topics in the Security and Administration technical content. If you are using a web server from a different vendor, follow that vendor's instructions for configuring SSL/TLS on that server.

Additional Resources

For more information, see the ibi™ WebFOCUS® Security and Administration technical content.