Deployment recommendations
Before deploying an IBM® WebSphere® sMash application into production, several steps are recommended to secure and protect your application.
The level of security and testing required depends greatly on the type of environment into which the application is deployed. For example, an internal department-level application will not require the same level of security and testing as a publicly available, internet-facing application. However, the following recommendations apply to all applications, whether the application serves a small internal user population or a large internet user population.
Remove WebTools
The zero.core.webtools package can be very helpful when developing an application. Its tools provide more advanced, developer-focused error pages, a virtualized directory browser, and a user registry editor.
These tools, while useful for a developer, are usually not appropriate for users, so it is recommended that you remove the dependency from your application before deployment.
Runtime Mode
There are two basic runtime modes for an application, "development" and "production", which are controlled through the configuration of your application. Changing this value to "production" adjusts some of the recycle parameters to be more appropriate for a production application. For example, the default values for idle timeout and maximum requests become 10 minutes and 10,000 requests, respectively. These values suit the usage pattern of an always-available application with multiple users better than the values used in development mode, where the application is recycled much more often.
Add the following to the configuration of your application.
/config/runtime/mode = "production"
Securing Management URIs
By default, the URIs used for the management functions are accessible to any web client from any IP address. This behavior makes sense during development, where control of the application from the development tools could come from multiple development workstations.
When an application is deployed, however, it is suggested that these URIs be secured so that management commands can be accessed only by trusted clients. This prevents unauthorized clients from performing management commands, such as shutting down the application. The following configuration stanza protects the management URIs so that they can be accessed only from the machine hosting the application.
# Security for Management REST APIs
@include "security/requirelocalhost.config"{
    "conditions" : "/request/path =~ /opsmanager(/.*)?",
    "requireLocalhost": true
}
@include "security/requirelocalhost.config"{
    "conditions" : "/request/path =~ /configmanager(/.*)?",
    "requireLocalhost": true
}
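A pre-deployment check covering the three recommendations above, as an added example that is not part of the original page or of the product. The function name audit and its dependency_text parameter are hypothetical, both sample inputs are constructed, and the dependency listing stands in for whatever file declares your application's dependencies.

```python
import re

# Constructed sample: commented-out production mode, one management URI unprotected.
SAMPLE_CONFIG = '''\
# /config/runtime/mode = "production"
/config/runtime/mode = "development"
@include "security/requirelocalhost.config"{
"conditions" : "/request/path =~ /opsmanager(/.*)?",
"requireLocalhost": true
}
'''
# Constructed dependency listing; the real file format is not shown on this page.
SAMPLE_DEPS = '<dependency name="zero.core.webtools"/>'

MANAGEMENT_URIS = ("/opsmanager", "/configmanager")
MODE = re.compile(r'^\s*/config/runtime/mode\s*=\s*"([^"]*)"', re.M)
STANZA = re.compile(r'@include\s+"security/requirelocalhost\.config"\s*\{(.*?)\n\s*\}', re.S)
CONDITION = re.compile(r'"conditions"\s*:\s*"/request/path\s*=~\s*(/\w+)')
REQUIRE = re.compile(r'"requireLocalhost"\s*:\s*true')

def audit(config_text, dependency_text=""):
    """Return findings for the three recommendations; an empty list means all pass."""
    # Ignore '#' comment lines so a commented-out setting does not count as applied.
    active = "\n".join(line for line in config_text.splitlines()
                       if not line.lstrip().startswith("#"))
    findings = []
    modes = MODE.findall(active)
    if not modes or any(mode != "production" for mode in modes):
        findings.append("runtime mode is not set to production")
    protected = set()
    for body in STANZA.findall(active):
        target = CONDITION.search(body)
        if target and REQUIRE.search(body):
            protected.add(target.group(1))
    for uri in MANAGEMENT_URIS:
        if uri not in protected:
            findings.append(uri + " is not restricted to localhost")
    if "zero.core.webtools" in dependency_text:
        findings.append("zero.core.webtools is still a dependency")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_DEPS):
        print("FAIL:", finding)
```

The check only confirms that the settings are present in the text; it does not evaluate how the runtime resolves them.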