The four fundamental areas that security tests on Workload Automation cover are: OpenSSL, GSKit, WAS Security and cURL.
OpenSSL (Open Secure Sockets Layer) Overview
OpenSSL is a popular Open Source implementation of the SSL/TLS protocols. The project is managed by a worldwide community of volunteers. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available. Versions are available for most UNIX and UNIX-like operating systems (including Solaris, Linux, macOS, QNX, and the various open-source BSD operating systems), OpenVMS and Microsoft Windows. IBM provides a port for the System i (OS/400).
The SSL and TLS protocols enable two parties to identify and authenticate each other and to communicate with confidentiality and data integrity. The TLS protocol evolved from the Netscape SSL 3.0 protocol, but TLS and SSL do not interoperate.
The SSL and TLS protocols provide communications security over the internet and allow client/server applications to communicate in a way that is confidential and reliable. The protocols have two layers, a Record Protocol and a Handshake Protocol, and these are layered above a transport protocol such as TCP/IP. Both use asymmetric and symmetric cryptography techniques.
An SSL or TLS connection is initiated by an application, which becomes the SSL or TLS client. The application which receives the connection becomes the SSL or TLS server. Every new session begins with a handshake, as defined by the SSL or TLS protocols.
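The two-layer structure described above (a Record Protocol framing a Handshake Protocol message, with the handshake opening every session) is easiest to see in the bytes of a ClientHello. The following Python is an added example, not code from the original article or from any IBM product: it constructs a minimal TLS 1.2 ClientHello with a Server Name Indication extension, then parses it back layer by layer, the way a passive inspection tool would when checking what protocol versions, cipher suites and target names a client offers. The message bytes, the fixed client random, and the small cipher-suite name table are all constructed for the example.

```python
import struct

# Field values from RFC 5246 used by the example
CONTENT_HANDSHAKE = 0x16        # record layer content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type: client_hello
EXT_SERVER_NAME = 0x0000        # extension type: server_name (SNI)

VERSION_NAMES = {
    (3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2", (3, 4): "TLS 1.3",
}

# Names for the two suite codes the constructed message offers (not a full table)
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def build_client_hello(hostname: str, cipher_suites: list) -> bytes:
    """Build a minimal ClientHello inside a TLS record (constructed test input)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                 # 32-byte random (fixed, constructed)
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext    # extensions block
    )
    # Handshake layer: 1-byte type, 3-byte length, body
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: 1-byte content type, 2-byte version, 2-byte length
    record_hdr = bytes([CONTENT_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake))
    return record_hdr + handshake


def parse_client_hello(data: bytes) -> dict:
    """Parse the record layer, then the handshake layer, of a ClientHello.

    Every length field is checked against the bytes actually present, so a
    truncated or malformed message raises ValueError instead of being misread.
    """
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != CONTENT_HANDSHAKE:
        raise ValueError(f"not a handshake record: type {content_type:#x}")
    payload = data[5:5 + rec_len]
    if len(payload) != rec_len:
        raise ValueError("record length exceeds available data")

    msg_type = payload[0]
    msg_len = int.from_bytes(payload[1:4], "big")
    if msg_type != HANDSHAKE_CLIENT_HELLO:
        raise ValueError(f"not a ClientHello: handshake type {msg_type:#x}")
    body = payload[4:4 + msg_len]
    if len(body) != msg_len:
        raise ValueError("handshake length exceeds record payload")

    pos = 0
    client_version = (body[pos], body[pos + 1])
    pos += 2
    random_bytes = body[pos:pos + 32]
    pos += 32
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len                     # skip compression methods

    sni = None
    if pos + 2 <= len(body):                # extensions are optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type == EXT_SERVER_NAME:
                # server_name_list: 2-byte list length, 1-byte name type, 2-byte name length, name
                (name_len,) = struct.unpack("!H", ext_data[3:5])
                sni = ext_data[5:5 + name_len].decode("ascii")

    return {
        "record_version": VERSION_NAMES.get((ver_major, ver_minor), "unknown"),
        "client_version": VERSION_NAMES.get(client_version, "unknown"),
        "random": random_bytes.hex(),
        "session_id": session_id.hex(),
        "cipher_suites": [CIPHER_NAMES.get(cs, f"0x{cs:04x}") for cs in suites],
        "sni": sni,
    }


if __name__ == "__main__":
    msg = build_client_hello("example.org", [0xC02F, 0x002F])
    for key, value in parse_client_hello(msg).items():
        print(f"{key}: {value}")
```

Note that the record-layer version (TLS 1.0 here) and the handshake-layer client_version (TLS 1.2) are different fields: clients commonly keep the record version low for compatibility, so a tool that wants to know what a client actually supports must read the handshake layer, not the record header.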
OpenSSL on Workload Automation
GSKit (Global Security Kit) Overview
Global Security Kit (GSKit) is an optional software package that is needed only if Secure Sockets Layer (SSL) or Transport Layer Security (TLS) is required. Directory Server alone does not provide the capability for SSL connections from Directory Server clients; you enable the SSL feature by installing the GSKit package. The GSKit package includes SSL support and associated RSA Security, Inc. technology.
OpenSSL is included in GSKit and may be used for cryptographic operations (as per the OpenSSL license requirements).
The GSKit that is shipped with Workload Automation contains multiple security vulnerabilities, including a TLS/SSL client and server vulnerability.
Global Security Kit is a common component that several IBM products use for their cryptographic and SSL/TLS capabilities.
GSKit on Workload Automation
WebSphere Application Server (WAS) Security & Vulnerability Exposure Overview
WAS is a software product that performs the role of a web application server. More specifically, it is a software framework and middleware that hosts Java-based web applications.
WAS is built using open standards such as Java EE, XML, and Web Services. It is supported on the following platforms: Windows, AIX, Linux, Solaris, IBM i and z/OS.
It works with several Web servers including Apache HTTP Server, Netscape Enterprise Server, Microsoft Internet Information Services (IIS), IBM HTTP Server for i5/OS, IBM HTTP Server for z/OS, and IBM HTTP Server for AIX/Linux/Microsoft Windows/Solaris.
The WAS team releases Fix Packs, Interim Fixes (iFixes), and Limited Availability Fixes (LA fixes) to address potential WAS security vulnerabilities and exposures.
WAS Security & Vulnerability Exposure on Workload Automation
cURL was originally designed to move files between endpoints using different protocols, such as FTP, HTTP, SCP, and others. It started as a command-line utility but is now also a library with bindings to more than 30 languages. So now, instead of just using cURL from the shell, you can build applications that incorporate this important functionality. The libcurl library is also portable, supporting Linux®, IBM® AIX® operating system, BSD, Solaris, and many other UNIX® variants.
cURL supports HTTPS and performs SSL certificate verification by default when a secure protocol such as HTTPS is specified. When cURL connects to a remote server via HTTPS, it first obtains the remote server's certificate and validates it against its CA certificate store to ensure that the remote server is the one it claims to be. Some cURL packages are bundled with a CA certificate store file.
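The "is the server the one it claims to be" check has two parts: the certificate chain must validate against the trusted CA store, and the name the client connected to must appear in the certificate. The following Python is an added example, not code from the original article, from cURL or from any IBM product. It shows the name-matching part as an independent function (implemented here following the RFC 6125 rules that cURL and OpenSSL apply: exact match, case-insensitive, a wildcard only as the entire leftmost label and never spanning more than one label, and IP addresses matched only against IP SANs), and beside it the strict and the disabled verification settings of Python's `ssl` module, the latter being the equivalent of `curl -k`, so a reviewer can recognise either in application code. The SubjectAltName entries in the tests are constructed; their shape follows what `ssl.SSLSocket.getpeercert()` returns under the `subjectAltName` key.

```python
import ipaddress
import ssl


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, RFC 6125 style."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, appear only once, and the
    # pattern must have at least three labels so "*.org" never matches anything.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # A wildcard covers exactly one label: "*.example.org" does not match
    # "a.b.example.org", and it does not match the bare "example.org" either.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str, san_entries: list) -> bool:
    """Return True if hostname is covered by one of the certificate's SAN entries.

    san_entries is a list of (type, value) pairs such as ("DNS", "*.example.org")
    or ("IP Address", "192.0.2.10"). A literal IP address as hostname is only
    accepted against an IP Address entry, never against a DNS entry.
    """
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None
    for kind, value in san_entries:
        if kind == "DNS" and target_ip is None and _match_dns_pattern(value, hostname):
            return True
        if kind == "IP Address" and target_ip is not None:
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue   # malformed IP entry in the certificate: ignore it
    return False


def strict_context(cafile: str = None) -> ssl.SSLContext:
    """Context that verifies the chain against a CA store and checks the hostname.

    cafile=None uses the platform's default CA store, like a cURL build with a
    bundled store; pass a path to pin a specific store, like curl --cacert.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context() -> ssl.SSLContext:
    """Context with verification disabled: the equivalent of curl -k / --insecure.

    Shown only so the pattern is recognisable during code review; it accepts any
    certificate from anyone and should not appear in production code.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_verification(ctx: ssl.SSLContext) -> tuple:
    """Summarise a context's verification posture for audit output."""
    return (ctx.verify_mode.name, ctx.check_hostname)


if __name__ == "__main__":
    sans = [("DNS", "*.example.org"), ("IP Address", "192.0.2.10")]
    for host in ["www.example.org", "a.b.example.org", "example.org", "192.0.2.10"]:
        print(f"{host:20} -> {hostname_matches_cert(host, sans)}")
    print("strict:  ", describe_verification(strict_context()))
    print("insecure:", describe_verification(insecure_context()))
```

The matching function is deliberately separate from the socket layer so it can be unit-tested against certificate data captured from a test run; in production code, leave hostname checking to the TLS library (`check_hostname=True`, cURL's default) rather than reimplementing it.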
cURL on Workload Automation
If you want to know more about security tests on Workload Automation, contact Simone Grammatico firstname.lastname@example.org.