| Password restrictions | Property | DEV profile | PROD profile |
|---|---|---|---|
| Password Enforcement Mode | `watt.server.password.mode` | `lax` | `strict` |
| Minimum Number of Uppercase Characters | `watt.server.password.minUpperChars` | `0` | `1` |
| Minimum Number of Lowercase Characters | `watt.server.password.minLowerChars` | `0` | `1` |
| Minimum Number of Digits | `watt.server.password.minDigits` | `0` | `1` |
| Minimum Number of Special Characters (neither alphabetic nor digits) | `watt.server.password.minSpecialChars` | `0` | `1` |
| Number of Old Passwords to Remember (per user) | `watt.server.password.historyLength` | `0` | `2` |
| Permission to invoke a service | `watt.server.scheduler.checkUserAcl` | `false`: allows any user to run a scheduler service without checking whether the user has the Execute ACL permission for the service. | `true`: prevents unauthorized users from invoking a scheduler service by checking whether the user has the Execute ACL for the service. |
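The following is an added example, not Integration Server code, showing how the password restrictions above combine into a single check for a candidate password under either profile. The profile values are copied from the table; the names `PROFILES`, `violations` and `check_password` are constructed for this example. It assumes (the page does not say) that `lax` mode accepts a violating password with a warning while `strict` mode rejects it, and it compares plain strings for the history check where a real server would compare stored hashes.

```python
"""Password-restriction check built from the DEV and PROD profile values in the
table above.  Added example, not Integration Server code.  Assumption (not stated
on the page): in 'lax' mode a violating password is accepted with a warning, in
'strict' mode it is rejected.  A real server compares the history against stored
password hashes; plain strings are used here to keep the example self-contained.
"""

# Profile values copied from the table; every other name in this file is constructed.
PROFILES = {
    "DEV":  {"mode": "lax",    "minUpperChars": 0, "minLowerChars": 0,
             "minDigits": 0, "minSpecialChars": 0, "historyLength": 0},
    "PROD": {"mode": "strict", "minUpperChars": 1, "minLowerChars": 1,
             "minDigits": 1, "minSpecialChars": 1, "historyLength": 2},
}


def violations(password, settings, history=()):
    """List every restriction in `settings` that the candidate password breaks.

    `history` holds the user's previous passwords, oldest first; only the last
    `historyLength` entries are remembered, so 0 disables the reuse check."""
    counts = {
        "minUpperChars":   sum(c.isupper() for c in password),
        "minLowerChars":   sum(c.islower() for c in password),
        "minDigits":       sum(c.isdigit() for c in password),
        # "neither alphabetic nor digits", as the table defines special characters
        "minSpecialChars": sum(not c.isalnum() for c in password),
    }
    found = [f"{key}: need {settings[key]}, have {have}"
             for key, have in counts.items() if have < settings[key]]
    remembered = list(history)[-settings["historyLength"]:] if settings["historyLength"] else []
    if password in remembered:
        found.append(f"historyLength: matches one of the last {settings['historyLength']} passwords")
    return found


def check_password(password, settings, history=()):
    """Return (accepted, messages) according to the profile's enforcement mode."""
    problems = violations(password, settings, history)
    if not problems:
        return True, []
    if settings["mode"] == "lax":
        return True, ["warning: " + m for m in problems]
    return False, ["rejected: " + m for m in problems]


if __name__ == "__main__":
    for name, settings in PROFILES.items():
        print(name, check_password("password", settings))
```

Passing the settings dict rather than a profile name lets the same function evaluate an overridden profile, for example the PROD counts with `mode` switched to `lax`, which shows why the mode and the minimums must be hardened together.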
| Headers | Property | DEV profile | PROD profile |
|---|---|---|---|
| X-XSS-Protection | `watt.server.http.X-XSS-Protection` | `none`: poses an XSS attack threat to the client application, which in turn makes Integration Server susceptible to malicious requests. | `1; mode=block`: prevents XSS attacks on client applications, which in turn protects Integration Server from malicious requests. |
| SameSite | `watt.server.http.header.sameSite` | `none`: poses a CSRF attack threat to Integration Server. | `Lax`: prevents CSRF attacks on Integration Server. |
| Strict-Transport-Security | `watt.server.http.Strict-Transport-Security` | `none`: makes Integration Server susceptible to protocol downgrade attacks. | `max-age=300; includeSubDomains`: forces the client site and its subdomains to use only HTTPS in all requests to Integration Server for the first 5 minutes (300 seconds) after the initial response from the server. |
| X-Content-Type-Options | `watt.server.http.X-Content-Type-Options` | `none`: makes Integration Server susceptible to different types of cross-site scripting attacks by allowing MIME sniffing in client applications. | `nosniff`: prevents MIME sniffing in client applications, protecting Integration Server from malicious requests. |
| HTTP Content-Security-Policy | `watt.server.http.Content-Security-Policy` | `none`: makes Integration Server susceptible to malicious requests by allowing client applications to load scripts from unknown sources. | `script-src 'self'`: prevents client applications from loading scripts from unknown sources, protecting Integration Server from malicious requests. |
| X-Permitted-Cross-Domain-Policies | `watt.server.http.X-Permitted-Cross-Domain-Policies` | `none`: prevents client applications from using any cross-domain policies to access resources hosted on Integration Server. | `none`: prevents client applications from using any cross-domain policies to access resources hosted on Integration Server. |
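To confirm that a running server actually emits the PROD-profile headers, the following added example (not Integration Server code) parses a raw HTTP response and reports every header that is missing or differs from the PROD values in the table. The two responses embedded in it are constructed, and the `SameSite` check assumes the setting is applied as an attribute on `Set-Cookie`, which the page does not spell out; `parse_response_headers`, `audit_headers` and `audit_raw` are names chosen for this example.

```python
"""Check an HTTP response against the PROD-profile header values in the table
above.  Added example, not Integration Server code.  The two responses below are
constructed; the SameSite check assumes the setting lands as a Set-Cookie
attribute, which the page does not state."""
import re

# Exact PROD values from the table (compared ignoring case and whitespace).
PROD_EXPECTED = {
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-permitted-cross-domain-policies": "none",
}


def parse_response_headers(raw):
    """Split a raw HTTP response into (status line, {name: [values]}).
    Names are lowercased; repeated headers such as Set-Cookie keep every value."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def _squash(value):
    return "".join(value.split()).lower()


def audit_headers(headers):
    """Return findings relative to the PROD profile; an empty list is a pass."""
    findings = []
    for name, expected in PROD_EXPECTED.items():
        got = headers.get(name)
        if not got:
            findings.append(f"{name}: missing")
        elif _squash(got[0]) != _squash(expected):
            findings.append(f"{name}: got {got[0]!r}, PROD expects {expected!r}")

    hsts = headers.get("strict-transport-security", [""])[0]
    age = re.search(r"max-age=(\d+)", hsts)
    if not age:
        findings.append("strict-transport-security: missing or without max-age")
    else:
        if int(age.group(1)) == 0:
            findings.append("strict-transport-security: max-age=0 disables HSTS")
        if "includesubdomains" not in _squash(hsts):
            findings.append("strict-transport-security: includeSubDomains not set")

    csp = headers.get("content-security-policy", [""])[0]
    if "script-src" not in csp:
        findings.append("content-security-policy: missing or without script-src")

    for cookie in headers.get("set-cookie", []):
        if not re.search(r";\s*samesite=(lax|strict)\b", cookie, re.I):
            findings.append(f"set-cookie: {cookie.split('=', 1)[0]} has no SameSite=Lax/Strict")
    return findings


def audit_raw(raw):
    """Convenience wrapper: audit a raw response string."""
    return audit_headers(parse_response_headers(raw)[1])


# Constructed responses mirroring the DEV and PROD rows of the table.
DEV_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "Set-Cookie: ssnid=constructed-session-id; Path=/\r\n"
    "\r\n{}"
)
PROD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "Strict-Transport-Security: max-age=300; includeSubDomains\r\n"
    "Content-Security-Policy: script-src 'self'\r\n"
    "Set-Cookie: ssnid=constructed-session-id; Path=/; SameSite=Lax\r\n"
    "\r\n{}"
)

if __name__ == "__main__":
    for label, raw in (("DEV", DEV_RESPONSE), ("PROD", PROD_RESPONSE)):
        print(label, audit_raw(raw) or "all PROD header checks passed")
```

The HSTS check deliberately treats `max-age=0` as a finding rather than a pass: that value is syntactically valid but tells browsers to forget the policy, so an exact-string comparison against the table would miss it.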
| Response body | Property | DEV profile | PROD profile |
|---|---|---|---|
| Service exception details | `watt.server.http.returnException` | `verbose`: returns all the fields of a service exception, including the stack trace, potentially exposing sensitive technical details. | `message`: returns all the fields of a service exception except the stack trace. |
| Declared service output | `watt.server.serviceResults.returnDeclaredOutputOnly` | `false`: Integration Server returns a response that includes all of the pipeline contents at the time service execution completed. This can return sensitive data to the client. | `true`: Integration Server limits the response to the output parameters declared in the service signature. Note: if the service does not have a declared output signature, or if the output is not populated, Integration Server returns a response that includes all of the pipeline contents at the time service execution completed. |
| Service results cache | `watt.server.serviceResults.cache.strict` | `false`: disables strict service results caching. For a service execution, Integration Server saves and returns the entire output pipeline, which includes the output fields explicitly defined in the cached service as well as any output fields produced by earlier services in the flow. Caching the entire output pipeline may consume large amounts of memory and disk space, and returning the cached output pipeline may overwrite the values of fields that are not declared in the service output signature. | `true`: enables strict service results caching. For a service execution, Integration Server saves and returns values only for fields defined in the service output signature. Note: if the service does not have a declared output signature, or if the output is not populated, Integration Server caches and returns a response that includes all of the pipeline contents at the time service execution completed. |
| Hosts and ports | Property | DEV profile | PROD profile |
|---|---|---|---|
| HTTP ports | `watt.server.http.enable` | `true`: enables all HTTP ports, potentially allowing clients to make insecure HTTP requests to Integration Server. | `false`: disables all HTTP ports, so clients can reach Integration Server only through an HTTPS port. |
| Specific directives for specific ports | `watt.server.allowDirective` | `<blank>`: allows all incoming connections from client applications to Integration Server. | `invoke,5555,7777,web,6666,7777,soap,7777`: restricts the invoke directive to ports 5555, 5543, and 7777, the web directive to ports 6666 and 7777, and the SOAP directive to port 7777. Note: if you change the primary ports during installation or later, you must override this setting accordingly. For example, if you change the primary HTTP port to 5551 and the HTTPS port to 5552, add the following entry to the custom-security.properties file: `settings.watt.server.allowDirective=invoke,5551,5552,7777,web,6666,7777,soap,7777`. For more information, see Overriding Security Profile Settings. |
| Requests from cross-origin hosts | `watt.server.cors.enabled` | `false`: allows Integration Server to accept cross-origin requests, which is a risk factor. | `true`: prevents Integration Server from accepting cross-origin requests. |
| Certificate and compliance | Property | DEV profile | PROD profile |
|---|---|---|---|
| FIPS | `watt.security.fips.mode` | `false`: allows Integration Server to use non-FIPS-compliant cryptographic algorithms in its services, potentially allowing the use of weak algorithms. | `true`: ensures that Integration Server uses only FIPS-compliant cryptographic algorithms, preventing the use of weak algorithms. |
| Certificate verification | `watt.security.cert.wmChainVerifier.enforceExtensionsChecks` | `false`: Integration Server does not validate the certificates presented by other servers or clients. | `true`: forces Integration Server to check not only the validity of the certificates but also the propriety of their extensions, to prevent certificate-based attacks. |
| Certificate verification | `watt.security.cert.wmChainVerifier.trustByDefault` | `true`: by default, Integration Server trusts all certificates presented by other servers or clients. | `false`: forces Integration Server to check the certificates presented by other servers or clients, to prevent certificate-based attacks. |
| Cipher suites | Property | DEV profile | PROD profile |
|---|---|---|---|
| Cipher suite list for client | `watt.net.jsse.client.enabledCipherSuiteList` | `default`: allows Integration Server to present any cipher suite enabled by the JVM for securing outgoing connections. However, the cipher suite chosen by Integration Server can be weak or outdated, posing a security risk to the client. | Forces the client to use only the following cipher suites to secure communications with Integration Server: `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_AES_128_GCM_SHA256` |
| Cipher suite list for server | `watt.net.jsse.server.enabledCipherSuiteList` | `default`: allows Integration Server to accept any cipher suite presented by the client for securing incoming connections. However, the cipher suite chosen by the client can be weak or outdated, posing a risk to Integration Server. | Integration Server uses only the following cipher suites to secure communications with the client: `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_AES_128_GCM_SHA256` |
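Because every row above is a `watt.*` property, the whole PROD profile can be audited offline from a properties file. The following added example (not product code) does that: it parses `key=value` lines, accepts both the plain `watt.x=y` form and the `settings.watt.x=y` form shown for custom-security.properties, and reports each setting that is absent or differs from its PROD value, with extra handling for a blank `allowDirective` and for cipher suite lists that are `default` or contain suites outside the PROD list. The property keys and PROD values come from the tables (cipher names in their IANA spelling); the sample file content and the names `parse_properties`, `audit_properties`, `PROD_VALUES`, `PROD_CIPHERS` and `CIPHER_KEYS` are constructed for this example.

```python
"""Offline audit of Integration Server properties against the PROD profile
values in the tables above.  Added example, not product code.  Keys and PROD
values come from the page; the sample file content is constructed.  Both
'watt.x=y' (server.cnf style) and the 'settings.watt.x=y' form shown for
custom-security.properties are accepted."""

PROD_VALUES = {
    "watt.server.password.mode": "strict",
    "watt.server.password.minUpperChars": "1",
    "watt.server.password.minLowerChars": "1",
    "watt.server.password.minDigits": "1",
    "watt.server.password.minSpecialChars": "1",
    "watt.server.password.historyLength": "2",
    "watt.server.scheduler.checkUserAcl": "true",
    "watt.server.http.X-XSS-Protection": "1; mode=block",
    "watt.server.http.header.sameSite": "Lax",
    "watt.server.http.Strict-Transport-Security": "max-age=300; includeSubDomains",
    "watt.server.http.X-Content-Type-Options": "nosniff",
    "watt.server.http.Content-Security-Policy": "script-src 'self'",
    "watt.server.http.X-Permitted-Cross-Domain-Policies": "none",
    "watt.server.http.returnException": "message",
    "watt.server.serviceResults.returnDeclaredOutputOnly": "true",
    "watt.server.serviceResults.cache.strict": "true",
    "watt.server.http.enable": "false",
    "watt.server.cors.enabled": "true",
    "watt.security.fips.mode": "true",
    "watt.security.cert.wmChainVerifier.enforceExtensionsChecks": "true",
    "watt.security.cert.wmChainVerifier.trustByDefault": "false",
}

# The six PROD cipher suites from the table, in their IANA spelling.
PROD_CIPHERS = {
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
}
CIPHER_KEYS = ("watt.net.jsse.client.enabledCipherSuiteList",
               "watt.net.jsse.server.enabledCipherSuiteList")


def parse_properties(text):
    """Parse 'key=value' lines; '#'/'!' comments and blanks are skipped and the
    'settings.' prefix used in custom-security.properties is stripped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("settings."):
            key = key[len("settings."):]
        props[key] = value.strip()
    return props


def _squash(value):
    return "".join(value.split()).lower()


def audit_properties(props):
    """Return one finding per setting that is absent or differs from PROD."""
    findings = []
    for key, expected in PROD_VALUES.items():
        if key not in props:
            findings.append(f"{key}: not set (PROD expects {expected!r})")
        elif _squash(props[key]) != _squash(expected):
            findings.append(f"{key}: {props[key]!r} differs from PROD value {expected!r}")
    if not props.get("watt.server.allowDirective", "").strip():
        findings.append("watt.server.allowDirective: blank, every directive is allowed on every port")
    for key in CIPHER_KEYS:
        value = props.get(key, "default").strip()
        if not value or value.lower() == "default":
            findings.append(f"{key}: 'default', any JVM-enabled suite may be negotiated")
            continue
        extra = {s.strip() for s in value.split(",")} - PROD_CIPHERS
        if extra:
            findings.append(f"{key}: suites outside the PROD list: {sorted(extra)}")
    return findings


# Constructed extract: a server that has been only partly hardened.
SAMPLE_PROPERTIES = """\
# constructed extract of custom-security.properties after a partial hardening pass
settings.watt.server.password.mode=strict
settings.watt.server.http.enable=true
settings.watt.server.allowDirective=
settings.watt.net.jsse.server.enabledCipherSuiteList=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    for finding in audit_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```

Values are compared with whitespace and case removed, so `max-age=300 ; includeSubDomains` and `max-age=300; includeSubDomains` are treated as the same setting; the cipher check is a set difference rather than a string comparison, so the order in which suites are listed does not matter but any suite outside the PROD list is reported by name.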