Password Enforcement Mode

watt.server.​password.mode

lax

strict

Minimum Number of Uppercase Characters

watt.server.​password.minUpperChars

0

1

Minimum Number of Lowercase Characters

watt.server.​password.minLowerChars

0

1

Minimum Number of Digits

watt.server.​password.minDigits

0

1

Minimum Number of Special Characters (neither alphabetic nor digits)

watt.server.​password.minSpecialChars

0

1

Number of Old Passwords to Remember (per user)

watt.server.​password.historyLength

0

2

Permission to invoke a service. watt.server.scheduler.checkUserAcl

false

Allows any user to run a scheduler service without checking whether the user has the Execute ACL permission for the service.

true

Prevents unauthorized users from invoking a scheduler service by checking whether a user has the Execute ACL for the service.

X-XSS-Protection

watt.server​.http.X-XSS-Protection

none

Poses an XSS attack threat to the client application, which in turn makes Integration Server susceptible to malicious requests.

1; mode=block

Prevents XSS attacks on client applications, which in turn protects Integration Server from malicious requests.

SameSite

watt.server.​http.header.sameSite

none

Poses a CSRF attack threat to Integration Server.

Lax

Prevents CSRF attacks on Integration Server.

Strict-Transport-Security

watt.server.​http.Strict-Transport-​Security

none

Makes Integration Server susceptible to protocol downgrade attacks.

max-age=300 ; includeSubDomains

Forces the client site and its sub domains to use only HTTPS in all requests to Integration Server for the first 5 minutes after the initial response from the server.

X-Content-Type-Options

watt.server.​http.X-Content-Type-Options

none

Makes Integration Server susceptible to different types of cross-site scripting attacks by allowing MIME sniffing in client applications.

nosniff

Prevents MIME sniffing in client applications protecting Integration Server from malicious requests.

HTTP Content-Security-Policy

watt.server.http.​Content-Security-Policy

none

Makes Integration Server susceptible to malicious requests by allowing client applications to load scripts from unknown sources.

script-src 'self'

Prevents loading scripts from unknown sources in client applications protecting Integration Server from malicious requests.

X-Permitted-​Cross-Domain-Policies

watt.server.http.​X-Permitted-​Cross-Domain-​Policies

none

Prevents client applications from using any cross-domain policies to access resources hosted on Integration Server.

none

Prevents client applications from using any cross-domain policies to access resources hosted on Integration Server.

Service exception details

watt.server.http.​returnException

verbose

Returns all the fields of a service exception including stack trace, potentially compromising sensitive technical details.

message

Returns all the fields of a service exception except the stack trace.

Declared service output

watt.server.serviceResults.​returnDeclaredOutputOnly

false

Integration Server returns a response that includes all of the pipeline contents at the time service execution completed. This could result in sensitive data being returned to the client.

true

Integration Server limits the response to output parameters declared in the service signature.

Service results cache

watt.server.serviceResults.​cache.strict

false

Disables strict service results caching. For a service execution, Integration Server saves and returns the entire output pipeline. The pipeline includes the output fields explicitly defined in the cached service, as well as any output fields produced by earlier services in the flow. Caching the entire output pipeline may consume large amounts of memory and disk space. Additionally, returning the cached output pipeline may result in overwriting the values of fields that are not declared in the service output signature.

true

Enables strict service results caching. For a service execution, Integration Server saves and returns values for fields defined in the service output signature only.

HTTP ports

watt.server.http.enable

true

Enables all HTTP ports, potentially allowing clients to make insecure HTTP requests to Integration Server.

false

Disables all HTTP ports, allowing clients to access Integration Server only through an HTTPS port.

Specific directives for specific ports

watt.server.​allowDirective

<blank>

Allows all incoming connections from client applications to Integration Server.

invoke,5555,​7777,web,​6666,7777,​soap,7777

Restricts the use of :

For more information, see Overriding Security Profile Settings

Requests from cross-origin hosts

watt.server.cors.enabled

false

Allows Integration Server to accept cross-origin requests, which is a risk factor.

true

Prevents Integration Server from accepting cross-origin requests.

FIPS

watt.security.​fips.mode

false

Allows Integration Server to use non-FIPS compliant cryptographic algorithms in its services, potentially allowing the use of weak algorithms.

true

Ensures that Integration Server uses only FIPS-compliant cryptographic algorithms, preventing the use of weak algorithms.

Certificate verification

watt.security.cert.​wmChainVerifier.​enforceExtensionsChecks

false

Integration Server does not validate the certificates presented by other servers or clients.

true

Forces Integration Server to not only check the validity of the certifications but also the propriety of their extensions to prevent certificate-based attacks.

Certificate verification

watt.security.cert.​wmChainVerifier.​trustByDefault

true

By default, Integration Server trusts all the certificates presented by other servers or clients.

false

Forces Integration Server to check certificates presented by other servers or clients to prevent certificate-based attacks.

Cipher suite list for client

watt.net.jsse.client.​enabledCipherSuiteList

default

Allows Integration Server to present any cipher suite enabled by the JVM for securing outgoing connections. However, the cipher suite chosen by Integration Server can be weak or outdated posing a security risk to the client.

Forces the client to use only the following cipher suites to secure communications with the Integration Server.

Cipher suite list for server

watt.net.jsse.server.​enabledCipherSuiteList

default

Allows Integration Server to accept any cipher suite presented by the client for securing incoming connections. However, the cipher suite chosen by the client can be weak or outdated posing a risk to Integration Server.

Integration Server uses only the following cipher suites to secure communications with the client.