Are the WAS DefaultApplication and the ivtApp used in a Jazz productive environment?


Guido Schneider (3.4k1384112) | asked Jan 12 '13, 5:35 a.m.
retagged Jan 18 '13, 4:06 p.m. by Michael Afshar (7014)
Our company's internal security scan agent has complained about
"The web server is affected by multiple information disclosure vulnerabilities"
for our ClearQuest server, because of the WebSphere "DefaultApplication", installed by default on profile creation.

Because all of our Jazz servers also have this "DefaultApplication" installed, I think the same issue will also pop up for Jazz.

See also http://www.nessus.org/plugins/index.php?view=single&id=62738 and Technote from IBM http://www-01.ibm.com/support/docview.wss?uid=swg21599361

Is there any issue if we remove the "DefaultApplication", except that some troubleshooting can no longer be done?
Additionally: what is the "ivtApp" for? Can we also remove it, or at least remove it from the plugin-cfg.xml or change its context root, so the scanner does not find it?

Maybe the technote could be enhanced to also mention Jazz-based products and not only ClearQuest.

Accepted answer


Frank Ning (50024117132) | answered Jan 12 '13, 9:05 a.m.
edited Jan 12 '13, 9:07 a.m.
You can safely remove the DefaultApplication and ivtApp applications installed from WAS profile creation. Jazz does not need them. They are helpful in the beginning of the Jazz server setup to verify your web server and app server (and reverse proxy server). It is highly recommended to remove them from your production server after the server is installed and configured to be used as a production server.

The ivt one is used by "firststeps" of the WAS product to do installation verification.

When you create the WAS profile, you had a choice not to install "Sample application". If you deselected that component, the apps won't be installed.
Guido Schneider selected this answer as the correct answer

Comments
Guido Schneider commented Jan 16 '13, 6:20 a.m.

Additional question:

There is also an application "query". Is this one used for anything, or can I also remove it?

One other answer



Frank Ning (50024117132) | answered Jan 16 '13, 9:01 a.m.
Yes, you can remove the "query" as well. Jazz does not dance with them at all. It is strongly recommended to remove them on production servers for security and performance etc reasons...
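
An added example, not part of the original answers and not IBM's own tooling: a check that a web server plug-in's plugin-cfg.xml no longer routes requests to the sample applications discussed above. The URL lists for DefaultApplication and ivtApp are assumptions based on their usual default context roots, the XML fragment is constructed, and "query" is left out because the page does not give its context root; add it to `SAMPLE_URIS` from your own install.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Assumption: default URLs of the WAS sample applications; adjust to your install.
SAMPLE_URIS = {
    "DefaultApplication": ["/snoop", "/hello", "/hitcount"],
    "ivtApp": ["/ivt/ivtserver"],
}

# Constructed plugin-cfg.xml fragment (not from a real server).
SAMPLE_CFG = """<Config>
  <UriGroup Name="default_host_server1_Cluster_URIs">
    <Uri AffinityCookie="JSESSIONID" Name="/snoop/*"/>
    <Uri AffinityCookie="JSESSIONID" Name="/hello"/>
    <Uri AffinityCookie="JSESSIONID" Name="/ivt/*"/>
    <Uri AffinityCookie="JSESSIONID" Name="/jts/*"/>
    <Uri AffinityCookie="JSESSIONID" Name="/ccm/*"/>
  </UriGroup>
  <Route ServerCluster="server1_Cluster"
         UriGroup="default_host_server1_Cluster_URIs"
         VirtualHostGroup="default_host"/>
</Config>"""


def covers(pattern, path):
    """True if a plug-in Uri pattern would forward the given path."""
    # Assumption: "/ctx/*" also covers "/ctx" itself.
    if pattern.endswith("/*") and path == pattern[:-2]:
        return True
    return fnmatch.fnmatchcase(path, pattern)


def find_sample_routes(xml_text, sample_uris=SAMPLE_URIS):
    """Return (app, uri_group, pattern) for each routed Uri reaching a sample app."""
    root = ET.fromstring(xml_text)
    routed = {r.get("UriGroup") for r in root.iter("Route")}
    findings = []
    for group in root.iter("UriGroup"):
        if group.get("Name") not in routed:
            continue  # no Route references this group, so it is not forwarded
        for uri in group.iter("Uri"):
            pattern = uri.get("Name", "")
            for app, paths in sample_uris.items():
                if any(covers(pattern, p) for p in paths):
                    findings.append((app, group.get("Name"), pattern))
    return findings


if __name__ == "__main__":
    for app, group, pattern in find_sample_routes(SAMPLE_CFG):
        print(f"{app}: still routed via {pattern} in {group}")
```

An empty result means the plug-in configuration no longer forwards those URLs; it does not show whether the applications are still installed on the application server.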
