New Features and Enhancements

The 9.2.4.6 release of ActiveVOS includes the following new features and enhancements:
Security enhancements
The 9.2.4.6 release of ActiveVOS includes security enhancements to enforce tighter security for ActiveVOS. By default, all UI-related HTTP requests are automatically redirected to the equivalent HTTPS URLs. Redirection happens both on the server side and on the browser side (because ActiveVOS now uses the HTTP Strict Transport Security header).
Note: The server-side HTTPS redirect is enabled for port 443 by default. If you use a custom HTTPS port, you must configure it by using the ae.web.filter.https.port JVM property. If the configured port is incorrect, you might encounter issues with the UI.
For Tomcat, JBoss, and WebLogic, by default, the application enables the HTTPOnly flag and Secure flag for the JSESSIONID cookie. This means that by default, the session cookies are set to HTTPOnly, which keeps client-side scripts from reading them and helps prevent cross-site scripting attacks from stealing the session, and the cookies are restricted to HTTPS sessions.
For WebSphere, the HTTPOnly flag and Secure flag are not enabled by default for the JSESSIONID cookie because by default WebSphere does not allow an application to change any attribute of the JSESSIONID cookie. You must manually configure the flags in the WebSphere Admin Console.
Perform the following steps to enable the HTTPOnly flag and Secure flag for WebSphere:
  1. Open the WebSphere Admin Console.
  2. Click Application servers > servername > Session management > Cookies.
  3. Enter the cookie name as JSESSIONID.
  4. To add the HTTPOnly flag to the JSESSIONID cookie, select the Set session cookies to HTTPOnly to help prevent cross-site scripting attacks option.
  5. To add the Secure flag to the JSESSIONID cookie, select the Restrict cookies to HTTPS sessions option.
For more information about the flags, see the WebSphere documentation.
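To confirm after an upgrade that the redirect, the Strict Transport Security header, and the JSESSIONID flags are in effect, the response headers can be audited as in the following added example, which is not part of ActiveVOS or its documentation. The host name, path, cookie value, and sample responses are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample response heads (not captured from a real server).
HTTP_HEAD = "HTTP/1.1 302 Found\nLocation: https://avos.example.test/app/\n"
HTTPS_HEAD_FLAGGED = ("HTTP/1.1 200 OK\n"
                      "Strict-Transport-Security: max-age=31536000\n"
                      "Set-Cookie: JSESSIONID=constructed0001; Path=/; Secure; HttpOnly\n")
HTTPS_HEAD_UNFLAGGED = ("HTTP/1.1 200 OK\n"
                        "Strict-Transport-Security: max-age=31536000\n"
                        "Set-Cookie: JSESSIONID=constructed0001; Path=/\n")

def parse_head(raw):
    """Split a raw response head into (status, [(lowercase name, value), ...])."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit(http_head, https_head, https_port=443):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    status, headers = parse_head(http_head)
    target = urlsplit(dict(headers).get("location", ""))
    if status not in (301, 302, 303, 307, 308) or target.scheme != "https":
        findings.append("HTTP request is not redirected to HTTPS")
    elif (target.port or 443) != https_port:
        # Typical when a custom HTTPS port is used but the redirect port is wrong.
        findings.append(f"redirect targets port {target.port or 443}, expected {https_port}")
    _, headers = parse_head(https_head)
    if not any(n == "strict-transport-security" and "max-age=" in v.lower()
               for n, v in headers):
        findings.append("Strict-Transport-Security header missing")
    cookies = [v for n, v in headers
               if n == "set-cookie" and v.upper().startswith("JSESSIONID=")]
    if not cookies:
        findings.append("no JSESSIONID cookie in response")
    for cookie in cookies:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"JSESSIONID cookie lacks {flag}")
    return findings

if __name__ == "__main__":
    print(audit(HTTP_HEAD, HTTPS_HEAD_UNFLAGGED, https_port=8443))
```

Feed it the response heads from a plain HTTP request and an HTTPS request to the UI, with https_port set to the port your HTTPS listener actually uses.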
JMS Messaging Service enhancements
When you configure a JMS Messaging Service, you can define the following properties:
When you configure a queue listener or a topic listener, you can define the following property: