As a WebSphere administrator, you might be familiar with the following error page. This error page is generated when hostname/IP doesn’t match in virtual host configuration.

was-virtual-error-page

Have you seen this error?

It exposes the server information and port number which is considered as information leakage security vulnerability.

There are three possible ways to fix this.

Handle custom error through web server – if you are using a web server in front of WebSphere then you can handle 404 error through a web server and show some custom error page.

By showing custom error page you hide the server information and maintain the brand across the application.

Handle error page within application – let developer handle the error page within WebSphere application code and trigger the custom error page whenever 404 return code triggered.

Override the error by WAS configuration – this is the quickest way to mask the server information but has some limitation. This allows you to show the message in text format and doesn’t allow the HTML tag.

If branding is not the concern then you may consider this. Let’s go through the configuration. This configuration is on JVM so if your application is having multiple JVM’s then you got to do in all.

  • Login to WebSphere Administrative Console
  • Go to the Servers >> Server Types >> WebSphere application servers
  • Click the JVM where you want to override the error
  • Expand “Web Container Settings” and click “Web container”
  • Click Custom properties

was-web-container-new

  • Click New and Enter the Name as
com.ibm.ws.webcontainer.webgroupvhostnotfound
  • and Value the error message you want to show. For ex:
“Sorry, requested page not found.”
  • Click OK

was-hide-error

  • Review and save the configuration
  • Restart the JVM

Now, let’s try to access some page which doesn’t exist.

was-error-mask

Much better, isn’t it?

If you are working in PCI DSS compliant or highly transactional environment then mostly you will be asked by security auditing team to mitigate this.

I hope this small configuration help you in hiding WebSphere server information from the error page.