This repository has been archived by the owner on Jul 28, 2023. It is now read-only.

Harden server default configuration in Open Liberty operator #38

Open
jtmulvey opened this issue Nov 13, 2019 · 0 comments
Comments

@jtmulvey
Contributor

Ensure the default Liberty configuration has the set of recommended best practices for security hardening enabled. The guide for these updates comes from our published Liberty for production hardening guide located here: https://ibm.box.com/s/blluvgl8pl8hmaiapk68byalavew64ip
Here's a list of some of these:

  1. make sure the Liberty server's identity does NOT own the server's configuration and instead only has READ access to it - use the WLP_OUTPUT_DIR environment variable to point to the logs; the server ID only owns the directory/file this points to
  2. make sure any sensitive info in the server.xml is AES encrypted
  3. ensure the featureManager list only includes the web container (servlet feature)
  4. disable all non-SSL ports : httpPort="-1" in the httpEndpoint stanza
  5. use feature transportSecurity-1.0 instead of ssl-1.0
  6. add webAppSecurity ssoRequiresSSL="true" to server.xml
  7. add webAppSecurity httpOnlyCookies="true" to server.xml
  8. add httpSession cookieHttpOnly="true" to server.xml
  9. disable dynamic updates : the dropins folder : applicationMonitor updateTrigger="mbean" dropinsEnabled="false" and config dyn. updates config updateTrigger="mbean" in server.xml
  10. disable default welcome page : httpDispatcher enableWelcomePage="false" in server.xml
  11. set httpOptions removeServerHeader="true" in server.xml
  12. set webContainer disableXPoweredBy="true" in server.xml
  13. if using the IBM Java SE 8 JDK, set in jvm.options: -Dcom.ibm.jsse2.sp800-131=strict -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2
  14. disable HTTP session overflow: httpSession allowOverflow="false" maxInMemorySessionCount="1000" alwaysEncodeUrl="true" cookieSecure="true" cookieHttpOnly="true"
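As an added example (not part of the issue or of the Open Liberty operator), a small Python auditor that parses a server.xml and reports which of the items above are not applied: the attribute settings from items 4 and 6 to 14, the feature list (items 3 and 5), and the {aes} encoding of password attributes (item 2). It assumes servlet feature names start with "servlet-" and that securityUtility-encoded secrets carry a {aes} or {xor} prefix; the sample configuration and its password value are constructed.

```python
# Added example (not from the issue or the Open Liberty operator): audit a server.xml
# against the hardening items listed in the issue above. Sample values are constructed.
import xml.etree.ElementTree as ET

# (element, attribute, required value), taken from items 4 and 6 to 14 of the list
ATTR_CHECKS = [
    ("httpEndpoint", "httpPort", "-1"),
    ("webAppSecurity", "ssoRequiresSSL", "true"),
    ("webAppSecurity", "httpOnlyCookies", "true"),
    ("httpSession", "cookieHttpOnly", "true"),
    ("httpSession", "cookieSecure", "true"),
    ("httpSession", "allowOverflow", "false"),
    ("httpSession", "alwaysEncodeUrl", "true"),
    ("applicationMonitor", "updateTrigger", "mbean"),
    ("applicationMonitor", "dropinsEnabled", "false"),
    ("config", "updateTrigger", "mbean"),
    ("httpDispatcher", "enableWelcomePage", "false"),
    ("httpOptions", "removeServerHeader", "true"),
    ("webContainer", "disableXPoweredBy", "true"),
]
# Features the list allows: the servlet feature (item 3) plus transportSecurity-1.0 (item 5)
ALLOWED_FEATURES = ("servlet-", "transportSecurity-1.0")

def audit_server_xml(xml_text: str) -> list:
    root = ET.fromstring(xml_text)
    findings = []
    for elem, attr, want in ATTR_CHECKS:
        # an absent element counts as "not set"; every occurrence must carry the value
        values = [e.get(attr) for e in root.iter(elem)] or [None]
        if any(v != want for v in values):
            findings.append(f'{elem} {attr}="{want}" not set')
    for f in root.iter("feature"):
        name = (f.text or "").strip()
        if not name.startswith(ALLOWED_FEATURES):
            findings.append(f"feature {name} is outside the allowed set")
    for e in root.iter():
        for attr, val in e.attrib.items():
            # item 2: secrets must use the {aes} encoding, not {xor} or plaintext (assumption)
            if "password" in attr.lower() and not val.startswith("{aes}"):
                findings.append(f"{e.tag} {attr} is not AES encrypted")
    return findings

# Constructed sample: a loosely configured server.xml showing several of the listed gaps
WEAK_SERVER_XML = """<server>
  <featureManager><feature>servlet-4.0</feature><feature>ssl-1.0</feature></featureManager>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443"/>
  <keyStore id="defaultKeyStore" password="{xor}Lz4sLCgwLTs="/>
  <applicationMonitor updateTrigger="polled" dropinsEnabled="true"/>
</server>"""
```

Running `audit_server_xml(WEAK_SERVER_XML)` returns one finding per unmet item; an empty list means every listed setting is present.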