The ability to deploy a service interface to Enterprise Server poses security risks. An attacker with network access to an enterprise server instance could use service interface deployment to upload and execute arbitrary programs under Enterprise Server, replace an existing service with a malicious implementation, or retrieve information about existing services. To mitigate these risks you can disable or restrict deployment to an enterprise server instance.
Disabling deployment
A deployed service interface running on an enterprise server instance uses a communications listener. This listener typically uses the Web conversation type, and is named Web by default. When a new enterprise server instance is created, a Web listener is created for it.
You can completely disable deployment by setting the New Status of the Web listener to Disabled.
Note: If a listener is currently disabled, you can enable it by changing the status to Stopped, or to Started if the server is running.
Restricting deployment to local clients
As an alternative to completely disabling deployment to an enterprise server instance, you can restrict the Web listener to accept deployment from local connections only. A local connection, also called a loopback or localhost connection, originates from the same host. Restricting the listener to local connections prevents the acceptance of deployment from any remote connection.
Important: Beginning with Enterprise Server 4.0:
- By default, all newly created enterprise server instances restrict deployment acceptance to local connections.
- When using the Validate function, and when importing a server definition, the Enterprise Server Administration interface displays a warning if remote deployment is enabled.
To set the deployment acceptance behavior for a Web listener:
- From the Enterprise Server Administration Home page, click the Stop button in the Status column for the enterprise server region you are configuring.
- On the Stop Server Confirmation page, click OK. Wait for the server's status to change to stopped.
- In the Communications Process column, click Details. This takes you to the Listeners page.
- Click the Edit button that corresponds to the Web listener.
- Edit the Web listener definition using one of the following options:
  - To restrict the listener to accept deployment from local systems only:
    - In the Endpoint Address field, type localhost:*.
    - Click OK.
  - To enable (or reinstate) remote deployment acceptance:
    - In the Endpoint Address field, type *:*.
    - Click OK.
- Click Home to return to the Enterprise Server Administration Home page.
- Click the Start button in the Status column for the enterprise server region you are configuring.
Requiring user authentication and authorization
Beginning with Enterprise Server 5.0, the Web service deployment listener can be configured to require user authentication, and optionally to restrict deployment to specific users. This feature requires an enterprise server instance with External Security enabled. See About Securing an Enterprise Server Installation for more information on Enterprise Server security.
User authentication prevents anonymous deployment of service interfaces. The deployment client must present user credentials identifying the user who is attempting to deploy the interface. There are three options for authenticating deployment users:
- HTTP Basic Authentication: A username and password are supplied as part of the HTTP requests made by the deployment client. Users who deploy using the Eclipse IDE can supply these credentials when they deploy. With the imtkmake command-line utility, they can be supplied using the username and password parameters. For the web-deploy.html deployment web page, the browser will prompt for credentials if the listener is configured to require them.
- Certificate Authentication: If the deployment listener is configured to use SSL/TLS, and to require or allow client certificates, the deployment client can send a client certificate to the server. The server can be configured to associate this certificate with a specific user. For the IDE and imtkmake, the client certificate can be configured in mf-client.dat. When deploying with a browser and web-deploy.html, the client certificate will have to be configured using the browser's certificate management interface. Client certificates can be associated with users using the cascertreg utility or by automatic registration.
Recommendations
Micro Focus recommends you consider the following:
- Do not enable deployment through the Web listener if you are using Enterprise Server for mainframe emulation only, including CICS Web Services.
- If the Web listener is enabled, keep it restricted to local deployment if possible. This is sufficient for typical development use, where a developer builds and deploys on a local machine for testing.
- When possible, avoid enabling remote deployment acceptance, particularly for production and staging systems used for Continuous Integration (CI) or QA testing. In cases where remote deployment acceptance is absolutely necessary, Micro Focus recommends that you consider taking any or all of these additional precautions:
  - Restrict access to the Web listener using a firewall.
  - Use the Enterprise Server conversation filtering feature. See Conversation Filtering for more information.
  - Enable TLS (SSL) with client certificate authentication.
  - For CI, QA testing, and production, copy CAR files to the target system using a mechanism such as file sharing or FTP, and install the interface by running the mfdepinst utility. See mfdepinst command for more information.
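The following added example (not Micro Focus code, and not Enterprise Server's real listener definition format) audits a set of Web listener definitions against the guidance on this page: it treats an Endpoint Address of localhost:* (or a loopback IP) as local-only, flags *:* or any other host as remote deployment acceptance the way the Validate function warns, and, for remote listeners, checks for the TLS, client certificate and user authentication precautions described above. The dict keys name, status, endpoint, tls, client_cert and require_auth, and the sample listeners, are constructed assumptions for illustration.

```python
"""Audit constructed Web-listener definitions against deployment hardening guidance."""
from ipaddress import ip_address

def is_local_only(endpoint: str) -> bool:
    """True when an Endpoint Address of the form host:port only accepts loopback
    connections, e.g. 'localhost:*' or '127.0.0.1:*'; '*:*' means any interface."""
    host, sep, _port = endpoint.rpartition(":")
    if not sep:
        raise ValueError(f"endpoint must be host:port, got {endpoint!r}")
    host = host.strip("[]").lower()          # allow bracketed IPv6 literals
    if host == "localhost":
        return True
    if host in ("", "*"):
        return False                         # wildcard: reachable from any host
    try:
        return ip_address(host).is_loopback  # 127.0.0.0/8 or ::1 only
    except ValueError:
        return False                         # any other hostname is remotely reachable

def audit_listener(listener: dict) -> list[str]:
    """Return warnings for one listener (constructed dict layout, see lead-in)."""
    if listener.get("status") == "Disabled" or is_local_only(listener["endpoint"]):
        return []                            # deployment disabled or local-only: fine
    warnings = ["remote deployment acceptance is enabled"]   # the Validate warning
    if not listener.get("tls"):
        warnings.append("remote deployment without TLS")
    elif not listener.get("client_cert"):
        warnings.append("TLS without client certificate authentication")
    if not listener.get("require_auth"):
        warnings.append("anonymous deployment allowed (no user authentication)")
    return [f"{listener['name']}: {w}" for w in warnings]

# Constructed sample listeners; not taken from any real region definition.
SAMPLE_LISTENERS = [
    {"name": "Web", "status": "Started", "endpoint": "localhost:*"},
    {"name": "Web-ci", "status": "Started", "endpoint": "*:*",
     "tls": True, "client_cert": True, "require_auth": True},
    {"name": "Web-legacy", "status": "Started", "endpoint": "*:*"},
    {"name": "Web-off", "status": "Disabled", "endpoint": "*:*"},
]

def audit_all(listeners=SAMPLE_LISTENERS) -> list[str]:
    """Collect warnings across all listeners; an empty list means nothing to fix."""
    return [w for lst in listeners for w in audit_listener(lst)]

if __name__ == "__main__":
    for warning in audit_all():
        print("WARNING:", warning)
```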