The ability to deploy a service interface to Enterprise Server poses security risks. An attacker with network access to an enterprise server instance could use service interface deployment to upload and execute arbitrary programs under Enterprise Server, replace an existing service with a malicious implementation, or retrieve information about existing services. To mitigate these risks you can disable or restrict deployment to an enterprise server instance.
Disabling deployment
A deployed service interface running on an enterprise server instance uses a communications listener. This listener typically uses the Web conversation type and is named Web by default. When a new enterprise server instance is created, a Web listener is created for it.
You can completely disable deployment by setting the New Status of the Web listener to Disabled.
Note: If a listener is currently disabled, you can enable it by changing its status to Stopped, or to Started if the server is running.
Restricting deployment
As an alternative to completely disabling deployment to an enterprise server instance, you can restrict the Web listener to accept deployment from local connections only. A local connection, also called a loopback or localhost connection, originates from the same host as the enterprise server instance. With this restriction in place the listener refuses deployment over any remote connection, so an attacker would first need the ability to run code on the host itself before deploying anything.
Important: Beginning with Enterprise Server 4.0:
- By default, all newly created enterprise server instances restrict deployment acceptance to local connections.
- When using the Validate function, and when importing a server definition, the Enterprise Server Administration interface displays a warning if remote deployment is enabled.
To set the deployment acceptance behavior for a Web listener:
- From the Enterprise Server Administration Home page, click the Stop button in the Status column for the enterprise server region you are configuring.
- On the Stop Server Confirmation page, click OK. Wait for the server's status to change to Stopped.
- In the Communications Process column, click Details. This takes you to the Listeners page.
- Click the Edit button that corresponds to the Web listener.
- Edit the Web listener definition using one of the following options:
  - To restrict the listener to accept deployment from local connections only, type localhost:* in the Endpoint Address field and click OK.
  - To enable (or reinstate) remote deployment acceptance, type *:* in the Endpoint Address field and click OK.
- Click Home to return to the Enterprise Server Administration Home page.
- Click the Start button in the Status column for the enterprise server region you are configuring.
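After restarting the region, it is worth confirming from the operating system that the restriction actually took effect, rather than trusting the listener definition alone. The following script is an added verification check, not Micro Focus code and not part of the original procedure. It assumes that a Web listener whose Endpoint Address is localhost:* ends up bound to a loopback address (127.0.0.1 or ::1), that the input is the output of `ss -ltn` on a Linux host (column 4 is Local Address:Port), and that port 9003 is merely a placeholder for whatever port your listener definition uses; the `ss` sample it parses is constructed for the example.

```shell
#!/bin/sh
# Added verification check (not Micro Focus code). After restricting the
# Web listener's Endpoint Address to localhost:*, confirm from the OS that
# the listener socket is bound to a loopback address only.
# Assumptions, not taken from the product documentation:
#   - the listener binds to 127.0.0.1 / ::1 when its endpoint is localhost:*
#   - the input is `ss -ltn` output (column 4 is Local Address:Port)
#   - port 9003 is a placeholder; use the port from your listener definition

# nonlocal_binds PORT   (reads `ss -ltn` output on stdin)
# Prints each LISTEN socket on PORT whose local address is not a loopback
# address (0.0.0.0, ::, *, or a specific interface address), i.e. a socket
# a remote host could reach. Exit status 0 = loopback only, 1 = reachable.
nonlocal_binds() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")                     # last field is the port
      p = parts[n]
      host = substr(addr, 1, length(addr) - length(p) - 1)
      sub(/^\[/, "", host)                            # "[::1]" -> "::1"
      sub(/]$/, "", host)
      if (p == port && host !~ /^127\./ && host != "::1" && host != "localhost") {
        print addr
        found = 1
      }
    }
    END { if (found) exit 1; exit 0 }
  '
}

# Constructed sample of `ss -ltn` output: the listener on 9003 is restricted
# to loopback; 9004 listens on every interface; 9005 on one external address.
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:9003      0.0.0.0:*
LISTEN  0       128     [::1]:9003          [::]:*
LISTEN  0       128     *:9004              *:*
LISTEN  0       128     192.0.2.10:9005     0.0.0.0:*'

# check_sample PORT: run the check against the constructed sample above
check_sample() {
  printf '%s\n' "$SAMPLE_SS_OUTPUT" | nonlocal_binds "$1"
}

# Demo on the sample. On the real host run:  ss -ltn | nonlocal_binds 9003
check_sample 9003 >/dev/null && echo "port 9003: loopback only, not reachable remotely"
check_sample 9004 >/dev/null || echo "port 9004: bound on a non-loopback address, remote hosts can reach it"
```

Run `ss -ltn | nonlocal_binds <port>` on the Enterprise Server host after the region has started; any printed address, or a non-zero exit status, means the listener can still be reached from another machine and the Endpoint Address should be re-checked. The check is deliberately conservative: it inspects only the socket binding, so a listener that is bound to an external address but protected by a firewall or conversation filtering is still reported.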
Recommendations
Micro Focus recommends you consider the following:
- Do not enable deployment through the Web listener if you are using Enterprise Server for mainframe emulation only, including CICS Web Services.
- If the Web listener is enabled, keep it restricted to local deployment if possible. This is sufficient for typical development use, where a developer builds and deploys on a local machine for testing.
- When possible, avoid enabling remote deployment acceptance, particularly for production and staging systems used for Continuous Integration (CI) or QA testing. In cases where remote deployment acceptance is absolutely necessary, Micro Focus recommends that you consider taking any or all of these additional precautions:
  - Restrict access to the Web listener using a firewall.
  - Use the Enterprise Server conversation filtering feature. See Conversation Filtering for more information.
  - Enable TLS (SSL) with client certificate authentication.
- For CI, QA testing, and production, copy CAR files to the target system using a mechanism such as file sharing or FTP (bearing in mind that plain FTP carries credentials and files in cleartext, so an authenticated, encrypted transport such as SFTP or SCP is preferable), and install the interface by running the mfdepinst utility. See mfdepinst command for more information.