Locking out the non SSL port for TOMCAT (Service Desk, BOXI, USS) page
Article ID: 14147

Products

SUPPORT AUTOMATION- SERVER CA Service Desk Manager - Unified Self Service CA Service Desk Manager CA Service Management - Asset Portfolio Management CA Service Management - Service Desk Manager

Issue/Introduction



There is a concern that the non-SSL port 8080 continues to be used by Service Desk even after SSL has been implemented. How can the installation be hardened so that this port can no longer be used?

Environment

CA Service Desk Manager 17.X.

Resolution

Once TOMCAT is configured to use SSL, to ensure that the secure port is used exclusively (or that requests are redirected to it), complete one of the actions below:

1. If you do not need port 8080 enabled, comment out the lines below in the server.xml file for Service Desk (..\CA\Service Desk Manager\bopcfg\www\CATALINA_BASE\conf), for BOXI (..\CA\SC\CommonReporting4\tomcat\conf) and for Unified Self Service (..\CA\Self Service\OSOP\tomcat-7.0.40\conf), then restart the TOMCAT server.

<!--
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           compression="on"
           URIEncoding="UTF-8"
           compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
-->

With the connector commented out, TOMCAT no longer listens on port 8080, so any connection attempt to the non-secure port fails.

2. If instead you need port 8080 redirected to the secure port, add the following lines to the web.xml file of the web application for Service Desk (..\CA\Service Desk Manager\bopcfg\www\CATALINA_BASE\webapps\CAisd\WEB-INF), for BOXI (BOE/web-inf/web.xml) and for USS (..\CA\Self Service\OSOP\tomcat-7.0.40\webapps\ROOT\WEB-INF), at the end of the file but before the closing </web-app> tag:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Context</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- auth-constraint goes here if you require authentication -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Once the file is modified, save it and restart the TOMCAT server. If a user then accesses the portal through the non-SSL port, the request is redirected immediately to the secure port, so the username and password the user types are not transmitted in plain text.
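To verify that one of the two options above has actually been applied, the following audit script (added here as an example; it is not part of the CA article or product) parses server.xml and web.xml and reports whether plain HTTP is still reachable. The XML samples are constructed to mirror the connector and security-constraint shown above; point the functions at the real files under the CATALINA_BASE\conf and WEB-INF paths to audit a host.

```python
# Added audit script (not part of the CA article): checks whether a Tomcat
# instance has applied option 1 (HTTP connector commented out) or option 2
# (CONFIDENTIAL transport-guarantee on /*). All XML below is constructed.
import xml.etree.ElementTree as ET

SERVER_XML_OPEN = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""
# Same file after option 1: the 8080 connector is wrapped in an XML comment.
SERVER_XML_CLOSED = """<Server><Service name="Catalina">
<!-- <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/> -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

WEB_XML_PLAIN = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><display-name>CAisd</display-name></web-app>'
WEB_XML_HARDENED = WEB_XML_PLAIN.replace("</web-app>", """<security-constraint>
<web-resource-collection><web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern></web-resource-collection>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>""")

def _name(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix that web.xml tags carry

def plain_http_ports(server_xml):
    """Ports of live Connectors that accept unencrypted HTTP (AJP and SSLEnabled skipped).
    ElementTree discards comments, so a connector commented out per option 1 is not listed."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter() if _name(c.tag) == "Connector"
            and not c.get("protocol", "").startswith("AJP")
            and c.get("SSLEnabled", "false").lower() != "true"]

def confidential_patterns(web_xml):
    """url-patterns guarded by a CONFIDENTIAL transport-guarantee (option 2)."""
    found = []
    for sc in ET.fromstring(web_xml).iter():
        if _name(sc.tag) != "security-constraint":
            continue
        texts = {_name(e.tag): (e.text or "").strip() for e in sc.iter()}
        if texts.get("transport-guarantee") == "CONFIDENTIAL":
            found += [e.text.strip() for e in sc.iter() if _name(e.tag) == "url-pattern"]
    return found

def is_hardened(server_xml, web_xml):
    """True when no plain-HTTP port is open, or every URL is forced onto SSL."""
    return not plain_http_ports(server_xml) or "/*" in confidential_patterns(web_xml)
```

On a real host, read the two files with open(...).read() and pass the strings to is_hardened(); a False result means port 8080 still serves the portal without redirection.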