Endevor Webhook Server Configuration Protection

Article ID: 197052

Products

CA Endevor Software Change Manager (SCM)
CA Endevor Software Change Manager - ECLIPSE Plugin (SCM)

Issue/Introduction

How can the Endevor Webhook Server configuration be protected from unauthorized changes made through its URL, and access to it be limited to specific users?

Environment

Release : 18.0

Component : CA Endevor Software Change Manager

WebHook Server

Resolution

One way to limit access to the UI part of the webhook server is to use Tomcat's own container security (this is practical when the Tomcat instance is used for the Webhook Server only, because the user database in tomcat-users.xml is shared by every application in that instance). This consists of defining a role and a user associated with that role, and then setting a security constraint on the URL locations of the webhook server application.

In detail:

Location: <tomcat dir>\conf\tomcat-users.xml


In tomcat-users.xml, go to the bottom of the file, where the roles are defined.
Remove the example entries (or leave them commented out) and add your own role, such as the "whadmin" role below. Then define the user name and password that are associated with that role. Tomcat compares role names case-sensitively, so the spelling used here must be repeated exactly in web.xml. The password is stored in clear text in this file, so restrict the file's permissions to the account that runs Tomcat.


<tomcat-users>
  <!-- ... root element attributes and any other entries as in the shipped file ... -->
  <role rolename="whadmin"/>
  <user username="admin" password="<admin password>" roles="whadmin"/>
</tomcat-users>

Find the web.xml file in the WEB-INF directory of the webhook server web application, usually located in Tomcat's webapps directory under webhookserver.
Update the section as follows. In particular, add the <auth-constraint> naming the role defined above, add the <login-config> section, and make sure the <web-resource-collection> specifies <url-pattern>/*</url-pattern>, so that the whole application is protected rather than only the individual REST paths shown in the commented-out lines (those remain as an example of a narrower set of patterns).

  <security-constraint>
    <display-name>Secured</display-name>
    <web-resource-collection>
      <web-resource-name>Secured area</web-resource-name>
      <!-- Narrower alternative: protect only the listed REST paths.
      <url-pattern>/rest/configurations/*</url-pattern>
      <url-pattern>/rest/archived/*</url-pattern>
      <url-pattern>/rest/errors/*</url-pattern>
      <url-pattern>/rest/settings/*</url-pattern>
      <url-pattern>/rest/arclogs/*</url-pattern>
      <url-pattern>/rest/ReadLog/*</url-pattern>
      <url-pattern>/rest/applications/*</url-pattern>-->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- Uncomment when Tomcat has an HTTPS connector, so that BASIC credentials
         are never sent over plain HTTP.
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>-->
    <auth-constraint>
      <!-- Must match the rolename in tomcat-users.xml exactly (case-sensitive). -->
      <role-name>whadmin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Basic Authentication Area</realm-name>
  </login-config>
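The two files above have to agree with each other, and the easiest mistake to make is a role name that differs only in case between tomcat-users.xml and web.xml, which Tomcat treats as two different roles and therefore refuses every login. The following script is an added example (not part of this article or of the Endevor product) that cross-checks the two files: it reports auth-constraint roles that no defined role matches, roles that no user holds, a missing <login-config>, BASIC authentication without a CONFIDENTIAL transport guarantee, and a constraint that does not cover /*. The sample documents embedded in it are constructed for the example; the password value is a placeholder.

```python
"""Cross-check tomcat-users.xml against the webhook server's web.xml (added example)."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix: '{http://xmlns.jcp.org/xml/ns/javaee}role-name' -> 'role-name'."""
    return tag.rsplit("}", 1)[-1]


def _all(root, name):
    """All elements (root included) whose local tag name is `name`."""
    return [e for e in root.iter() if _local(e.tag) == name]


def _texts(root, name):
    return [e.text.strip() for e in _all(root, name) if e.text]


def check_basic_auth_config(tomcat_users_xml, web_xml):
    users_root = ET.fromstring(tomcat_users_xml)
    web_root = ET.fromstring(web_xml)

    defined_roles = {r.get("rolename") for r in _all(users_root, "role") if r.get("rolename")}
    users_by_role = {}
    for u in _all(users_root, "user"):
        for role in (u.get("roles") or "").split(","):
            if role.strip():
                users_by_role.setdefault(role.strip(), []).append(u.get("username"))

    # Only <role-name> inside <auth-constraint> grants access; <security-role> is ignored.
    required_roles = [rn for ac in _all(web_root, "auth-constraint") for rn in _texts(ac, "role-name")]
    url_patterns = _texts(web_root, "url-pattern")  # commented-out patterns are dropped by the parser
    guarantees = _texts(web_root, "transport-guarantee")
    auth_methods = _texts(web_root, "auth-method")

    findings = []
    for role in required_roles:
        if role in defined_roles:
            if not users_by_role.get(role):
                findings.append(f"no user in tomcat-users.xml holds role {role!r}")
            continue
        near = [d for d in defined_roles if d.lower() == role.lower()]
        hint = f" (case mismatch with {near[0]!r}; Tomcat role names are case-sensitive)" if near else ""
        findings.append(f"role {role!r} required by web.xml is not defined in tomcat-users.xml{hint}")
    if not auth_methods:
        findings.append("web.xml has no <login-config>: constrained URLs are refused for everyone")
    if "BASIC" in auth_methods and "CONFIDENTIAL" not in guarantees:
        findings.append("BASIC auth without CONFIDENTIAL transport-guarantee: credentials travel "
                        "base64-encoded in clear text unless the connector is HTTPS")
    if "/*" not in url_patterns:
        findings.append(f"constraint covers only {url_patterns}, not /*")
    return {"required_roles": required_roles, "defined_roles": sorted(defined_roles),
            "users_by_role": users_by_role, "findings": findings}


# Constructed sample: tomcat-users.xml as described above (password is a placeholder).
TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="whadmin"/>
  <user username="admin" password="s3cret-example" roles="whadmin"/>
</tomcat-users>"""

# Constructed sample: the web.xml fragment with the role spelt "WHAdmin" and TLS left commented out.
WEB_XML_AS_PRINTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured area</web-resource-name>
      <!-- <url-pattern>/rest/configurations/*</url-pattern> -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!--<user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>-->
    <auth-constraint><role-name>WHAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Same fragment with the role name matched and the transport guarantee enabled.
WEB_XML_FIXED = (WEB_XML_AS_PRINTED.replace("WHAdmin", "whadmin")
                 .replace("<!--<user-data-constraint>", "<user-data-constraint>")
                 .replace("</user-data-constraint>-->", "</user-data-constraint>"))

if __name__ == "__main__":
    for label, doc in (("as printed", WEB_XML_AS_PRINTED), ("fixed", WEB_XML_FIXED)):
        print(label, check_basic_auth_config(TOMCAT_USERS, doc)["findings"])
```

Run it against the real files by reading them into the two arguments; an empty findings list means the role wiring is consistent and the constraint covers the whole application.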


Restart the Tomcat server and then try to access

http://<host>:<port>/mfwebhookserver/#!/webhooks

Tomcat now challenges the request (HTTP 401 with a Basic authentication prompt). Entering the user name and password defined in tomcat-users.xml allows that specific user to access the UI of the webhook server, while anonymous requests and unknown users are refused. Because BASIC authentication sends the credentials base64-encoded, not encrypted, in every request, serve the webhook server over an HTTPS connector and uncomment the <user-data-constraint> so that plain HTTP requests are redirected to it.
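The expected behaviour can be checked without a browser. The script below is an added example (not part of this article or of the Endevor product): probe() sends an anonymous request, a request with a wrong password and a request with the configured credentials, and reports the status codes and the WWW-Authenticate challenge. So that it runs offline, it also starts a small stand-in HTTP server that imitates the protected Tomcat context; the credentials, the port and the /mfwebhookserver/ path are constructed for the example. Point probe() at the real URL once Tomcat has been restarted.

```python
"""Probe a BASIC-auth protected URL and assert the 401/401/200 pattern (added example)."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

REALM = "Basic Authentication Area"  # realm-name from the web.xml above


def _get(url, user=None, password=None):
    """GET `url`, optionally with a Basic Authorization header; return (status, challenge)."""
    req = Request(url, method="GET")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except HTTPError as err:  # 4xx/5xx are raised by urllib, not returned
        return err.code, err.headers.get("WWW-Authenticate")


def probe(url, user, password):
    """Three requests: anonymous, wrong password, valid credentials."""
    anon, challenge = _get(url)
    wrong, _ = _get(url, user, password + "x")
    good, _ = _get(url, user, password)
    protected = (anon == 401 and wrong == 401 and good == 200
                 and challenge is not None and challenge.startswith("Basic"))
    return {"anonymous": anon, "challenge": challenge, "wrong_password": wrong,
            "valid_user": good, "protected": protected}


class _StandInHandler(BaseHTTPRequestHandler):
    """Imitates Tomcat's BASIC authenticator for the protected context (constructed stand-in)."""
    users = {"admin": "s3cret-example"}  # constructed credentials mirroring tomcat-users.xml

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        ok = False
        if auth.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
                ok = self.users.get(user) == pw
            except Exception:
                ok = False
        if ok:
            body = b"webhook server UI"
            self.send_response(200)
        else:
            body = b""
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stand_in():
    """Start the stand-in on an ephemeral localhost port; return (server, url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/mfwebhookserver/"


if __name__ == "__main__":
    srv, url = start_stand_in()
    try:
        print(probe(url, "admin", "s3cret-example"))
    finally:
        srv.shutdown()
```

Against the real server, a 403 for the valid user instead of 200 means the login succeeded but the role did not match, which is exactly what a case mismatch between tomcat-users.xml and web.xml produces; a 200 for the anonymous request means the constraint is not covering that path.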