During penetration tests against the SOI environment, the security department found that the following URLs prompt for Basic Authentication over plain HTTP:
UI
http://soi-ui-server/host-manager/html
http://soi-ui-server/manager/html
Manager
http://soi-manager-server/host-manager/html
http://soi-manager-server/manager/html
The publicly available Tomcat documentation describes the applications behind these URLs (the Tomcat Manager and Host Manager) as tools for managing Tomcat and the web applications deployed on it. However, reading the XML files mentioned in the finding, it appears that both applications were deliberately left partially disabled.
Even so, when these URLs are opened in a browser the web server responds with a Basic Auth challenge, and a user who enters credentials there sends them base64-encoded, i.e. effectively in cleartext, over unencrypted HTTP. This is a security issue.
Can we safely disable these services?
Release : 4.x
Component : Service Operations Insight (SOI) Manager & User Interface Server
SOI no longer uses the Tomcat manager and host-manager folders, so they can safely be removed (taking a backup first is suggested). After removing them, restart both the SOI Manager and the UI service.
Note: A defect has been raised with Engineering to remove these folders in future releases.
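The removal and backup step above, as an added example that is not part of the SOI article or product: a small POSIX shell script that archives the manager and host-manager folders from a given Tomcat webapps directory, removes them, and then checks that the affected URLs no longer answer with a 401 Basic Auth challenge. The webapps path, the backup location and the restart command are assumptions, since the article does not state the SOI install path, host OS or service names; pass the paths that apply to your installation and restart the Manager and UI services the way you normally do.

```shell
#!/bin/sh
# Added example, not code from the SOI article or product.
# Assumed: Tomcat webapps directory is passed as $1 (e.g. <SOI install>/tomcat/webapps),
# a backup directory as $2. Service restart is left to the operator.

disable_tomcat_manager_apps() {
    webapps="$1"
    backup_dir="$2"
    stamp=$(date +%Y%m%d%H%M%S)
    [ -d "$webapps" ] || { echo "no such webapps directory: $webapps" >&2; return 1; }
    mkdir -p "$backup_dir"

    # Only the two applications behind the flagged URLs are touched.
    present=""
    for app in manager host-manager; do
        [ -d "$webapps/$app" ] && present="$present $app"
    done
    if [ -z "$present" ]; then
        echo "nothing to remove in $webapps"
        return 0
    fi

    # Back up first, as the article suggests, then remove.
    ( cd "$webapps" && tar -czf "$backup_dir/tomcat-manager-apps-$stamp.tgz" $present ) || return 1
    for app in $present; do
        rm -rf "$webapps/$app"
    done
    echo "removed:$present (backup written to $backup_dir)"
}

# After restarting the Manager and UI services, a removed webapp should answer
# 404 rather than 401; a 401 means the Basic Auth prompt is still reachable.
check_manager_url() {
    url="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    case "$code" in
        401) echo "STILL PROMPTING for Basic Auth: $url ($code)"; return 1 ;;
        *)   echo "ok: $url -> $code"; return 0 ;;
    esac
}

# Usage (paths and hosts are assumed, adjust to your installation):
#   disable_tomcat_manager_apps /opt/CA/SOI/tomcat/webapps /var/backups/soi
#   ... restart the SOI Manager and UI services ...
#   for u in http://soi-ui-server/manager/html http://soi-ui-server/host-manager/html \
#            http://soi-manager-server/manager/html http://soi-manager-server/host-manager/html; do
#       check_manager_url "$u"
#   done
```

Run the removal on each of the two servers (UI and Manager), restart the services, and only then run the URL check; a 401 from any of the four URLs means a manager application is still deployed on that host.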