Our security team reported certain findings which need to be turned off ASAP. These services look like default Gateway services. Please suggest how to turn them off.
/ssg/policy/disco
/ssg/wsdl
/ssg/backup
/ssg/webadmin
Release : 9.4
Component : API GATEWAY
The default (built-in) services are defined per listening port in Policy Manager; each one can be enabled or disabled separately on every port that is defined.
You can disable a built-in service (the ping service, for example) by following the steps below:
- Log into Policy Manager as an administrator
- Tasks > Transports > Manage Listen Ports
- Select the port in question (8443, for example) > Properties
- Under Enabled Features, expand 'Built-in services'
- Uncheck each service you wish to disable
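After unchecking the built-in services on a port, confirm from a client that they no longer answer. The script below is an added example (it is not from this article or from the Gateway product); it probes the four paths named in the finding and reports a verdict per path. It assumes that a disabled built-in service answers 404, that a 401 means the service is still enabled and merely sitting behind authentication, and that a 403 means access is filtered but the feature has not been proven unchecked; adjust the mapping if your Gateway version responds differently.

```python
"""Verify that the Gateway's built-in services on a listen port no longer answer.

Added example, not code from the original article or from the Gateway product.
Assumptions (not stated on the page): a disabled built-in service answers 404;
a 401 means the service is still enabled behind an authentication prompt.
"""
import ssl
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, NamedTuple, Optional

# Built-in service paths named in the finding.
BUILTIN_PATHS = ("/ssg/policy/disco", "/ssg/wsdl", "/ssg/backup", "/ssg/webadmin")

# Verdicts reported per path.
DISABLED = "disabled"                     # 404: feature unchecked on this port
ENABLED = "ENABLED"                       # 2xx/3xx: still served
ENABLED_AUTH = "ENABLED (auth only)"      # 401: still served, just behind a credential prompt
RESTRICTED = "restricted (confirm)"       # 403: filtered, but not proven unchecked
UNREACHABLE = "unreachable"               # connection error: nothing verified


class Result(NamedTuple):
    status: Optional[int]   # HTTP status, or None when no response was received
    verdict: str


# A fetcher maps a URL to an HTTP status; the test injects a fake one.
Fetcher = Callable[[str], int]


def http_status(url: str, timeout: float = 5.0, verify_tls: bool = True) -> int:
    """Return the HTTP status for a GET of url (error statuses included)."""
    ctx = ssl.create_default_context()
    if not verify_tls:   # only for lab gateways with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Map an HTTP status to a verdict (assumed mapping, see module docstring)."""
    if status == 404:
        return DISABLED
    if status == 401:
        return ENABLED_AUTH
    if status == 403:
        return RESTRICTED
    if 200 <= status < 400:
        return ENABLED
    return f"unexpected status {status}"


def audit_builtin_services(base_url: str, fetch: Fetcher = http_status,
                           paths=BUILTIN_PATHS) -> Dict[str, Result]:
    """Probe each built-in service path on base_url (scheme://host:port)."""
    results: Dict[str, Result] = {}
    for path in paths:
        url = base_url.rstrip("/") + path
        try:
            status = fetch(url)
        except OSError:   # URLError is an OSError subclass: refused, timeout, DNS
            results[path] = Result(None, UNREACHABLE)
            continue
        results[path] = Result(status, classify(status))
    return results


def still_enabled(results: Dict[str, Result]):
    """Paths whose verdict means the service is still being served."""
    return sorted(p for p, r in results.items() if r.verdict in (ENABLED, ENABLED_AUTH))


if __name__ == "__main__":
    # Usage: python audit_builtin.py https://<FQDN>:8443
    base = sys.argv[1] if len(sys.argv) > 1 else "https://localhost:8443"
    found = audit_builtin_services(base)
    for p, r in found.items():
        print(f"{p:<22} {str(r.status):>5}  {r.verdict}")
    sys.exit(1 if still_enabled(found) else 0)
```

Run it once per listen port you changed, since the built-in services are enabled per port; a non-zero exit code means at least one of the four paths is still being served on that port.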
WSDL
Background information on the Gateway's WSDL service:
The de facto standard for WSDL discovery is to make a GET request with the ?wsdl query string. The Gateway does not support this; instead it provides the /ssg/wsdl discovery service. By default this service is configured for localhost only and requires authentication (note that this can be changed and opened up).
Question: Is it possible to disable only https://<FQDN>/ssg/wsdl, which returns all the WSDL information, but still allow individual service WSDLs to be retrieved?
Answer: The only way is to disable the built-in WSDL service on the listen port, then publish the "WSDL Query Handler Service", which allows access to individual WSDL documents.
To use the WSDL Query Handler Service, perform the following steps to disable the built-in WSDL download service:
If you also need access by URI (the ?wsdl query string), this is possible by adding the following fragment to the message-received global policy:
WSDL Query Handler - Query Redirection. This policy directs WSDL queries (HTTP requests to a published service ending in "?wsdl") to the WSDL Query Handler Service.
Example: if myurl is the URL defined for a published service, the query parameter ?wsdl triggers the policy, which then sends the request to the WSDL Query Handler at /wsdlQueryHandler.