How to turn off default services to expose through internet (Compliance findings)

Article ID: 208828

Products

CA API Gateway

Issue/Introduction

Our security team reported certain findings which need to be turned off ASAP. These services look like default Gateway services. Please suggest how to turn them off.

/ssg/policy/disco
/ssg/wsdl
/ssg/backup
/ssg/webadmin

Environment

Release : 9.4

Component : API GATEWAY

Resolution

The default (built-in) services are enabled per listen port in the Policy Manager: each port defined under Manage Listen Ports carries its own list of built-in services, and they can be enabled or disabled on each port individually.

You can disable a built-in service (the ping service, for example) on a given port by following these steps:

- Log into Policy Manager as an administrator
- Tasks > Transports > Manage Listen Ports
- Select the port you are reviewing (8443, for example) > Properties
- Under Enabled Features, expand 'Built-in services'
- Uncheck the service you wish to disable on that port

WSDL

Background on how the WSDL service was developed in API Management:

The de facto standard for WSDL discovery is to make a GET request to the ?wsdl query string. The Gateway does not support this; instead it uses the /ssg/wsdl discovery service. The default configuration is for localhost and requires authentication (note this can be changed and opened up, as Disney has done).

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/services-and-policies/tasks-manage-menu-publish-services-and-apis/wsdl-query-handler-service.html

Question: Is it possible to disable only https://<FQDN>/ssg/wsdl, which returns all the WSDL information, but still allow individual WSDL documents to be retrieved?

Answer: The only way is to disable the built-in WSDL service on the listen port, then apply the "WSDL Query Handler Service", which allows access to WSDL documents individually.

To use the WSDL Query Handler Service, perform the following steps to disable the built-in WSDL download service:

  1. Set the service.wsdlQueryEnabled cluster property to false. This disables the existing directing of WSDL requests to the WSDL download service.
  2. Disable the WSDL download service on the HTTP(S) Listen Port Properties.

If you also need access by URI (the ?wsdl query), this is possible by adding the following fragment to the message-received global policy:

WSDL Query Handler - Query Redirection. This policy fragment directs WSDL queries (HTTP requests to a published service URI ending in "?wsdl") to the WSDL Query Handler Service.

Example: myurl is the URI defined for the published service; the ?wsdl query parameter triggers the policy fragment, which redirects the request to the WSDL Query Handler at /wsdlQueryHandler.

https://sm611841-gw94-2.lvn.broadcom.net:8443/myurl?wsdl
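Once the built-in services have been unchecked on the external listen port and the WSDL Query Handler is in place, the change is best confirmed from outside the Gateway. The script below is an added example and is not part of this article or of the CA API Gateway product: it probes the four built-in paths from the compliance finding on a listen port, reports any that still answer, and optionally checks that a published service's ?wsdl query still resolves through the Query Handler. The host name, the interpretation of status codes (404 taken as "disabled on this port"; 401/403 as "still present but refusing"), and the `fake_fetcher` offline stand-in are assumptions made for illustration.

```python
"""Verify that CA API Gateway built-in services are no longer served on a listen port.

Added example, not Broadcom code. Assumptions: a 404 means the port no longer
routes the path (service unchecked for that port); 401/403 means the service
is still enabled but denying the request, which is how /ssg/wsdl answers in
its default authenticated configuration; 2xx/3xx means it is exposed.
"""
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Built-in service paths named in the compliance finding.
BUILTIN_PATHS = ["/ssg/policy/disco", "/ssg/wsdl", "/ssg/backup", "/ssg/webadmin"]

# A fetcher returns the HTTP status for a URL, or None if no HTTP response came back.
Fetcher = Callable[[str], Optional[int]]


def http_status(url: str, timeout: float = 5.0, verify_tls: bool = True) -> Optional[int]:
    """GET the URL and return its status code without reading the body."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for listeners still on a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 4xx/5xx still tell us the path is routed
    except (urllib.error.URLError, OSError):
        return None              # connection refused, DNS failure, TLS failure


def classify(status: Optional[int]) -> str:
    """Turn a status code for a built-in path into an audit verdict."""
    if status is None:
        return "unreachable (no HTTP response)"
    if status == 404:
        return "closed"
    if status in (401, 403):
        return f"reachable, access denied (status {status})"
    return f"EXPOSED (status {status})"


def audit_builtin_services(base_url: str, fetch: Fetcher = http_status) -> Dict[str, str]:
    """Probe every built-in path on base_url (scheme://host:port) and classify each."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in BUILTIN_PATHS}


def needs_action(results: Dict[str, str]) -> List[str]:
    """Paths a compliance team would still flag: anything that is not 'closed'."""
    return sorted(path for path, verdict in results.items() if verdict != "closed")


def wsdl_query_ok(base_url: str, service_uri: str, fetch: Fetcher = http_status) -> bool:
    """True if <service_uri>?wsdl still answers 200, i.e. the Query Handler redirect works."""
    return fetch(base_url.rstrip("/") + service_uri + "?wsdl") == 200


def fake_fetcher(status_by_suffix: Dict[str, int]) -> Fetcher:
    """Constructed offline stand-in for http_status: match on URL suffix, else 404."""
    def fetch(url: str) -> Optional[int]:
        for suffix, status in status_by_suffix.items():
            if url.endswith(suffix):
                return status
        return 404
    return fetch


if __name__ == "__main__":
    import sys
    # Placeholder host; pass the real external listener as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://gateway.example.invalid:8443"
    report = audit_builtin_services(target)
    for path, verdict in report.items():
        print(f"{path:<20} {verdict}")
    print("still flagged:", needs_action(report) or "none")
    if len(sys.argv) > 2:  # optional published service URI, e.g. /myurl
        print("?wsdl via Query Handler:", "ok" if wsdl_query_ok(target, sys.argv[2]) else "FAILED")
```

Run it against the port that is exposed to the internet rather than against localhost, since the built-in services are enabled per port and the finding concerns the external listener; a 401 on /ssg/wsdl means the service is still enabled on that port and only its default authentication is protecting it.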