Endevor Web Services Security Access

book

Article ID: 223888

calendar_today

Updated On:

Products

CA Endevor Software Change Manager (SCM)

Issue/Introduction

Question about setting up the security access for Endevor Web Services.  Ok to set the Tomcat_User the same as the WSEWSSTC started task user ? Or is it recommended to make the Tomcat_User a different user ? 

 

Environment

Release : 18.1

Component : CA Endevor Software Change Manager

Resolution

If there are other unrelated web applications running on the same Tomcat server, separating the Tomcat user from the Endevor STC user is highly recommanded.  

If the Tomcat server is dedicated only to the Endevor Web Service, using separate user IDs is more proper, based on the principle of giving each service account the least amount of authority necessary. Although there is no specific security issue if the same user is set for both Tomcat_User and Endevor STC user, but if any major new vulnerability in Tomcat, Endevor WS, or one of their open-source components is discovered, then using the same user id might possibly give the attacker some extra options.