HTTP TRACE method running on an internal server is not a risk factor

book

Article ID: 48792

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

During some penetration tests, the HTTP TRACE method is identified as a vulnerability running on the provisioning connector machine.   How can this be addressed?

 

Cause

This is a non-issue.  

Environment

Release: 12.x 14.x


Component:

Identity Manager 

Identity Suite

Resolution

The pen (penetration) tests reported are false positives (further details are provided below), however even if they were not reporting falsly the CA Identity Manager (Symantec IGA) Provisiong Server machine is supposed to be located inside the secure network and not exposed to the DMZ or the internet and therefore leaving the HTTP TRACE method active would not be considered a security vulnerability.

Within the context of an enterprise deployment perspective, the use of the HTTP capabilities of the CA IM Connector Server is not utilized by an enterprise deployment. It only relates to data center to data center traffic that is routed from one CA IAM Connector Server to another.

In a CA IdentityMinder 12.x\14.x deployment, the Provisioning Server sends LDAP traffic over TCP/IP to the CA IAM Connector Server. There will be no traffic over HTTP to be traced. Port 20080 is the default port for the CA IAM Connector Server UI (non SSL) and 20443 the default port for SSL. The UI will only be used in an enterprise deployment if there is ever a need to hot-deploy connectors. Following the traditional path of taking Service Packs for the latest Connector Server updates, would have no need to use the UI. Ports 22001 and 22002 are used by CloudMinder to route LDAP requests over HTTP and HTTPS, respectively between data centers. These ports are not used in an enterprise deployment as LDAP traffic is sent over TCP/IP.

Returning to the earlier point that this is a false positive, you can review this in your own environment, using Google Chrome and the development tools.

 

Open Google Chrome > Press F12 or go to developer tools > Click on Application Tab > Load the URL for your connector server in the browser header > Click on cookies on the left panel > Select your cookie > Confirm that HTTP Only is not enabled.  If it doesn't show up that means it is disabled.

 

In the screenshot above you will see that HTTP Only does not have a checkbox which means it is turned off.

Additional Information

The CA IAM Connector Server uses Apache ServiceMix and specifically Camel (Jetty) for routing of HTTP/HTTPS traffic, which is turned off by default (this is the implementation that is used with CA IM)

For more information please refer to the general discussion on disabling http trace from Apache ServiceMix/Camel in the link below (traceEnabled false Specifies whether to enable HTTP TRACE for this Jetty consumer. ): 

http://camel.apache.org/jetty.html