How to disable check username API

Article ID: 6497

Products

CA API Developer Portal CA API Gateway

Issue/Introduction

How to disable the check username API at:

http://<portal hostname>/register/check/username?username=admin

Cause

If an unauthenticated GET request is made to http://<portal hostname>/register/check/username?username=admin, the portal responds with the message:

"The name  admin is already in use, please choose something else"

This response confirms to an unauthenticated caller that the user exists, which an attacker can exploit.

Environment

Release: L7APIP99000-3.5-API Developer Portal-Perpetual

Resolution

Disable this API using the following procedure:

1. In a browser, open http://<portal>/admin and log in using the admin account.

2. Click workspace --> Content items --> System --> conf

3. Choose the edit button next to properties.xml

4. Change <Property name="disableCheckUsername" value="no" />

To

<Property name="disableCheckUsername" value="yes" />

5. Choose Save

6. To publish this file, click the green arrow next to properties.xml

7. Restart the portal (service apiportal restart)

 

Now check http://<portal>/register/check/username?username=admin

The request now returns a "page cannot be displayed" error.
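To confirm the change took effect, the following added example (not CA/Broadcom code) checks both the edited properties.xml and the response of the endpoint, and flags the case where the file says "yes" but the endpoint still answers because the file was not published or the portal was not restarted. The root element name in the sample XML, the function names and the sample values are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

MARKER = "is already in use"  # phrase from the response quoted in the article

def check_username_disabled(properties_xml):
    """True only if every disableCheckUsername entry has value="yes"."""
    root = ET.fromstring(properties_xml)
    values = [p.get("value") for p in root.iter("Property")
              if p.get("name") == "disableCheckUsername"]
    # A missing property or any other value counts as not disabled.
    return bool(values) and all(v == "yes" for v in values)

def discloses_username(status, body):
    """True if a response confirms that a username exists."""
    return status == 200 and MARKER in body

def fetch(url, timeout=10):
    """Unauthenticated GET; returns (status, body), status 0 if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except OSError:  # connection refused, timeout, DNS failure
        return 0, ""

def audit(properties_xml, status, body):
    """Return a list of findings; an empty list means the fix is in effect."""
    findings = []
    if not check_username_disabled(properties_xml):
        findings.append('properties.xml: disableCheckUsername is not "yes"')
    if discloses_username(status, body):
        findings.append("endpoint still confirms usernames: "
                        "publish properties.xml and restart the portal")
    return findings

# Constructed sample inputs; the <Properties> root element is an assumption.
SAMPLE_FIXED = ('<Properties><Property name="disableCheckUsername" '
                'value="yes" /></Properties>')
SAMPLE_BODY = "The name admin is already in use, please choose something else"

if __name__ == "__main__":
    # For a live check, replace the sample response with
    # fetch("http://<portal>/register/check/username?username=admin")
    for finding in audit(SAMPLE_FIXED, 200, SAMPLE_BODY):
        print("FINDING:", finding)
```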