Security Considerations for Service Interface Deployment

The ability to deploy a service interface to Enterprise Server poses security risks. An attacker with network access to an enterprise server instance could use service interface deployment to upload and execute arbitrary programs under Enterprise Server, replace an existing service with a malicious implementation, or retrieve information about existing services. To mitigate these risks you can disable or restrict deployment to an enterprise server instance.

Disabling deployment

A deployed service interface running on an enterprise server instance uses a communications listener. This listener typical uses the Web conversation type, which is named Web by default. When a new enterprise server instance is created, a Web listener is created for it.

You can completely disable deployment by setting the New Status of the Web listener to Disabled.

Note: If a listener is currently disabled, you can enable it by changing the status to Stopped or to Started if the server is running.

Restricting deployment to local clients

As an alternative to completely disabling deployment to an enterprise server instance, you can restrict the Web listener to accept deployment from local connections only. A local connection, also called a loopback or localhost connection, originates from the same host. The local connection prevents the acceptance of deployment from any remote connection.

Important: Beginning with Enterprise Server 4.0:
  • By default, all newly created enterprise server instances restrict deployment acceptance to local connections.
  • When using the Validate function, and when importing a server definition, the Enterprise Server Administration interface displays a warning if remote deployment is enabled.

To set the deployment acceptance behavior for a Web listener:

  1. From the Enterprise Server Administration Home page, click the Stop button in the Status column for the enterprise server region you are configuring.
  2. On the Stop Server Confirmation page, click OK.

    Wait for the server's status to change to stopped.

  3. In the Communications Process column, click Details.

    This takes you to the Listeners page.

  4. Click the Edit button that corresponds to Web listener.
  5. Edit the Web listener definition using one of the following options:
    • To restrict the listener to accept deployment from local systems only:
      1. In the Endpoint Address field, type localhost:*.
      2. Click OK.
    • To enable (or reinstate) remote deployment acceptance:
      1. In the Endpoint Address field, type *:*.
      2. Click OK.
  6. Click Home to return to the Enterprise Server Administration Home page.
  7. Click the Start button in the Status column for the enterprise server region you are configuring.

Requiring user authentication and authorization

Beginning with Enterprise Server 5.0, the Web service deployment listener can be configured to require user authentication, and optionally to restrict deployment to specific users. This feature requires an enterprise server instance with External Security enabled. See About Securing an Enterprise Server Installation for more information on Enterprise Server security.

User authentication prevents anonymous deployment of service interfaces. The deployment client must present user credentials identifying the user who is attempting to deploy the interface. There are three options for authenticating deployment users:

  • HTTP Basic Authentication: A username and password are supplied as part of the HTTP requests made by the deployment client. Users who deploy using the Eclipse IDE can supply these credentials when they deploy. With the imtkmake command-line utility, they can be supplied using the username and password parameters. For the web-deploy.html deployment web page, the browser will prompt for credentials if the listener is configured to require them.
  • Certificate Authentication: If the deployment listener is configured to use SSL/TLS, and to require or allow client certificates, the deployment client can send a client certificate to the server. The server can be configured to associate this certificate with a specific user. For the IDE and imtkmake, the client certificate can be configured in mf-client.dat. When deploying with a browser and web-deploy.html, the client certificate will have to be configured using the browser's certificate management interface. Client certificates can be associated with users using the cascertreg utility or by automatic registration (see Deployment listeners).

Recommendations

Micro Focus recommends you consider the following:

  • Do not enable deployment through the Web listener if you are using Enterprise Server for mainframe emulation only, including CICS Web Services.
  • If the Web listener is enabled, keep it restricted to local deployment if possible. This is sufficient for typical development use, where a developer builds and deploys on a local machine for testing.
  • When possible, avoid enabling remote deployment acceptance, particularly for production and staging systems used for Continuous Integration (CI) or QA testing. In cases where remote deployment acceptance is absolutely necessary, Micro Focus recommends that you consider taking any or all of these additional precautions:
    • Restrict access to the Web listener using a firewall.
    • Use the Enterprise Server conversation filtering feature. See Conversation Filtering for more information.
    • Enable TLS (SSL) with client certificate authentication.
  • For CI, QA testing, and production, copy CAR files to the target system using a mechanism such as file sharing or FTP, and install the interface by running the mfdepinst utility. See mfdepinst command for more information.