Security Considerations for Service Interface Deployment

Restriction: This topic applies only when the Enterprise Server feature is enabled.

The ability to deploy a service interface to Enterprise Server poses security risks. An attacker with network access to an enterprise server instance could use service interface deployment to upload and execute arbitrary programs under Enterprise Server, replace an existing service with a malicious implementation, or retrieve information about existing services. To mitigate these risks you can disable or restrict deployment to an enterprise server instance.

Disabling deployment

A deployed service interface running on an enterprise server instance uses a communications listener. This listener typical uses the Web conversation type, which is named Web by default. When a new enterprise server instance is created, a Web listener is created for it.

You can completely disable deployment by setting the New Status of the Web listener to Disabled.

Note: If a listener is currently disabled, you can enable it by changing the status to Stopped or to Started if the server is running.

Restricting deployment

As an alternative to completely disabling deployment to an enterprise server instance, you can restrict the Web listener to accept deployment from local connections only. A local connection, also called a loopback or localhost connection, originates from the same host. The local connection prevents the acceptance of deployment from any remote connection.

Important: Beginning with Enterprise Server 4.0:
  • By default, all newly created enterprise server instances restrict deployment acceptance to local connections.
  • When using the Validate function, and when importing a server definition, the Enterprise Server Administration interface displays a warning if remote deployment is enabled.

To set the deployment acceptance behavior for a Web listener:

  1. From the Enterprise Server Administration Home page, click the Stop button in the Status column for the enterprise server region you are configuring.
  2. On the Stop Server Confirmation page, click OK.

    Wait for the server's status to change to stopped.

  3. In the Communications Process column, click Details.

    This takes you to the Listeners page.

  4. Click the Edit button that corresponds to Web listener.
  5. Edit the Web listener definition using one of the following options:
    • To restrict the listener to accept deployment from local systems only:
      1. In the Endpoint Address field, type localhost:*.
      2. Click OK.
    • To enable (or reinstate) remote deployment acceptance:
      1. In the Endpoint Address field, type *:*.
      2. Click OK.
  6. Click Home to return to the Enterprise Server Administration Home page.
  7. Click the Start button in the Status column for the enterprise server region you are configuring.

Recommendations

Micro Focus recommends you consider the following:

  • If the Web listener is enabled, keep it restricted to local deployment if possible. This is sufficient for typical development use, where a developer builds and deploys on a local machine for testing.
  • When possible, avoid enabling remote deployment acceptance, particularly for production and staging systems used for Continuous Integration (CI) or QA testing. In cases where remote deployment acceptance is absolutely necessary, Micro Focus recommends that you consider taking any or all of these additional precautions:
    • Restrict access to the Web listener using a firewall.
    • Use the Enterprise Server conversation filtering feature. See Conversation Filtering for more information.
    • Enable TLS (SSL) with client certificate authentication.
  • For CI, QA testing, and production, copy CAR files to the target system using a mechanism such as file sharing or FTP, and install the interface by running the mfdepinst utility. See mfdepinst command for more information.