How to minimize the risk of exposure or abuse of the Health Check/Failover Servlet?

Document ID : KB000018519
Last Modified Date : 14/02/2018

Description:

Having deployed the HealthServlet/FailoverServlet, we need to minimize the risk of someone executing a failover inadvertently, as both servlets are on the same Tomcat instance. Securing access and minimizing exposure is the best way to prevent such abuse. This document describes a few ways in which this risk can be mitigated.

Solution:


  1. First, ensure that HealthServlet is deployed properly per the instructions in the SDM 12.9 Implementation Guide. Then identify the Health Servlet Tomcat install directory (Tomcat_Install_Dir). This is NOT the CA SDM Tomcat, but the Tomcat that HealthServlet is deployed to.

  2. Restrict access to the specific IP addresses or hostnames that should have access to the application:

    1. Back up the <Tomcat_Install_Dir>\conf\context.xml file.

    2. Edit the same file, go to the end of the file, and add the entries below BEFORE the last line in the file, </Context>:
    <Valve className="org.apache.catalina.valves.RemoteIpValve" />
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" deny="{IP_address}" allow="{IP_address}" />

    3. Make sure the allow list contains hosts or IP addresses. A handful of machines and a load balancer host are valid entries here.

    4. If there is an explicit deny list you want to apply, use the deny= option above.


  • A basic way to add an authentication scheme is to enable Basic Authentication via tomcat-users and a Tomcat security constraint. Step-by-step instructions follow.

    1. Back up the files below now:

      • <Tomcat_Install_Dir>\conf\web.xml
      • <Tomcat_Install_Dir>\conf\server.xml
      • <Tomcat_Install_Dir>\conf\tomcat-users.xml

    2. Edit <Tomcat_Install_Dir>\conf\web.xml, go to the end of the file, and add the entries below BEFORE the last line in the file, </web-app>:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HealthServlet</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>HealthServletAdmins</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>HealthServlet</realm-name>
    </login-config>
    <!-- Following section was missing -->
    <security-role>
      <role-name>HealthServletAdmins</role-name>
    </security-role>

    Save the file.

    3. Edit <Tomcat_Install_Dir>\conf\tomcat-users.xml, go to the end of the file, and add the entries below BEFORE the last line in the file, </tomcat-users>:
    <role rolename="HealthServletAdmins"/>
    <user username="HSAdmin" password="HSAdmin" roles="HealthServletAdmins"/>
    NOTE: HSAdmin would be the username and HSAdmin would be the password per the above entry.
    Save the file.

    4. Restart the Health Servlet Tomcat.
    5. Try to access the HealthServlet or FailoverServlet URLs now.
    6. You will be prompted for credentials; once you provide HSAdmin/HSAdmin, it will let you in.

  • If Basic Authentication is not enough (because of auditing or security requirements), one could try other mechanisms as documented at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

    1. Digest Authentication
    2. JNDI (for LDAP bind)

    The above two are a couple of the options. There may be other Single Sign-On solutions that help too.


  • To prevent passwords from travelling in clear text, secure the HealthServlet Tomcat with an SSL certificate. Steps similar to the ones documented in the SDM Implementation Guide for securing the SDM Tomcat with SSL apply to the HealthServlet Tomcat as well.
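
After making the changes above, the three edited files can be checked offline before Tomcat is restarted. The Python script below is an added example, not part of the original article or the product. Its sample file contents, the 203.0.113.99 probe address, and the check for a CONFIDENTIAL transport-guarantee (a standard deployment-descriptor element that forces HTTPS, not a step in this article) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files that mirror the entries this article adds.
CONTEXT = r'''<Context><Valve className="org.apache.catalina.valves.RemoteAddrValve"
  allow="192\.0\.2\.10|192\.0\.2\.11" /></Context>'''
WEB = '''<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>HealthServletAdmins</role-name></auth-constraint>
</security-constraint></web-app>'''
USERS = '''<tomcat-users><role rolename="HealthServletAdmins"/>
  <user username="HSAdmin" password="HSAdmin" roles="HealthServletAdmins"/>
</tomcat-users>'''

def _parse(text):
    """Parse XML and drop namespaces so tag lookups work across Tomcat versions."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def audit(context_xml, web_xml, users_xml, outsider="203.0.113.99"):
    """Return findings for the three files; outsider is a host that must be refused."""
    out = []
    valves = [v for v in _parse(context_xml).iter("Valve")
              if v.get("className", "").endswith(".RemoteAddrValve")]
    if not valves:
        out.append("context.xml: no RemoteAddrValve configured")
    for v in valves:
        allow = v.get("allow")
        # allow/deny are regular expressions matched against the whole address;
        # re.fullmatch approximates Tomcat's java.util.regex for simple patterns.
        if not allow:
            out.append("context.xml: RemoteAddrValve has no allow attribute")
        elif re.fullmatch(allow, outsider):
            out.append("context.xml: allow pattern admits " + outsider)
    guarded = [c for c in _parse(web_xml).iter("security-constraint")
               if c.find("auth-constraint") is not None
               and any((p.text or "").strip() == "/*" for p in c.iter("url-pattern"))]
    if not guarded:
        out.append("web.xml: /* is not behind an auth-constraint")
    elif not any((g.text or "").strip() == "CONFIDENTIAL"
                 for c in guarded for g in c.iter("transport-guarantee")):
        out.append("web.xml: no CONFIDENTIAL transport-guarantee on the constraint")
    for u in _parse(users_xml).iter("user"):
        if u.get("password", "").lower() == u.get("username", "").lower():
            out.append("tomcat-users.xml: %s uses its username as password" % u.get("username"))
    return out

if __name__ == "__main__":
    print("\n".join(audit(CONTEXT, WEB, USERS)))
```

To audit a real installation, pass the contents of the three files under <Tomcat_Install_Dir>\conf to audit() instead of the constructed samples.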