HTTP TRACE method running on an internal server is not a risk factor

Document ID : KB000048792
Last Modified Date : 31/07/2018
Description:

Customers have asked whether the HTTP TRACE method that is active on the provisioning connector server machine needs to be disabled. That machine is expected to sit inside the network, not in the DMZ and not exposed to the internet, so the question is whether leaving HTTP TRACE enabled there should be treated as a security vulnerability.

Solution:

In an enterprise deployment, the HTTP capabilities of the CA IAM Connector Server are not used at all. They apply only to data center to data center traffic that is routed from one CA IAM Connector Server to another.

In a CA IdentityMinder 12.6 deployment (the same applies to 12.5), the Provisioning Server sends LDAP traffic directly over TCP/IP to the CA IAM Connector Server; no HTTP traffic exists for TRACE to reflect. Port 20080 is the default port for the CA IAM Connector Server UI (non-SSL) and 20443 the default SSL port. In an enterprise deployment the UI is only needed if connectors ever have to be hot-deployed; a site that follows the usual path of taking Service Packs for Connector Server updates has no need to use the UI at all. Ports 22001 and 22002 are used by CloudMinder to route LDAP requests between data centers over HTTP and HTTPS respectively. These ports are not used in an enterprise deployment, where LDAP traffic is sent over TCP/IP. The CA IAM Connector Server uses Apache ServiceMix, and specifically Camel with its Jetty component, for routing HTTP/HTTPS traffic.

To disable HTTP TRACE in the Apache ServiceMix/Camel layer, use the configuration option of the Camel Jetty component documented at http://camel.apache.org/jetty.html:

traceEnabled (default: false): Specifies whether to enable HTTP TRACE for this Jetty consumer. By default TRACE is turned off.
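Rather than rely on the default alone, a practitioner would verify it against the listening ports. The following script is an added example written for this article; it is not code from the article or from the CA IAM Connector Server. It sends one TRACE request carrying a marker header and reports whether the server reflects the request back (the behaviour that makes TRACE a concern). The port list repeats the defaults named above; the target host, the marker header name and the two in-process listeners (one that echoes TRACE, one that refuses it) are constructed for the demonstration so the check can be exercised offline.

```python
"""Probe an HTTP listener for the TRACE method.

Added example, not part of the CA knowledge base article or product code.
Assumptions: the default ports come from the article; HOST, the marker
header and the local demo listeners are constructed here.
"""
import http.client
import http.server
import socketserver
import threading

# Non-SSL listeners named in the article (UI and data-center LDAP-over-HTTP).
CONNECTOR_HTTP_PORTS = (20080, 22001)
# Marker header: if the body echoes its value, TRACE reflected our request.
MARKER_HEADER = "X-Trace-Probe"
MARKER_VALUE = "probe-1"


def trace_status(host, port, tls=False, timeout=5.0):
    """Send one TRACE request; return (status, content_type, body_echoed_marker).

    tls=True uses HTTPSConnection for the SSL ports (20443, 22002); certificate
    verification is deliberately left on, so a self-signed cert must be trusted
    by the client first.
    """
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER_HEADER: MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status, resp.getheader("Content-Type", ""), MARKER_VALUE in body
    finally:
        conn.close()


def classify(status, content_type, echoed):
    """TRACE counts as enabled only when the request is reflected (RFC 7231: message/http)."""
    if status == 200 and (echoed or content_type.startswith("message/http")):
        return "TRACE enabled (request reflected)"
    if status in (405, 501):
        return "TRACE disabled (%d)" % status
    return "TRACE not reflected (HTTP %d)" % status


def check_trace(host, port, tls=False):
    return classify(*trace_status(host, port, tls=tls))


# --- constructed local listeners so the check can be run offline ---

class EchoTraceHandler(http.server.BaseHTTPRequestHandler):
    """Behaves like a server with TRACE turned on: reflects the request."""
    def do_TRACE(self):
        data = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass


class NoTraceHandler(http.server.BaseHTTPRequestHandler):
    """No do_TRACE method: BaseHTTPRequestHandler answers 501 Unsupported method."""
    def log_message(self, *args):
        pass


def start_server(handler):
    """Start a listener on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run the probe against both constructed listeners; returns {name: verdict}."""
    results = {}
    for name, handler in (("trace-on", EchoTraceHandler), ("trace-off", NoTraceHandler)):
        srv, port = start_server(handler)
        try:
            results[name] = check_trace("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # python trace_probe.py <host> <port>
        print(check_trace(sys.argv[1], int(sys.argv[2])))
    else:                           # offline demonstration
        for name, verdict in demo().items():
            print(name, "->", verdict)
```

Run it with a host and port (for example each of CONNECTOR_HTTP_PORTS on the connector server) to get a one-line verdict; with no arguments it probes the two constructed listeners. A 405 or 501 answer, or a 200 that does not echo the request, means TRACE is not reflecting; only a reflected request is the condition worth raising.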
