Locking out the non SSL port for TOMCAT (Service Desk, BOXI, USS) page

Document ID : KB000014147
Last Modified Date : 14/02/2018
Question:

There is a concern that the non-SSL port 8080 continues to be used by Service Desk even though SSL has been implemented. How can the installation be hardened against use of this port?

Environment:
Service Desk Manager 12.9 and above
Unified Self Service 14.1
BOXI 4.1 SP3 SP5
Answer:

Once TOMCAT is configured to use SSL, to ensure either redirection to, or exclusive use of, the secure port, you must complete one of the actions below:

1. If you do not need port 8080 enabled, comment out the lines below in the server.xml file for Service Desk (..\CA\Service Desk Manager\bopcfg\www\CATALINA_BASE\conf), for BOXI (..\CA\SC\CommonReporting4\tomcat\conf) and for Unified Self Service (..\CA\Self Service\OSOP\tomcat-7.0.40\conf), then restart the TOMCAT server.

<!--
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" compression="on" URIEncoding="UTF-8" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
-->

With the connector commented out, TOMCAT no longer listens on port 8080, so any connection attempt to the non-secure port will fail.

2. If what you need is to redirect port 8080 to the secure port, add the following lines to the web.xml file of the web application, at the end of the file but before the closing </web-app> tag: for Service Desk (..\CA\Service Desk Manager\bopcfg\www\CATALINA_BASE\webapps\CAisd\WEB-INF), for BOXI (BOE/web-inf/web.xml), for USS (..\CA\Self Service\OSOP\tomcat-7.0.40\webapps\ROOT\WEB-INF):

<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth-constraint goes here if you require authentication -->
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Once the file is modified, save it and restart the TOMCAT server. If a user accesses the portal over a non-SSL port, the request is redirected immediately to the secure port, so the username and password the user types are not transmitted in plain text.
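The following script is an added example and is not part of this knowledge article or of the CA products it covers. It audits the two options above offline: it parses a server.xml to see whether a plain-HTTP connector (such as 8080) is still live, and a web.xml to see whether a security-constraint mapping /* to CONFIDENTIAL is present, then reports whether the install is hardened by either route. The function names and the sample XML documents are constructed for the example; the samples are not the real files shipped with Service Desk, BOXI or USS. It relies on the fact that ElementTree, like Tomcat, ignores a connector wrapped in an XML comment.

```python
# Added example (not part of the knowledge article): offline audit of the two
# hardening options. The XML below is constructed sample data, not product files.
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix such as '{http://java.sun.com/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]


def active_plain_http_connectors(server_xml):
    """Return the ports of HTTP connectors that are live (not commented out)
    and not SSL-enabled. ElementTree drops comments while parsing, so a
    connector inside <!-- --> never appears here, mirroring Tomcat's behaviour."""
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol.startswith("AJP"):
            continue  # AJP is a separate, non-browser listener; out of scope here
        ssl = conn.get("SSLEnabled", "false").lower() == "true"
        secure = conn.get("secure", "false").lower() == "true"
        if not (ssl or secure):
            ports.append(conn.get("port"))
    return ports


def confidential_constraint_covers_all(web_xml):
    """True if some <security-constraint> maps /* to transport-guarantee
    CONFIDENTIAL, i.e. option 2 is in place and plain-HTTP requests are redirected."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip() for e in sc.iter()
                      if _local(e.tag) == "transport-guarantee" and e.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


def audit(server_xml, web_xml):
    """Combine both checks: hardened if 8080 is gone (option 1) or every
    plain-HTTP request is forced onto TLS (option 2)."""
    plain_ports = active_plain_http_connectors(server_xml)
    redirect = confidential_constraint_covers_all(web_xml)
    return {
        "plain_http_ports": plain_ports,
        "redirect_enforced": redirect,
        "hardened": (not plain_ports) or redirect,
    }


# --- constructed sample configurations (not real product files) ---------------
SERVER_XML_OPEN = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Same file after option 1: the 8080 connector commented out.
SERVER_XML_CLOSED = SERVER_XML_OPEN.replace(
    '<Connector port="8080"', '<!-- <Connector port="8080"'
).replace('URIEncoding="UTF-8"/>', 'URIEncoding="UTF-8"/> -->')

WEB_XML_PLAIN = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>CAisd</display-name>
</web-app>
"""

# Same file after option 2: the security-constraint from the article appended
# before the closing </web-app> tag.
WEB_XML_REDIRECT = WEB_XML_PLAIN.replace("</web-app>", """  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>""")


if __name__ == "__main__":
    for label, srv, web in [("unhardened", SERVER_XML_OPEN, WEB_XML_PLAIN),
                            ("option 1", SERVER_XML_CLOSED, WEB_XML_PLAIN),
                            ("option 2", SERVER_XML_OPEN, WEB_XML_REDIRECT)]:
        print(label, audit(srv, web))
```

Point the two parsers at the real server.xml and web.xml paths listed above to check a live install; a result with a non-empty plain_http_ports list and redirect_enforced false means neither option has taken effect yet.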