Web Server Discloses Software Type And Version Vulnerability when scanning Novell Access Manager

  • 7011409
  • 21-Nov-2012
  • 21-Nov-2012

Environment

Identity Server and Access Gateway of 3.2 SP1 installed on Windows 2008 R2
NetIQ Access Manager 3.2 Support Pack 1 applied

Situation

The Identity (IDP) Server and Access Gateway (AG) of 3.2 SP1 were installed and configured on a Windows 2008 R2 platform. All web applications protected by the Access Gateway worked fine, i.e. users could single sign-on to back-end applications behind the AG after successfully authenticating at the IDP server.

Before going live, a security scan of the system found the following vulnerability:

Web Server Discloses Software Type And Version [NOT FIXED]

Source: Web Application Assessment

Level Of Severity Suggested Likelihood Of Threat High

Affected Components: neologin-staging.novell.com (443/tcp)

Finding
The Team observed that the web servers on the affected hosts disclosed information about their software type and version within the HTTP 'Server' header field:

neologin-staging.novell.com:
Apache-Coyote/1.1

Recommendation
It is recommended that the web server be reconfigured to display the minimal amount of information, or to display false information.
Apache servers can be configured to give the minimum amount of information by adding the following directive to the Apache configuration file (usually 'httpd.conf' or 'apache.conf'):

ServerTokens Prod

Alternatively, on Apache-based servers 'mod_security' can be used to change the server signature to any value. The following directive should be added to the configuration file:

SecServerSignature "New_Server_Signature"

Resolution

Modify the IDP connector information in the server.xml to add a 'Server=' string.

In the setup above, the Apache-Coyote/1.1 Server header was returned by the IDP server's Tomcat instance. Tomcat's HTTP connector accepts a server attribute whose value replaces the default Server response header. To apply the fix, edit C:\Program Files (x86)\Novell\Tomcat\conf\server.xml and add server="Confidential" (or any other value) to the IDP connector, the Connector element with NIDP_Name="connector", so that it reads as follows (keep your own existing attribute values such as address, keystore path and password; only the server attribute is added):

<Connector NIDP_Name="connector" SSLEnabled="true" URIEncoding="utf-8" acceptCount="0" address="21.207.236.84" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Novell\devman\jcc/certs/idp/connector.keystore" keystorePass="cAOr9312zor2X28" maxThreads="600" minSpareThreads="5" port="8443" scheme="https" sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation" sslProtocol="tls" useBodyEncodingURI="false" server="Confidential"/>

Then restart Tomcat with the following commands:

net stop tomcat7
net start tomcat7

After the restart, the Server HTTP header is returned as "Confidential", and the scan finding can be re-tested against port 8443 of the IDP server.
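As an added example, not code from the TID or from the NetIQ product: a small Python script that automates the resolution above on a constructed server.xml fragment (adding server="Confidential" to every Connector that lacks it, leaving connectors that already set it alone) and parses a raw HTTP response to flag a Server header that still discloses the software type and version. The address, keystore path and password in the sample XML are placeholders, not the page's values.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed server.xml fragment shaped like the NAM IDP connector in the article.
# The address, keystore path and password are placeholders, not real values.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector NIDP_Name="connector" SSLEnabled="true" port="8443" scheme="https"
      address="192.0.2.10" keystoreFile="PLACEHOLDER.keystore" keystorePass="PLACEHOLDER"
      sslProtocol="tls" maxThreads="600" minSpareThreads="5"/>
    <Connector port="8081" protocol="HTTP/1.1" server="Already-Set"/>
  </Service>
</Server>"""

def set_server_header(server_xml: str, value: str = "Confidential") -> Tuple[str, int]:
    """Add server="<value>" to every Connector that lacks it. Connectors that
    already carry a server attribute are left unchanged. Returns (new xml, count)."""
    root = ET.fromstring(server_xml)
    changed = 0
    for conn in root.iter("Connector"):
        if "server" not in conn.attrib:
            conn.set("server", value)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed

# Signatures that reveal software type and/or version in a Server header
# (Apache-Coyote is the default Tomcat value seen in the scan finding).
DISCLOSING = re.compile(r"(Apache-Coyote|Apache/\d|Tomcat|nginx/\d|Microsoft-IIS/\d)", re.I)

def server_header_disclosure(raw_response: str) -> Tuple[Optional[str], bool]:
    """Parse a raw HTTP response and return (Server header value or None,
    True if that value discloses the server software type/version)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, val = line.partition(":")
        if name.strip().lower() == "server":
            val = val.strip()
            return val, bool(DISCLOSING.search(val))
    return None, False

if __name__ == "__main__":
    new_xml, n = set_server_header(SAMPLE_SERVER_XML)
    print(f"added server attribute to {n} connector(s)")
    # Constructed responses: before and after the server.xml change.
    before = "HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Length: 0\r\n\r\n"
    after = "HTTP/1.1 200 OK\r\nServer: Confidential\r\nContent-Length: 0\r\n\r\n"
    print(server_header_disclosure(before))   # ('Apache-Coyote/1.1', True)
    print(server_header_disclosure(after))    # ('Confidential', False)
```

To check a live IDP server, feed the script the raw response of a HEAD request to https://<idp-host>:8443/ captured with a tool such as openssl s_client or curl -I; the header check only needs the response text.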