DX Application Performance Management

  • 1.  Disable Rest API -> disable "data/query?" access to MOM

    Posted Feb 28, 2018 05:28 PM

    Business Requirement:

    Unrestricted access to APM public REST API is flagged as a vulnerability by Enterprise Security penetration test.


    Attempting to disable access to the public REST API by setting introscope.public.restapi.enabled=false in IntroscopeEnterpriseManager.properties.


    Expected:

    HTTP error response to metric data query (Example http://momhost:8081/data/query?agentRegex=(.*)&metricRegex=.*:Responses+Per+Interval&relativeTime=last1min&period=120&format=xml)

    Instead:
    The metric data values matching the input query are returned.



  • 2.  Re: Disable Rest API

    Broadcom Employee
    Posted Feb 28, 2018 06:04 PM

    Hi Richard,

    The introscope.public.restapi.enabled=false setting should disable the public REST API access.

    I think with that test you are accessing the older SOAP Introscope Web Services API, rather than the new REST API.

    APM REST API - CA Application Performance Management - 10.5 - CA Technologies Documentation

    Regards,

    Lynn



  • 3.  Re: Disable Rest API

    Posted Mar 01, 2018 09:17 AM

    Thank you for the response, Lynn.

    Can you tell me what it is about the test case that indicates it is the older SOAP API? Is it the "/data/query?"

    All I do is enter that URL in the browser with the correct host and port values and the response comes back in the browser.

    In any case, that was the URL that triggered the vulnerability failure in the penetration test, so that is the service I need to disable. Any ideas how to disable it?



  • 4.  Re: Disable Rest API

    Broadcom Employee
    Posted Mar 01, 2018 04:41 PM

    Hi Richard,

    The use of the agentRegex and metricRegex properties indicates that the Introscope SOAP Web Service API is being called, e.g. Metrics Data Web Service WSDL Definition - CA Application Performance Management - 10.5 - CA Technologies Documentation

    Normally to access the WSDL the prefix "introscope-web-services/services" is required, but I believe the "/data/query?" you used is also valid.

    I will check into whether it is possible to disable the Introscope SOAP Web Services API.

    Regards,

    Lynn



  • 5.  Re: Disable Rest API
    Best Answer

    Broadcom Employee
    Posted Mar 01, 2018 06:00 PM

    Hi Richard,

    I was incorrect about the Introscope SOAP Web Services API being accessible using "/data/query?" because it fails for me.

    I have now realised that "/data/query?" is only usable when you have the add-on Easy Integration Kit installed, which is available here: easyintegrationtoolkit.zip  Also this related Queries.zip

    "Easy Integration Toolkit is a web application that plugs into the Introscope Enterprise Manager and serves up data in response to HTTP queries."

    So you need to undeploy that application (data.war) to disallow the queries.

    (I will also rename the title of this question so the correct subject is more visible for the future.)

    Hope that helps

    Regards,

    Lynn
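A verification check for the remediation in the answer above, added by the editor and not part of the original thread: after undeploying data.war from the Enterprise Manager, re-run the exact query from the penetration-test finding and confirm it no longer returns data. The host and port (momhost:8081) are the thread's own placeholders. The verdict mapping (404 or no answer at the path = closed, 401/403 = restricted, 2xx = still open) is an assumption about how the EM's embedded web server answers once the toolkit is gone, not something the thread states, so adjust it to what your EM actually returns. The SOAP web-services prefix named in the thread is probed alongside only to show that it is a separate component from data.war.

```python
"""Check that the Easy Integration Toolkit query URL is closed after data.war
is undeployed. Editor's example; not code from the thread or from Broadcom."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# The parameters from the penetration-test finding quoted in the thread.
DEFAULT_PARAMS = {
    "agentRegex": "(.*)",
    "metricRegex": ".*:Responses Per Interval",
    "relativeTime": "last1min",
    "period": "120",
    "format": "xml",
}


def build_query_url(base, params=None):
    """Build the toolkit query URL, percent-encoding the regexes so a shell or
    proxy does not mangle the parentheses and asterisks."""
    merged = dict(DEFAULT_PARAMS, **(params or {}))
    return f"{base.rstrip('/')}/data/query?{urllib.parse.urlencode(merged)}"


def query_params(url):
    """Decode a URL's query string back into single-valued parameters."""
    parsed = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {key: values[0] for key, values in parsed.items()}


def classify(status):
    """Map an HTTP status to a verdict. None means no HTTP answer at all
    (connection refused, DNS failure, timeout). Mapping is an assumption."""
    if status is None:
        return "unreachable"  # inconclusive: the EM itself did not answer
    if status == 404:
        return "closed"       # nothing is deployed at that path any more
    if status in (401, 403):
        return "restricted"   # still deployed, but authentication is enforced
    if 200 <= status < 300:
        return "open"         # the finding still reproduces
    return "unknown"


def http_status(url, timeout=10):
    """GET the URL and return its status code. HTTP error codes are returned
    as-is; connection-level failures come back as None."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


def probe(url, fetch=http_status):
    """Return (status, verdict) for one URL. `fetch` is injectable so the
    decision logic can be exercised without a live Enterprise Manager."""
    status = fetch(url)
    return status, classify(status)


def main(base):
    targets = {
        "Easy Integration Toolkit (data.war)": build_query_url(base),
        # Separate component per the thread; not what undeploying data.war removes.
        "Introscope SOAP web services": f"{base.rstrip('/')}/introscope-web-services/services",
    }
    exit_code = 0
    for name, url in targets.items():
        status, verdict = probe(url)
        print(f"{verdict:<12}{str(status):<6}{name}: {url}")
        if name.startswith("Easy Integration"):
            if verdict == "open":
                exit_code = 1   # remediation did not take effect
            elif verdict == "unreachable":
                exit_code = 2   # inconclusive; check connectivity and port
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "http://momhost:8081"))
```

Run it once before undeploying data.war (expect "open" with a 200 on the toolkit line) and once after (expect "closed"). A "restricted" or "unreachable" verdict means the path is not actually gone or the EM could not be reached, so the finding is not yet closed either way.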



  • 6.  Re: Disable Rest API

    Posted Mar 06, 2018 07:52 AM

    Thank you Lynn.

    This is exactly what I needed!