Environment
Novell Access Management 3 Linux Novell Identity Server
Situation
On a freshly installed Identity Server from the shipping code, the /admin and
/manager contexts are enabled by default, e.g. navigate to http://:8080/admin
and http://:8080/manager. When these paths are requested on the Identity Server,
a request to authenticate is sent to the browser. No Tomcat users are configured,
so authentication to these servlets is not possible. However, these links should be
disabled and not allowed.
Resolution
Although the servlet is not functional, it is enabled and will be flagged by security
scanners as a possible vulnerability. To prevent these links from doing anything, the
administrator needs to manually remove the following 2 files:
/var/opt/novell/tomcat4/webapps/admin.xml
/var/opt/novell/tomcat4/webapps/manager.xml
This will be done automatically in Access Manager 3 SP1.
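
The removal step above as a repeatable script. This is an added example, not Novell's code. It moves the two descriptors to a backup directory instead of deleting them so the change can be reverted. The backup directory, the function names and the base URL argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: disable the Tomcat admin/manager contexts named in this TID.
WEBAPPS_DEFAULT=/var/opt/novell/tomcat4/webapps   # path taken from the TID

# disable_contexts WEBAPPS BACKUP_DIR
# Moves admin.xml and manager.xml out of WEBAPPS into BACKUP_DIR.
# BACKUP_DIR must lie outside WEBAPPS so the files are not picked up again.
# Safe to run repeatedly. Returns 0 only when neither descriptor remains.
disable_contexts() {
    webapps=${1:-$WEBAPPS_DEFAULT}
    webapps=${webapps%/}
    backup=$2
    [ -n "$backup" ] || { echo "usage: disable_contexts WEBAPPS BACKUP_DIR" >&2; return 2; }
    [ -d "$webapps" ] || { echo "no such directory: $webapps" >&2; return 2; }
    case "$backup/" in
        "$webapps"/*) echo "backup dir must be outside $webapps" >&2; return 2 ;;
    esac
    mkdir -p "$backup" || return 2
    for name in admin.xml manager.xml; do
        if [ -e "$webapps/$name" ]; then
            mv "$webapps/$name" "$backup/$name.disabled" || return 1
            echo "moved $webapps/$name to $backup/$name.disabled"
        fi
    done
    [ ! -e "$webapps/admin.xml" ] && [ ! -e "$webapps/manager.xml" ]
}

# context_prompts_for_auth BASE_URL PATH
# Returns 0 if the path still answers HTTP 401, i.e. the authentication
# prompt described in the Situation section. BASE_URL is supplied by the
# caller (scheme, host and port 8080 of the Identity Server).
# Assumption: once the descriptors are gone and Tomcat has reloaded its
# contexts, /admin and /manager no longer return 401.
context_prompts_for_auth() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1$2")
    [ "$code" = "401" ]
}

# Typical use on the Identity Server (backup path is an example):
#   disable_contexts "" /root/tomcat-disabled-contexts
```

After running `disable_contexts`, call `context_prompts_for_auth` for `/admin` and `/manager`; a zero return means the context is still answering with an authentication prompt.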