Access Manager security concerns with active default tomcat servlets

  • 3549647
  • 02-Jan-2007
  • 26-Apr-2012


Novell Access Management 3 Linux Novell Identity Server


With a freshly installed Identity Server from the shipping code, the /admin and
/manager contexts are enabled by default, e.g. navigating to http://:8080/admin
and http://:8080/manager on the Identity Server prompts the browser to
authenticate. No tomcat users are configured, so authentication to these servlets
is not possible. Nevertheless, these links should be disabled and not allowed.


Although the servlet is not functional, it is enabled and will be flagged by security
scanners as a possible vulnerability. To prevent these links from doing anything, the
admin will need to manually remove the following 2 files:


This will be done automatically in Access Manager 3 SP1.
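As an added verification check (not part of this TID or of the Access Manager product), the script below requests the two default contexts on port 8080 and reports whether each still answers; the 401 authentication prompt described above is treated as the scanner-visible symptom, and a 404 as confirmation that the context is gone. The host name, the fetch helper and the verdict strings are assumptions of this example.

```python
"""Check whether the tomcat /admin and /manager contexts on an Identity Server
are still reachable (expected to be gone once the context files are removed).
Assumptions: port 8080 and the two paths come from the TID; the host name is a
placeholder and the fetch helper is part of this example, not the product."""
import urllib.error
import urllib.request

CONTEXTS = ("/admin", "/manager")


def http_status(url, timeout=5):
    """Return the HTTP status for a GET of url, or None if no HTTP reply."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 401/404/... still carry a code
        return err.code
    except urllib.error.URLError:           # refused, DNS failure, timeout
        return None


def classify(status):
    """Map a status code to a verdict for a default admin/manager context."""
    if status is None:
        return "UNREACHABLE: no HTTP response"
    if status == 401:
        return "ENABLED: context present, authentication prompt (scanner finding)"
    if status in (200, 403):
        return "ENABLED: context present and responding"
    if status == 404:
        return "DISABLED: context not deployed"
    return "UNKNOWN: status %d" % status


def audit(base_url, fetch=http_status):
    """Probe each default context; returns {path: (status, verdict)}."""
    results = {}
    for path in CONTEXTS:
        status = fetch(base_url.rstrip("/") + path)
        results[path] = (status, classify(status))
    return results


def all_disabled(results):
    """True only when every default context answers 404."""
    return all(status == 404 for status, _ in results.values())


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://identity-server.example:8080"
    res = audit(base)
    for path, (status, verdict) in res.items():
        print(path, status, verdict)
    sys.exit(0 if all_disabled(res) else 1)
```

Run it against the Identity Server before and after removing the context files; the exit status is non-zero while either context still answers.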