Tomcat 7 hardening in Windows IDP server shows access to the /manager/html link

  • 7012003
  • 22-Mar-2013
  • 22-Mar-2013

Environment


NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 1 applied
NetIQ Access Manager 3.2 Admin Console on Windows 2008 Server

Situation

The Admin Console installer on Windows uses a silent Tomcat installer, which also installs
the Tomcat manager application. Unlike on the Linux IDP server or Access Gateway, Tomcat is
not hardened, and some services that should not be present are left in place.

Resolution

The files in the /manager folders can be deleted manually without impacting NAM functionality.
Modifying web.xml to prevent access is also an option, but deleting the files is the recommended approach.
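
The following PowerShell script is an added example, not part of the original document or of NetIQ's tooling. It reports (or, with -Remove, deletes) the manager application and then confirms that /manager/html no longer answers. It assumes a stock Tomcat 7 directory layout; the TomcatHome and BaseUrl parameters are hypothetical names that the operator must supply, because this document gives neither the install path nor the port.

```powershell
# Added example: audit, and optionally remove, the Tomcat manager application.
# Assumptions: stock Tomcat 7 layout; -TomcatHome and -BaseUrl come from the operator.
# Stop the Tomcat service before using -Remove, since Windows can lock deployed files.
param(
    [Parameter(Mandatory = $true)][string]$TomcatHome,  # Tomcat install directory
    [Parameter(Mandatory = $true)][string]$BaseUrl,     # scheme://host:port of the server
    [switch]$Remove                                     # delete instead of report only
)

# Places where a stock Tomcat 7 may hold the manager application (assumed layout).
$targets = @(
    (Join-Path $TomcatHome 'webapps\manager'),
    (Join-Path $TomcatHome 'conf\Catalina\localhost\manager.xml'),
    (Join-Path $TomcatHome 'work\Catalina\localhost\manager')
)

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Output "ABSENT   $path"; continue }
    if ($Remove) {
        Remove-Item -LiteralPath $path -Recurse -Force
        Write-Output "REMOVED  $path"
    } else {
        Write-Output "PRESENT  $path"
    }
}

# Return the HTTP status code for a URL without following redirects.
function Get-HttpStatus([string]$Url) {
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Timeout = 10000
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch {
        # Error statuses (401, 404, ...) surface as a WebException, possibly wrapped.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { return [int]$ex.Response.StatusCode }
        throw  # no HTTP response at all (connection refused, untrusted certificate)
    }
}

# After removal and a Tomcat restart, the link from the title should return 404.
$code = Get-HttpStatus ($BaseUrl.TrimEnd('/') + '/manager/html')
if ($code -eq 404) { Write-Output "OK       /manager/html returns 404" }
else { Write-Output "CHECK    /manager/html returns HTTP $code" }
```

Run it once without -Remove to see what is present, then again with -Remove while the service is stopped, and a final time after restarting Tomcat to confirm the 404.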