3.10 Securing Identity Server Web Service Interface

By default, the web service interface of Identity Server (for example, /nidp/services/IDSISCredentialProfile?wsdl) is reachable by anyone who can connect to the server; no authentication is required to request it. Identity Servers and Access Gateways use this interface to update credential profile information, but an attacker who can reach it can also abuse it to bring Identity Server down.

You can prevent this by configuring the WSInterfaceFilter filter in /opt/novell/nids/lib/webapp/WEB-INF/web.xml and adjusting the filter's parameter values to your requirements.

The following parameters are associated with the WSInterfaceFilter filter:

activateWSFFirewall
    Activates the filter. Specify True to activate it; the remaining parameters have no effect until it is activated.

shieldAllServices
    Specifies whether to shield all web services under /nidp/services (True) or only the services listed in wsURIList (False).

wsfAcceptedDevicesIPList
    Comma separated list of IP addresses that are allowed to access the /nidp/services interface. No whitespace is allowed. Every Identity Server and Access Gateway that must update credential profile information has to be included, otherwise their legitimate updates are blocked as well.

wsURIList
    Comma separated list of the web services to place behind the filter when shieldAllServices is set to False. No whitespace is allowed.

For example, to filter requests for the <host>/nidp/services/IDSISAuthenticationProfile service, specify IDSISAuthenticationProfile as the param-value for wsURIList. Both the WSDL and the service itself are then placed behind the firewall.

NOTE: For certain web services, an administrator can also define a policy in Administration Console. If a policy is defined for a service that is listed in wsURIList, the policy is evaluated only after the request has passed this filter; the filter is always applied first.
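The following fragment is an added example of what the WSInterfaceFilter configuration described above can look like in WEB-INF/web.xml. It is not the web.xml shipped with the product: the filter-class value and the filter-mapping are placeholders that you must take from the existing web.xml, and the two IP addresses are constructed values standing in for the Identity Server and Access Gateway nodes that legitimately call /nidp/services.

```xml
<!-- Added example of a WSInterfaceFilter configuration (not the shipped web.xml).
     Placeholders: the filter-class and the filter-mapping below are assumptions;
     keep the values already present in your web.xml. The addresses 10.0.0.11 and
     10.0.0.12 are constructed examples for the Identity Server and Access Gateway. -->
<filter>
  <filter-name>WSInterfaceFilter</filter-name>
  <!-- ASSUMPTION: placeholder; use the filter-class from the shipped web.xml -->
  <filter-class>com.example.WSInterfaceFilter</filter-class>

  <!-- Activate the filter. The remaining parameters are ignored while this is False. -->
  <init-param>
    <param-name>activateWSFFirewall</param-name>
    <param-value>True</param-value>
  </init-param>

  <!-- False: shield only the services named in wsURIList.
       True: shield every service under /nidp/services (wsURIList is then not needed). -->
  <init-param>
    <param-name>shieldAllServices</param-name>
    <param-value>False</param-value>
  </init-param>

  <!-- Comma separated, no whitespace. Only these source addresses may reach the
       shielded services; list every Identity Server and Access Gateway node. -->
  <init-param>
    <param-name>wsfAcceptedDevicesIPList</param-name>
    <param-value>10.0.0.11,10.0.0.12</param-value>
  </init-param>

  <!-- Comma separated service names, no whitespace. Each entry shields both the
       service endpoint and its ?wsdl document under /nidp/services. -->
  <init-param>
    <param-name>wsURIList</param-name>
    <param-value>IDSISCredentialProfile,IDSISAuthenticationProfile</param-value>
  </init-param>
</filter>

<!-- ASSUMPTION: mapping onto the services path inside the /nidp web application;
     the shipped web.xml may already contain an equivalent mapping. -->
<filter-mapping>
  <filter-name>WSInterfaceFilter</filter-name>
  <url-pattern>/services/*</url-pattern>
</filter-mapping>
```

A web.xml change takes effect only after the Identity Server web application is restarted. After the restart, verify the result from both sides: a request for /nidp/services/IDSISCredentialProfile?wsdl from an address that is not in wsfAcceptedDevicesIPList must be rejected, while the same request from a listed Identity Server or Access Gateway address must still succeed. If shieldAllServices is set to True, every service under /nidp/services behaves this way, which is the safer choice when you are not sure which services outsiders might probe.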