On 20/04/2021 10.24, Jake Reynolds via FreeIPA-users wrote:
> Thanks for the response.
> I appreciate the inter-dependency, and a firewall probably is the workaround that I'm
> going to use - but it still seems a lazy approach? To just hide/restrict a security
> problem rather than fixing the root cause. I was hoping there would be a better approach,
> and I expected other users to have had these alerts flagged by vulnerability scanners if
> I'm honest.
We cannot bind the ports of PKI Dogtag's Tomcat instance to
localhost-only. FreeIPA uses HTTPS with client cert authentication to
talk to Dogtag. HTTPS verifies that the hostname matches the hostname in
the certificate. Although only local processes talk to local Tomcat
instances, it is not possible to do that over localhost. The FQDN
typically only resolves to public interfaces. We also don't want to
create certificates with "localhost" SAN.
If you don't want to add firewall rules, then you can also use systemd
to block external access to Dogtag's Tomcat service with a service override:
# systemctl edit pki-tomcatd@pki-tomcat.service
[Service]
# IPAddressAllow= only filters together with IPAddressDeny=; deny everything first
IPAddressDeny=any
# keep this host's own addresses: local clients reach Dogtag via the FQDN, not via loopback
IPAddressAllow=localhost <this host's IPv4/IPv6 addresses>
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH,
https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
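The systemd override described in the reply above, worked through as a complete drop-in plus the commands to apply and verify it. This is an added example, not code from the thread or from the FreeIPA or Dogtag projects. It assumes the unit name `pki-tomcatd@pki-tomcat.service` given in the reply, takes this host's own IP addresses as parameters (the FQDN's addresses, which must remain reachable because FreeIPA's httpd reaches Dogtag, and Dogtag reaches 389-ds, via the FQDN rather than loopback), and uses the drop-in file name `ip-restrict.conf`, which is a choice made here. `localhost` is the systemd symbolic name for the loopback ranges; `IPAddressDeny=any` is required because `IPAddressAllow=` alone filters nothing, and the filter applies to the service's outgoing connections as well as incoming ones.

```shell
#!/bin/sh
# Added example: restrict pki-tomcatd@pki-tomcat.service to loopback plus this
# host's own addresses using systemd's cgroup IP filtering.
set -e

UNIT="pki-tomcatd@pki-tomcat.service"

# Print the drop-in content. Positional arguments are this host's own
# IPv4/IPv6 addresses (what the FQDN resolves to); they stay allowed because
# local FreeIPA components connect to Dogtag by FQDN, not via 127.0.0.1.
override_conf() {
    printf '[Service]\n'
    printf '# Deny everything first; IPAddressAllow= alone filters nothing.\n'
    printf 'IPAddressDeny=any\n'
    printf 'IPAddressAllow=localhost %s\n' "$*"
}

# Write the drop-in below a systemd config root given as $1
# (for example /etc/systemd/system) and print the resulting file path.
write_override() {
    root="$1"; shift
    dir="$root/$UNIT.d"
    mkdir -p "$dir"
    override_conf "$@" > "$dir/ip-restrict.conf"
    printf '%s\n' "$dir/ip-restrict.conf"
}

# Apply on a live host (needs root and systemd), then print the effective
# properties so the restriction can be confirmed from the unit itself.
apply_live() {
    write_override /etc/systemd/system "$@"
    systemctl daemon-reload
    systemctl restart "$UNIT"
    systemctl show -p IPAddressDeny -p IPAddressAllow "$UNIT"
}

# Usage on the IPA server, as root, with this host's addresses:
#   apply_live 192.0.2.10 2001:db8::10
```

After applying, connections to the Dogtag ports from any other host are dropped by the kernel before Tomcat sees them, while `ipa cert-show` and other operations that go through the local FQDN keep working; a connection attempt from a second machine to port 8443 is the quickest way to confirm the scanner finding is gone. If the override leaves out the host's own addresses, the symptom is FreeIPA's httpd timing out against Dogtag and Dogtag failing to reach the LDAP server, which is exactly the inter-dependency the reply explains.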