Securing the ActivID AS Services

General Considerations

ActivID AS is a Java-based application that exposes HTTPS for communicating with the web browsers that the operators and users are using to access the ActivID AS portals.

The HTTPS engine also provides a web services interface for some of the ActivID AS APIs and exposes these APIs via SOAP or RESTful endpoints.

Avoid Service Discovery

To avoid service discovery and fingerprinting, it is recommended that you restrict access to the WSDL by filtering the following URL patterns at the reverse proxy level:

/4TRESS/.?.[Ww][Ss][Dd][Ll]
/4TRESS/.*\.xsd
/ac-4tress-jmxwrap/.?.[Ww][Ss][Dd][Ll]
/ac-4tress-jmxwrap/.*\.xsd
/ac-iasp-backend-jaxws/.?.[Ww][Ss][Dd][Ll]
/ac-iasp-backend-jaxws/.*\.xsd
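To check what such a deny list actually catches before deploying it, here is an added example (not from HID's documentation) that applies the patterns above as unanchored regular expressions to constructed sample request targets; the sample paths are assumptions, not actual ActivID AS endpoint URLs.

```python
import re
from typing import Optional

# Deny patterns as listed in the hardening guidance above, treated as unanchored
# regular expressions evaluated against the full request target (path + query).
DENY_PATTERNS = [
    r"/4TRESS/.?.[Ww][Ss][Dd][Ll]",
    r"/4TRESS/.*\.xsd",
    r"/ac-4tress-jmxwrap/.?.[Ww][Ss][Dd][Ll]",
    r"/ac-4tress-jmxwrap/.*\.xsd",
    r"/ac-iasp-backend-jaxws/.?.[Ww][Ss][Dd][Ll]",
    r"/ac-iasp-backend-jaxws/.*\.xsd",
]
_COMPILED = [re.compile(p) for p in DENY_PATTERNS]


def matching_rule(request_target: str) -> Optional[str]:
    """Return the first deny pattern that matches, or None if the request passes.

    The WSDL patterns rely on the '?wsdl' query string, so the proxy rule must be
    evaluated against path *and* query (e.g. nginx $request_uri), not the path
    alone: nginx 'location ~' and Apache <LocationMatch> see only the path part.
    """
    for rx in _COMPILED:
        if rx.search(request_target):
            return rx.pattern
    return None


def is_blocked(request_target: str) -> bool:
    return matching_rule(request_target) is not None


def coverage_report(request_targets):
    """Map each sample request target to the rule that denies it (or None)."""
    return {t: matching_rule(t) for t in request_targets}


if __name__ == "__main__":
    # Constructed sample request targets (assumed, not real ActivID AS URLs).
    samples = [
        "/4TRESS/a?wsdl",
        "/4TRESS/schemas/Auth.xsd",
        "/ac-iasp-backend-jaxws/s?WSDL",
        "/4TRESS/services/Auth",  # legitimate API call, must stay reachable
    ]
    for target, rule in coverage_report(samples).items():
        verdict = "DENY " if rule else "ALLOW"
        print(f"{verdict} {target}" + (f"  <- {rule}" if rule else ""))
```

Run it against the WSDL and XSD URLs your deployment really serves, plus a few legitimate API calls: any discovery URL the report lists as ALLOW means the pattern or the proxy's matching scope needs adjusting before the filter is relied on.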

Legacy Service Support

Warning! All services SHOULD be configured to use the strongest security possible. If legacy compatibility is required then the security vulnerabilities should be understood before enabling.

Legacy SOAP Web Services

Previous versions have an RPC SOAP Web Service which is now replaced by a Web Service Basic Profile compliant service. This legacy RPC service uses the Axis 1.4 framework which is no longer maintained and has known security vulnerabilities. Only enable this if support of the legacy RPC Web Service is mandated.

Legacy Applet

The ActivID Self-Service Portal contained a Web-based Soft Token (ActivID Token for Web) to generate an OTP for user authentication.

For security reasons, ActivID Tokens for Web are no longer supported. Any affected users should be migrated to alternative authentication methods such as a mobile application.

If you want to continue using web soft tokens (not recommended), contact HID Global Professional Services.