IBM Support

Disable the internal web server (port 3661) in your ITM environment

Technical Blog Post


Abstract

Disable the internal web server (port 3661) in your ITM environment

Body

We are getting regular requests from customers who are concerned about the vulnerabilities reported against port 3661, the internal web server of the ITM components, and who want to disable that internal web server.

The easiest solution is to configure each agent locally and choose to disable the HTTP server during the agent configuration.

But what if you have many hundreds or thousands of agents and want to make this change at scale? Doing it locally on every host is a lot of work, while there is a way to change the configuration from a central point.

How to do this?

 

First of all, you must be at least at ITM 6.3 FP4 in order to have the tacmd enhancements of APAR IV63269.

The most practical way is this command:
tacmd setAgentConnection -n MANAGED-OS -p DISABLE_HTTP=YES -a
 
The '-a' option applies the change to all agents installed in the same $CANDLEHOME on that system. An OS agent must be installed on the system in order to make this change. The value given to '-n' is the managed system name of the OS agent (Primary:host:NT, host:LZ, host:KUX and so on).
 
For example:
$CANDLEHOME/bin/tacmd setagentconnection -n Primary:target:NT -p DISABLE_HTTP=YES -a
$CANDLEHOME/bin/tacmd setagentconnection -n target:LZ -p DISABLE_HTTP=YES -a
$CANDLEHOME/bin/tacmd setagentconnection -n target:KUX -p DISABLE_HTTP=YES -a
 
You can also use these options for a bulk deployment:
{-g|--deploygroup DEPLOY_GROUP_NAME}
{-b|--bundlegroup BUNDLE_GROUP_NAME}
 
For example:
1° $CANDLEHOME/bin/tacmd creategroup -g NOHTTP -t DEPLOY -p KDY.DISABLE_HTTP=YES
=> this will create a deploy group called NOHTTP

2° $CANDLEHOME/bin/tacmd creategroup -g NOHTTPSERVER -t BUNDLE -p KDY.DISABLE_HTTP=YES
=> this will create a bundle group called NOHTTPSERVER

3° $CANDLEHOME/bin/tacmd addgroupmember -g NOHTTP -t DEPLOY -m target
=> this adds a target to the deploy group NOHTTP. Run this command once for every target on which you want to change the parameter; each target is added individually, by hostname or IP address. When you then check with 'tacmd getdeploystatus -g <ID>', you may get the following error even though the IP address is valid:
KDY0012E:  The target x.x.x.x is incorrect or is offline. The command did not complete because the value for the target is incorrect or the target is offline.

In that case, remove the reported IP address with '$CANDLEHOME/bin/tacmd deletegroupmember -g NOHTTP -t DEPLOY -m x.x.x.x' and add the corresponding fully-qualified domain name instead with '$CANDLEHOME/bin/tacmd addgroupmember -g NOHTTP -t DEPLOY -m target.domain.com'.

4° $CANDLEHOME/bin/tacmd setagentconnection -g NOHTTP -b NOHTTPSERVER -a
=> this runs the setagentconnection command on all the targets that have been added to NOHTTP, with the parameters carried by the bundle group NOHTTPSERVER
 
For more info about the 'tacmd setagentconnection' command:
https://www.ibm.com/support/knowledgecenter/en/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/cmdref/setagentconnection.htm#setagentconnection

Important remarks:
- to minimize problems, run these commands on the TEMS server
- do not specify the TEMS or the TEPS as targets, as this will break some functionality of the TEMS and TEPS
- after the change, verify on an agent host that nothing is listening on port 3661 any more (for example with 'netstat -an' or, on Linux, 'ss -ltn'); an agent still answering on that port has not picked up the new setting
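As an added example (not IBM's code and not part of the original post), the script below wraps the four deploy-group steps in shell functions, parses 'tacmd getdeploystatus' output for the KDY0012E message so the offending IP address can be swapped for its fully-qualified name, and offers a post-change probe of port 3661. Everything beyond the tacmd invocations shown above is an assumption: the default $CANDLEHOME of /opt/IBM/ITM, the TACMD override used for dry-running, the targets file with one host per line, the reverse lookup through getent, and the constructed status excerpt.

```shell
#!/bin/bash
# Added example, not IBM's code: drive the deploy-group procedure from the
# TEMS host and retry KDY0012E targets with their FQDN.
# Assumptions (not from the post): CANDLEHOME defaults to /opt/IBM/ITM; TACMD
# can be pointed at another binary (TACMD=echo prints the commands instead of
# running them); group names and the targets file are illustrative; FQDNs are
# looked up with getent, which needs a working reverse-DNS or /etc/hosts entry.

CANDLEHOME="${CANDLEHOME:-/opt/IBM/ITM}"
DEPLOY_GROUP="${DEPLOY_GROUP:-NOHTTP}"
BUNDLE_GROUP="${BUNDLE_GROUP:-NOHTTPSERVER}"

tacmd() { "${TACMD:-$CANDLEHOME/bin/tacmd}" "$@"; }

# Single-host variant: disable the HTTP server for every agent sharing the
# OS agent's CANDLEHOME (managed system name such as Primary:host:NT, host:LZ).
disable_on_host() { tacmd setagentconnection -n "$1" -p DISABLE_HTTP=YES -a; }

# Steps 1 and 2: deploy group and bundle group carrying KDY.DISABLE_HTTP=YES.
create_groups() {
  tacmd creategroup -g "$DEPLOY_GROUP" -t DEPLOY -p KDY.DISABLE_HTTP=YES &&
  tacmd creategroup -g "$BUNDLE_GROUP" -t BUNDLE -p KDY.DISABLE_HTTP=YES
}

# Step 3: one addgroupmember call per target, read from a file (one hostname
# or IP address per line; the targets file is an assumption of this example).
add_targets() {
  while IFS= read -r target; do
    [ -n "$target" ] || continue
    tacmd addgroupmember -g "$DEPLOY_GROUP" -t DEPLOY -m "$target"
  done < "$1"
}

# Step 4: push the setting to every member of the deploy group.
apply_setting() { tacmd setagentconnection -g "$DEPLOY_GROUP" -b "$BUNDLE_GROUP" -a; }

# Pull the target named in each KDY0012E line out of getdeploystatus output (stdin).
kdy0012e_targets() {
  sed -n 's/.*KDY0012E:[[:space:]]*The target \([^[:space:]]*\) is incorrect or is offline.*/\1/p'
}

# Reverse-resolve an address; an empty result means the admin must supply the name.
fqdn_for() { getent hosts "$1" | awk '{ print $2; exit }'; }

# Swap a member that failed with KDY0012E for its fully-qualified domain name.
replace_member() {
  tacmd deletegroupmember -g "$DEPLOY_GROUP" -t DEPLOY -m "$1" &&
  tacmd addgroupmember -g "$DEPLOY_GROUP" -t DEPLOY -m "$2"
}

# For every KDY0012E target in the status output on stdin, replace IP by FQDN.
retry_offline() {
  kdy0012e_targets | while IFS= read -r ip; do
    fqdn=$(fqdn_for "$ip")
    if [ -z "$fqdn" ]; then
      echo "no reverse lookup for $ip; add its FQDN with addgroupmember by hand" >&2
      continue
    fi
    replace_member "$ip" "$fqdn"
  done
}

# Post-change check: does the agent host still accept TCP connections on the
# given port (3661 for the internal web server)? Uses bash's /dev/tcp;
# returns 0 when something is listening, non-zero otherwise.
port_listens() { (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null; }

# Constructed getdeploystatus excerpt for the demo below (not real output).
SAMPLE_STATUS='KDY0012E:  The target 10.1.2.3 is incorrect or is offline. The command did not complete because the value for the target is incorrect or the target is offline.'

main() {
  create_groups
  add_targets "$1"
  apply_setting
  # Once setagentconnection has reported its transaction ID, re-check with
  # getdeploystatus and swap KDY0012E targets for their FQDN before re-running.
  if [ -n "$2" ]; then
    tacmd getdeploystatus -g "$2" | retry_offline
  fi
}

case "${1:-}" in
  run)  main "${2:-targets.txt}" "${3:-}" ;;
  demo) printf '%s\n' "$SAMPLE_STATUS" | kdy0012e_targets ;;
esac
```

Run it first as 'TACMD=echo ./nohttp.sh run targets.txt' to see the exact tacmd commands that would be issued, then without the override on the TEMS. 'port_listens agenthost 3661' after the agents have restarted should fail; if it succeeds, that agent did not pick up the new setting.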

 

Hope this helps.


UID

ibm11084293