Enabling virtual hosts for the server1 service

The Cloud APM server server1 process is susceptible to the External service interaction (DNS) vulnerability. An artificially modified HTTP HOST header value might cause the Cloud APM server to perform a DNS lookup of another host if the HTTP HOST header does not specify the host name of the Cloud APM server. You can mitigate this vulnerability by creating a virtual host definition for the server1 process.

Procedure

Complete these steps to add a virtual host definition for the server1 process to the user-exit.xml file:

  1. Upgrade one of your OS agents to the version in the Cloud APM V8.1.4.0.7 or later agent refresh release.
    See Agent and data collector version in Cloud APM, Private releases in the APM Developer Center for more details on the OS agent versions included in the V8.1.4.0 agent refreshes. The OS agent upgrade updates the OS agent application support on the Cloud APM server and provides a fix that is required for using the OS agent log file monitoring configuration UI when a virtual host is defined for the server1 process.
  2. Apply Cloud APM V8.1.4.0 server interim fix 8 or later.
    Interim fixes for the Cloud APM server V8.1.4.0 are available from IBM Fix Central.
  3. Open the install_dir/wlp/usr/servers/server1/user-exit.xml file in a text editor.
  4. Add the following virtual host definition with its <hostAlias> entries:
    <virtualHost id="default_host">
       <hostAlias>${hostname.long.apmui}:8090</hostAlias>
       <hostAlias>${hostname.long.apmui}:8091</hostAlias>
       <hostAlias>${hostname.short.apmui}:8090</hostAlias>
       <hostAlias>${hostname.short.apmui}:8091</hostAlias>
       <hostAlias>${hostname.ip.apmui}:8090</hostAlias>
       <hostAlias>${hostname.ip.apmui}:8091</hostAlias>
       <hostAlias>localhost:8090</hostAlias>
       <hostAlias>localhost:8091</hostAlias>
       <hostAlias>127.0.0.1:8090</hostAlias>
       <hostAlias>127.0.0.1:8091</hostAlias>
    </virtualHost>
    The host aliases define the specific HTTP HOST header values that are accepted in HTTP requests to the server1 process, for example, in Threshold Manager API requests. If the HTTP HOST header of a request does not specify one of these aliases, an HTTP 404 response code is returned and no DNS lookup is performed.
    Note: Cloud APM V8.1.4.0 server interim fix 8 or later automatically creates virtual host aliases for the apmui, oidc, and uviews services. If you want to protect the Cloud APM server min process from a similar vulnerability, perform the steps in Enabling virtual hosts for agent traffic.
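
The following audit of the alias list from step 4 is an added example, not part of the original procedure or of IBM's code. The function names, the sample variable values and the embedded XML are constructed, and the matching in host_allowed is a simplified model (exact host:port or a *:port wildcard), not the server's own logic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: part of the step 4 block, plus a wildcard alias left in by mistake.
SAMPLE_XML = """<server>
  <virtualHost id="default_host">
    <hostAlias>${hostname.long.apmui}:8090</hostAlias>
    <hostAlias>${hostname.short.apmui}:8090</hostAlias>
    <hostAlias>${hostname.ip.apmui}:8090</hostAlias>
    <hostAlias>localhost:8090</hostAlias>
    <hostAlias>*:8091</hostAlias>
  </virtualHost>
</server>"""

# Constructed values; on a real server the variables are resolved by the server itself.
SAMPLE_VARS = {
    "hostname.long.apmui": "apm.example.com",
    "hostname.short.apmui": "apm",
    "hostname.ip.apmui": "192.0.2.10",
}

def load_aliases(xml_text, variables, vhost_id="default_host"):
    """Return the expanded, lower-cased host:port aliases of one virtualHost."""
    aliases = set()
    for vhost in ET.fromstring(xml_text).iter("virtualHost"):
        if vhost.get("id") != vhost_id:
            continue
        for alias in vhost.iter("hostAlias"):
            text = (alias.text or "").strip()
            # Unknown variables are left unexpanded so they stand out in the result.
            text = re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), text)
            aliases.add(text.lower())
    return aliases

def audit(aliases, variables, ports=(8090, 8091)):
    """Return (wildcard aliases that accept any host, expected aliases that are absent)."""
    wildcards = sorted(a for a in aliases if "*" in a)
    hosts = list(variables.values()) + ["localhost", "127.0.0.1"]
    expected = {f"{h.lower()}:{p}" for h in hosts for p in ports}
    return wildcards, sorted(expected - aliases)

def host_allowed(host_header, aliases):
    """Simplified model: exact host:port match, or a *:port wildcard for that port."""
    value = host_header.strip().lower()
    port = value.rpartition(":")[2]
    return value in aliases or f"*:{port}" in aliases

if __name__ == "__main__":
    print(audit(load_aliases(SAMPLE_XML, SAMPLE_VARS), SAMPLE_VARS))
```

A wildcard alias reported by audit means that any HOST header value is accepted on that port, so the restriction from step 4 does not apply there.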