 
Adding Services to a Blacklist
 
Integration Server provides the ability to block the invocation of services through use of a service blacklist. An attempt to invoke a blacklisted service results in an Access Denied error. This occurs whether the blacklisted service is a top-level service directly invoked by a client or trigger, a service invoked within another service, or a service invoked from Java code using Service.doInvoke( ). When using Designer to debug a service that calls a blacklisted service, attempts to invoke the blacklisted service result in an Access Denied error as well.
The service blacklist is different from using ACLs to control which users can view, edit, or execute services. The service blacklist can be used for all services, including those installed with Integration Server such as WmPublic and WmRoot services. Additionally, the service blacklist blocks execution only and blocks it for all users. The service blacklist does not hide the specified services from select users nor does it limit execution to users in a specific group. When viewing the services in a package, a blacklisted service still appears in Designer or in Integration Server Administrator.
When a blacklisted service is invoked, Integration Server writes the following to the server.log:
[ISS.0053.0002C] Access denied for user username on port portNumber -> directive/serviceName from ipAddress
Note: Integration Server writes the above server and error log message whenever a user is denied access, including situations where the user provides incorrect credentials or invokes a blacklisted service. The message alone therefore does not tell you that the blacklist was the cause.
When the Integration Server facility 0007 Authorization is set to the Debug level, Integration Server writes the following message to the server log after an attempt to invoke a blacklisted service:
[ISS.0007.0007D] ACLManager: service execution blocked; serviceName has been blacklisted via "watt.server.service.blacklist property"
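Because the [ISS.0053.0002C] message is written for every denial, a blacklist invocation is only distinguishable from a bad-credential or ACL denial by correlating it with the [ISS.0007.0007D] Debug-level message. The following is an added example, not part of the Software AG documentation, that parses a constructed server.log excerpt modelled on the two messages quoted above and classifies each denial. The timestamps, user names, port and IP addresses in the sample are made up, and the line layout (timestamp followed by the bracketed message id) is an assumption about the log format.

```python
import re

# Constructed sample server.log excerpt modelled on the two messages
# quoted in the text. Timestamps, users, port and addresses are made up;
# the exact line layout is an assumption, not Software AG's documented format.
SAMPLE_LOG = """\
2023-01-10 09:12:01 [ISS.0053.0002C] Access denied for user Developer on port 5555 -> invoke/pub.client:ftp from 10.0.0.7
2023-01-10 09:12:01 [ISS.0007.0007D] ACLManager: service execution blocked; pub.client:ftp has been blacklisted via "watt.server.service.blacklist property"
2023-01-10 09:13:44 [ISS.0053.0002C] Access denied for user guest on port 5555 -> invoke/wm.server:ping from 10.0.0.9
"""

# Generic access-denied message: written for any denial (credentials, ACL, blacklist).
DENIED_RE = re.compile(
    r"\[ISS\.0053\.0002C\] Access denied for user (?P<user>\S+) on port (?P<port>\d+) "
    r"-> (?P<directive>[^/]+)/(?P<service>\S+) from (?P<ip>\S+)"
)

# Debug-level message from facility 0007 Authorization; only present when
# that facility is set to Debug, and only for blacklist denials.
BLOCKED_RE = re.compile(
    r"\[ISS\.0007\.0007D\] ACLManager: service execution blocked; "
    r"(?P<service>\S+) has been blacklisted"
)


def classify_denials(log_text, lookahead=3):
    """Return a list of (user, service, ip, reason) tuples, one per denial.

    reason is "blacklist" when the same service name appears in an
    [ISS.0007.0007D] line within the next `lookahead` lines, otherwise
    "other" (incorrect credentials, ACL restriction, ...). Correlating by
    service name is a heuristic; on a busy server you would also compare
    timestamps or thread ids before trusting the classification.
    """
    lines = log_text.splitlines()
    results = []
    for i, line in enumerate(lines):
        m = DENIED_RE.search(line)
        if not m:
            continue
        service = m.group("service")
        reason = "other"
        for follow in lines[i + 1:i + 1 + lookahead]:
            b = BLOCKED_RE.search(follow)
            if b and b.group("service") == service:
                reason = "blacklist"
                break
        results.append((m.group("user"), service, m.group("ip"), reason))
    return results


if __name__ == "__main__":
    for user, service, ip, reason in classify_denials(SAMPLE_LOG):
        print(f"{reason:9} user={user} service={service} from={ip}")
```

If facility 0007 Authorization is not at Debug level, no [ISS.0007.0007D] line is written and every denial will be reported as "other"; raise the logging level before relying on this correlation.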
Integration Server provides the server configuration parameter watt.server.service.blacklist for creating the blacklist. You can use a comma-separated list or a file to specify the services on the blacklist and/or the interfaces whose services are on the blacklist.
For example, to place the pub.client:ftp service on the service blacklist, specify the following:
watt.server.service.blacklist=pub.client:ftp
To place all the services in the pub.client.ftp interface (folder) on the service blacklist, specify the following:
watt.server.service.blacklist=pub.client.ftp
To place both the pub.client:ftp service and the services in the pub.client.ftp interface on the service blacklist, specify the following:
watt.server.service.blacklist=pub.client.ftp,pub.client:ftp
Specifying a folder (interface) puts only the services directly in that folder on the service blacklist. Services that reside within a subfolder of the folder are not placed on the blacklist. For example, specifying watt.server.service.blacklist=pub.client places only the services in pub.client, such as pub.client:ftp, pub.client:http, pub.client:restClient, pub.client:smtp, pub.client:soapClient, and pub.client:websocket, on the blacklist; it does not place services in the subfolders pub.client.ftp, pub.client.ldap, pub.client.oauth, or pub.client.sftp on the service blacklist. To block those, list each subfolder explicitly.
When processing the service blacklist, Integration Server does not validate whether or not a service or interface actually exists on Integration Server. A misspelled entry is therefore accepted silently and blocks nothing. However, Integration Server does ensure that the service or interface name does not contain illegal characters. If the name contains illegal characters, Integration Server logs the error:
[ISS.0007.0010W] ACLManager: ignored blacklist entry entryName as it is not a valid service or interface name.
Wildcards cannot be used in the values for watt.server.service.blacklist or in the file that contains the service blacklist.
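To make the matching rules above concrete, the following is an added example, not Integration Server's own implementation, that models how a watt.server.service.blacklist value is parsed and how an invocation is checked against it: an entry containing a colon is an exact service name, an entry without one is a folder whose direct children are blocked, subfolders are not inherited, and entries with characters outside a plain dotted name are ignored. The character set accepted as "legal" in the regular expression, and the assumption that a wildcard character counts as an illegal character, are this example's own assumptions; the page does not define either.

```python
import re

# Assumed shape of a legal entry: dot-separated identifier segments for the
# folder, optionally followed by ":service". The page says illegal characters
# cause the entry to be ignored but does not list them; this pattern is an
# assumption, and it deliberately rejects '*' and '?' since wildcards are
# not supported.
_ENTRY_RE = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*"   # folder path
    r"(?::[A-Za-z_][A-Za-z0-9_]*)?$"                          # optional :service
)


def parse_blacklist(value):
    """Split a comma-separated watt.server.service.blacklist value.

    Returns (services, interfaces, ignored): exact service names,
    interface (folder) names, and entries dropped as invalid, which is
    where Integration Server would log [ISS.0007.0010W]. Existence of
    the service or folder is not checked, matching the documented behaviour.
    """
    services, interfaces, ignored = set(), set(), []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not _ENTRY_RE.match(entry):
            ignored.append(entry)
            continue
        if ":" in entry:
            services.add(entry)
        else:
            interfaces.add(entry)
    return services, interfaces, ignored


def is_blacklisted(service_name, services, interfaces):
    """True if invoking service_name would fail with Access Denied.

    A service is blocked if it is listed by name, or if the folder it
    lives in (everything before ':') is listed. Because the comparison is
    on the full folder path, a parent folder entry such as "pub.client"
    does not cover "pub.client.ftp:login".
    """
    if service_name in services:
        return True
    folder, _, _ = service_name.rpartition(":")
    return folder in interfaces


def check(value, service_name):
    """Convenience wrapper: parse the property value and test one service."""
    services, interfaces, _ = parse_blacklist(value)
    return is_blacklisted(service_name, services, interfaces)


if __name__ == "__main__":
    value = "pub.client, pub.client.ftp:login, pub.client:*"
    services, interfaces, ignored = parse_blacklist(value)
    print("ignored entries:", ignored)
    for svc in ("pub.client:ftp", "pub.client.ftp:login", "pub.client.ftp:get"):
        print(f"{svc}: {'blocked' if is_blacklisted(svc, services, interfaces) else 'allowed'}")
```

The subfolder rule is the one most often misjudged in practice: blacklisting pub.client blocks pub.client:ftp but leaves pub.client.ftp:login callable, so audit the effective set of blocked services rather than trusting the folder name.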
Note: Do not blacklist a service critical to the functioning of Integration Server.