
Penetration testing has come up with the recommendation to remove the internal hostname of the CommServe node from the metadata of the Command Centre web site. Viewing the source of the page, there is the cvApp={} definition (~5000 characters) and within that, the definition:

"CommcellConsoleUrl":"http://node01.domain:81/console" 

Where node01.domain is the internal FQDN of the active CS server. Is there a way of suppressing this string? There is no similar reference when using the WebConsole.

We have a separate proxy server sat in the DMZ that external users connect to (MSP environment) that hosts the web console with the web server on the CommServe.

Hey @Mike London UK, good question. Let me confirm where that is fed from and if it is something that can be changed.


The URL you are seeing points to a defined link that opens the CommCell Console. Removing this information would potentially break other portions of the console.

In and of itself, the information doesn’t help without login credentials.

Let me know if that explains why it is showing up and if you have any further questions.


Thanks Mile, that’s enough to go back to the auditors with.


Hi Mike

Just to follow up here, the item referenced, CommcellConsoleUrl, is actually configurable via an additional setting. So if you prefer to replace the internal FQDN with the public-facing FQDN, that may also help with your security audit concern.

https://documentation.commvault.com/commvault/v11_sp20/article?p=4361.htm

I’m guessing http:81 won’t be permitted through a firewall, but the console is also addressable via the Tomcat Web Console service on https://webconsole_fqdn/console, so these resources will be presented on a consistent URL.

If any of your internal users access the Java console using the internal web URL, you will need to ensure the public FQDN is resolvable internally.

Thanks,

Stuart
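
A check that can be re-run against the Command Center page source after the setting is changed, added here as an example (not part of the original thread and not Commvault code): it pulls every CommcellConsoleUrl value out of the page and flags a host other than the expected public FQDN, a non-HTTPS scheme, or a non-standard port. The two sample pages and the name backup.example.com are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Matches the key/value pair exactly as quoted in the question.
# The rest of the cvApp object is deliberately not parsed.
URL_RE = re.compile(r'"CommcellConsoleUrl"\s*:\s*"([^"]*)"')


def check_console_url(page_source, public_fqdn):
    """Return (url, reason) findings for each CommcellConsoleUrl in the page."""
    findings = []
    for raw in URL_RE.findall(page_source):
        url = raw.replace("\\/", "/")  # tolerate JSON-escaped slashes
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host != public_fqdn.lower():
            findings.append((url, f"host '{host}' is not the public FQDN"))
        if parts.scheme != "https":
            findings.append((url, f"scheme '{parts.scheme}' is not https"))
        if parts.port not in (None, 443):
            findings.append((url, f"non-standard port {parts.port}"))
    return findings


# Constructed sample: the value reported by the penetration test.
BEFORE = ('<script>cvApp={"a":1,'
          '"CommcellConsoleUrl":"http://node01.domain:81/console","b":2}</script>')
# Constructed sample: the value after pointing the setting at a public name.
AFTER = ('<script>cvApp={"a":1,'
         '"CommcellConsoleUrl":"https://backup.example.com/console","b":2}</script>')

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        results = check_console_url(page, "backup.example.com")
        print(label, "OK" if not results else "")
        for url, reason in results:
            print(f"  {url}: {reason}")
```

In practice the page source would be saved from the browser or fetched through the DMZ proxy, so the check sees what an external user sees.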

 


Thanks Mile, that’s enough to go back to the auditors with.

Great! @Stuart Painter has some extra info that might assuage their concerns a bit more as well (and I made that the Best Answer as well for posterity).

