security scan issue on author server | Community
vishalp01051978
May 24, 2016

security scan issue on author server

We have set up AEM for the first time in our system. Our security team scans the VM before it can go live. They found the following issues on it. Does anyone know how to correct it?

Vuln 45242 Remote Management Service Accepting Unencrypted Credentials Detected
dcmipvmacc008.edc.nam.com port: 8080
Service Name: HTTP on TCP port 8080.
HTTP Service Excepting Basic Auth Credentials Detected
dcwipvmacc008.edc.nam.com port: 8080
Service Name: HTTP on TCP port 8080.
HTTP Service Excepting Basic Auth Credentials Detected
Vuln 86763 Web Server Uses Plain Text Basic Authentication
dcmipvmacc008.edc.nam.com port: 8080
dcwipvmacc008.edc.nam.com port: 8080
The login page at port 8080 needs to use encryption or be disabled.

2 replies

kautuk_sahni
Community Manager
May 25, 2016

Hi 

Can you please confirm with the security team which tool is generating these messages?

It would be wiser to look at the documentation of that tool to better understand these messages.

Thanks and Regards

Kautuk Sahni

smacdonald2008
May 25, 2016

Those messages are not AEM messages - you need to consult the docs of the tool that generated them. For AEM and security best practices, see https://docs.adobe.com/docs/en/aem/6-2/administer/security/security-checklist.html

vishalp01051978
May 25, 2016

Yes. They are not AEM messages. The messages are from a Qualys scan which ran on the VM where author is installed and listening on port 8080. Searching on Google, I think it complains about the author server login page (listening on 8080) using plain text basic authentication.

Any idea how to correct it on author side?
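
The condition the scan reports (a Basic auth challenge on a non-TLS port) can be re-checked after any change with a small script. The following is an added example, not part of the original thread and not Qualys or AEM code; the host name, realm and credentials are constructed sample values, and the function names are hypothetical.

```python
import base64
import re
from urllib.parse import urlsplit

def auth_schemes(headers):
    """Return the lowercase auth schemes offered in WWW-Authenticate headers."""
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # Blank out quoted strings so commas or words inside a realm are ignored.
        bare = re.sub(r'"(?:[^"\\]|\\.)*"', '""', value)
        # A scheme is a token at the start or after a comma, not followed by '='.
        found = re.findall(r'(?:^|,)\s*([A-Za-z][\w-]*)(?=\s|,|$)', bare)
        schemes.extend(s.lower() for s in found)
    return schemes

def basic_credentials(authorization):
    """Decode an 'Authorization: Basic ...' value. Base64 is encoding, not
    encryption, so anyone who can read the request can read the password."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = base64.b64decode(token.strip()).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password

def assess(url, headers):
    """Classify one observed response in the terms the scan finding uses."""
    offers_basic = "basic" in auth_schemes(headers)
    encrypted = urlsplit(url).scheme.lower() == "https"
    if offers_basic and not encrypted:
        return "FAIL: Basic auth offered over cleartext HTTP"
    if offers_basic:
        return "OK: Basic auth offered, transport is TLS"
    return "OK: no Basic auth challenge"

# Constructed sample data (hypothetical host, realm and account).
SAMPLE_401 = [("WWW-Authenticate", 'Basic realm="example"'),
              ("Content-Length", "0")]
SAMPLE_AUTHZ = "Basic " + base64.b64encode(b"scan-user:example-password").decode("ascii")

if __name__ == "__main__":
    print(assess("http://author.example.test:8080/", SAMPLE_401))
    print(assess("https://author.example.test/", SAMPLE_401))
    print(basic_credentials(SAMPLE_AUTHZ))
```

To run it against a live instance, feed `assess` the URL and response headers captured from an unauthenticated request to the author port.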

smacdonald2008
May 25, 2016

If you are concerned that the default AEM authentication uses a text-based password (which seems to be the cause of the message: The login page at port 8080 needs to use encryption or be disabled.) -- then write a custom authentication handler:

http://www.wemblog.com/2013/03/how-to-create-custom-authentication.html

Or instead of writing a custom authentication handler - another choice that you have is to set up 2 factor authentication:

https://helpx.adobe.com/experience-manager/using/twofactor.html