Security Information

Note: This product has been discontinued. Technical Guidance ends July 15th 2018.

Pivotal is committed to providing products and solutions that allow you to assess the security of your information, secure your information infrastructure, protect your sensitive information, and manage security information and events to assure effectiveness and regulatory compliance. As part of this commitment, the following Pivotal Web Server-specific security information is provided to help you secure your environment:

External Interfaces, Ports, and Services

A Pivotal Web Server instance uses TCP/IP ports to receive incoming requests and send outgoing responses. Different protocols (such as HTTP or HTTPS) listen on different ports. You can change these port numbers when you create the Web Server instance using the newserver script, but these are the default values:

  • HTTP: 80
  • HTTPS: 443

If you have already created the Web Server instance, you can change its HTTP listen port by updating the Listen 90 http directive in the INSTANCE-DIR/conf/httpd.conf file, where INSTANCE-DIR refers to the directory in which the Web Server instance is located, such as /opt/pivotal/webserver/myserver. To update the HTTPS port, update the Listen 443 https directive in the INSTANCE-DIR/conf/extra/httpd-ssl.conf file.

Pivotal Web Server does not have any external interfaces or services that need to be enabled or opened.

Resources That Must Be Protected

The following Pivotal Web Server configuration files should be readable and writable only by the root (Unix) or Administrator (Windows) user:

  • conf/httpd.conf
  • conf/userfile
  • All files in the ssl directory (if you have enabled SSL for the instance)
  • conf/extra/httpd-ssl.conf (if you have enabled SSL for the instance)
  • Any other conf/httpd-XX.conf file that is pulled in by an uncommented Include directive in the main conf/httpd.conf configuration file.

These configuration files are specific to a Web Server instance and are stored in the INSTANCE-DIR directory, where INSTANCE-DIR refers to the directory in which the Web Server instance is located, such as /opt/pivotal/webserver/myserver.

Log File Locations

The most important log files for a Pivotal Web Server instance are as follows:

  • error_log: Contains errors and diagnostic information that occurred while the Web Server instance was serving requests.
  • access_log: Contains information about all Web Server requests.
  • ssl_request_log: Applies only if you enabled SSL. Contains information about requests that came over HTTPS.

These log files are specific to a Web Server instance and are stored by default in the INSTANCE-DIR/logs directory, where INSTANCE-DIR refers to the directory in which the Web Server instance is located, such as /opt/pivotal/webserver/myserver.

The preceding log files should be readable and writable only by the root (Unix) or Administrator (Windows) user.
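The following audit script is an added example, not part of the Pivotal documentation. It checks the ownership and permission bits of the configuration files listed under Resources That Must Be Protected and the log files listed above; the default owner root, the "no group or other bits" rule, and the way Include arguments are resolved against INSTANCE-DIR are assumptions made here.

```shell
#!/bin/sh
# Added example (not Pivotal's code): audit the instance files this page says must be
# readable and writable only by root. Arguments: INSTANCE-DIR and expected owner.
# Assumptions: owner defaults to root; "protected" means no group/other mode bits.

# Files named on this page, relative to INSTANCE-DIR. The SSL files exist only when SSL
# is enabled, so a missing file is skipped rather than reported.
PWS_LISTED="conf/httpd.conf conf/userfile conf/extra/httpd-ssl.conf \
logs/error_log logs/access_log logs/ssl_request_log"

# Print every file to audit under instance dir $1: the listed files, all files in ssl/,
# and any file pulled in by an uncommented Include in conf/httpd.conf.
pws_protected_files() {
    for rel in $PWS_LISTED; do
        [ -e "$1/$rel" ] && printf '%s\n' "$1/$rel"
    done
    [ -d "$1/ssl" ] && find "$1/ssl" -type f
    [ -r "$1/conf/httpd.conf" ] || return 0
    # Keep the Include argument (quotes stripped); relative paths resolve against $1
    sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\).*/\1/p' \
        "$1/conf/httpd.conf" | while IFS= read -r inc; do
        case $inc in /*) f=$inc ;; *) f="$1/$inc" ;; esac
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Return 0 when every protected file is owned by $2 (default root) and carries no group
# or other permission bits; otherwise print one line per finding and return 1.
pws_audit_perms() {
    rc=0
    list=$(mktemp)
    pws_protected_files "$1" > "$list"
    while IFS= read -r f; do
        # GNU stat first, BSD stat as fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        fowner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
        case $mode in
            *00|0) ;;
            *) printf 'GROUP/OTHER ACCESS: %s (mode %s)\n' "$f" "$mode"; rc=1 ;;
        esac
        [ "$fowner" = "${2:-root}" ] || { printf 'WRONG OWNER: %s (%s)\n' "$f" "$fowner"; rc=1; }
    done < "$list"
    rm -f "$list"
    return $rc
}

# Usage: pws_audit_perms /opt/pivotal/webserver/myserver root
```

Run it as root after creating or upgrading an instance; a non-zero exit status means at least one listed file is group- or world-accessible or not owned by the expected account.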

The logs directory also contains other log files associated with BMX and the Pivotal License server.

User Accounts Created at Installation

If you install Pivotal Web Server on Red Hat Enterprise Linux (RHEL) using the RPM, a user with the following characteristics is automatically created:

  • ID: pwshttpd
  • Group: pwshttpd
  • Non-interactive, which means that you cannot directly log in to the RHEL computer as this user. Instead, log in as root or as a user with appropriate sudo privileges and run su - pwshttpd.

When installing from RPM on RHEL, the installation directory will be owned by the root user, with group root.

When installing Web Server on Windows or Unix from a self-extracting *.zip file, a user account is not automatically created for you. Instead, you should install as root on Unix or as Administrator on Windows.

Obtaining and Installing Security Updates

Pivotal Web Server is an HTTPD server based on open-source Apache HTTPD. Each Pivotal Web Server release includes a particular version of Apache HTTP Server, such as httpd-2.4.10. New versions of Pivotal Web Server typically include an updated version of Apache HTTPD, some of which fix important security vulnerabilities. To install these security updates, you install the new version of Pivotal Web Server and then upgrade your existing instances.

To download the latest *.zip distributions of the Pivotal Web Server, go to the Pivotal Web Server product page, and click Downloads.

When using RPMs on RHEL, use the yum upgrade command to upgrade to the latest Pivotal Web Server version.

See Upgrading Pivotal Web Server for details.