APIM API and APIM Gateway include internal APIs that are enabled by default. These internal APIs expose monitoring and technical information about Gravitee components. If you do not intend to use them, we recommend that you disable them.
Perform the following steps on both the APIM API component and the APIM Gateway component:

1. Open your `gravitee.yml` file.
2. In the `services:` section, set the `http: enabled` value to `false`:

```yaml
services:
  core:
    http:
      enabled: false
      port: 18083
      host: localhost
      authentication:
        # authentication type to be used for the core services
        # - none: to disable authentication
        # - basic: to use basic authentication
        # default is "basic"
        type: basic
        users:
          admin: adminadmin
```
If you plan to keep the internal API enabled, harden it by following the next steps.

1. Ensure basic authentication is enabled:

```yaml
services:
  core:
    http:
      ...
      authentication:
        type: basic
        users:
          admin: adminadmin
```

2. Remove the default `admin` user and password.
3. Replace them with a username and password of your choosing, as shown in the example below. A good practice is to:
   - Create a random username that is less obvious than a simple `admin` user.
   - Define a strong password that follows security best practices. Ideally, generate it with a password generator.

   Quote the password so that YAML does not interpret it. Single quotes are the safest choice here: the double-quoted style processes backslash escapes, and a sequence such as `\S` is not a valid YAML escape, so a double-quoted value containing it fails to parse.

```yaml
services:
  core:
    http:
      ...
      authentication:
        type: basic
        users:
          kJCe9nxhNV: 'k5/ya\S6*9dm2kT`dbnhr{jzyD)<u.<9'
```

4. It is highly recommended that you bind the internal API so that it is accessible from localhost only:

```yaml
services:
  core:
    http:
      enabled: true
      port: 18083
      host: localhost
```
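To verify a `gravitee.yml` against the recommendations above, the following added audit script (not Gravitee's own tooling) flags the shipped `admin: adminadmin` credentials, obvious usernames, weak passwords and a non-localhost bind. The configs are constructed dicts mirroring what `yaml.safe_load()` returns for the snippets on this page, and `password_is_strong` is a coarse heuristic assumed here, not a Gravitee rule.

```python
"""Audit the services.core.http block of a gravitee.yml (added example, not Gravitee code)."""
import string

DEFAULT_CREDENTIALS = {"admin": "adminadmin"}      # the shipped default user/password
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}    # bind addresses accepted as "localhost only"
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def password_is_strong(password, min_len=16):
    """Coarse heuristic: long enough and drawn from at least three character classes."""
    classes = sum(any(ch in cls for ch in password) for cls in CHAR_CLASSES)
    return len(password) >= min_len and classes >= 3


def audit_core_http(config):
    """Return findings as 'code: detail' strings; an empty list means hardened or disabled."""
    http = config.get("services", {}).get("core", {}).get("http", {})
    if not http.get("enabled", True):          # the internal API is on unless explicitly disabled
        return []
    findings = []
    host = http.get("host")                    # an unset host is not treated as local
    if host not in LOCAL_HOSTS:
        findings.append(f"not-localhost: host is {host!r}; bind the internal API to localhost")
    auth = http.get("authentication", {})
    if auth.get("type", "basic") != "basic":
        findings.append(f"no-basic-auth: authentication type is {auth.get('type')!r}")
    users = auth.get("users") or {}
    if not users:
        findings.append("no-users: basic authentication configured without any user")
    for user, password in users.items():
        if DEFAULT_CREDENTIALS.get(user) == password:
            findings.append(f"default-credentials: {user} still uses the shipped password")
        if user.lower() == "admin":
            findings.append(f"obvious-username: {user}")
        if not password_is_strong(str(password)):
            findings.append(f"weak-password: user {user}")
    return findings


# Constructed configs mirroring the page's "before" snippet and its hardened form.
DEFAULT_CONFIG = {"services": {"core": {"http": {
    "enabled": True, "port": 18083, "host": "localhost",
    "authentication": {"type": "basic", "users": {"admin": "adminadmin"}}}}}}
HARDENED_CONFIG = {"services": {"core": {"http": {
    "enabled": True, "port": 18083, "host": "localhost",
    "authentication": {"type": "basic",
                       "users": {"kJCe9nxhNV": r"k5/ya\S6*9dm2kT`dbnhr{jzyD)<u.<9"}}}}}}

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_core_http(cfg) or ["ok"])
```

Load a real file with `yaml.safe_load(open("gravitee.yml"))` and pass the result to `audit_core_http` to check both the APIM API and the APIM Gateway configuration.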
{% hint style="info" %} To learn more about internal APIs, see: