KB Article #181367

API Portal private key accessible through web

Problem

If mutual authentication with API Manager is configured, the API Portal's private key is stored under the web root and is not protected from HTTP access: anyone who knows (or guesses) its full path can download it through the web server.

The issue exists in API Portal versions 2020 July through 2020 November. It will be fixed in version 2021-Jan; until then, the .htaccess file must be modified so that the web server refuses to serve private-key files.


Resolution

Modify the following line in your .htaccess file (the one in your API Portal root folder, /opt/axway/apiportal/htdoc by default):


<FilesMatch "\.(htaccess|htpasswd|sql|txt|xml|log|zip)$">


Change it to this:


<FilesMatch "\.(htaccess|htpasswd|sql|txt|xml|log|zip|key|pk|ppk|opk|ospk|p12|pfx)$">


If for some reason this line is missing from your .htaccess file, add the following block at the bottom of the file:


<FilesMatch "\.(htaccess|htpasswd|sql|txt|xml|log|zip|key|pk|ppk|opk|ospk|p12|pfx)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Note that Order/Deny is the Apache 2.2 access-control syntax; Apache 2.4 only honours it while mod_access_compat is loaded. On a 2.4 server without that module, put "Require all denied" inside the FilesMatch block instead.


Because the key may already have been downloaded, treat it as compromised: generate a new private key and replace the old one immediately after applying the .htaccess change. Use the Administration UI of API Portal to upload the new private key.


Apache does not need to be restarted: .htaccess files are read on every request, so the new rule takes effect immediately. This assumes AllowOverride permits FilesMatch in the portal root, which is already the case wherever the existing FilesMatch line is being honoured.
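The following script is an added example, not part of the Axway KB article: it applies the .htaccess change idempotently (rewriting the original FilesMatch line, or appending the full deny block if the line is absent) and then checks whether given file names are matched by a FilesMatch pattern in the resulting file. The portal root /opt/axway/apiportal/htdoc is the article's default; the demo at the bottom works on a constructed copy in a temporary directory, and the key file names it tests (apiportal.key, client.p12, site.pfx) are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the Axway KB article. Applies the .htaccess fix
# idempotently and verifies which file names the FilesMatch rules now cover.
# Assumption: the portal root is /opt/axway/apiportal/htdoc (article default).

OLD_EXT='htaccess|htpasswd|sql|txt|xml|log|zip'
NEW_EXT='htaccess|htpasswd|sql|txt|xml|log|zip|key|pk|ppk|opk|ospk|p12|pfx'

# harden_htaccess FILE
# Rewrites the article's original FilesMatch line to the extended one, or
# appends the full deny block when no such line exists. Safe to run twice.
harden_htaccess() {
    file="$1"
    old_line="<FilesMatch \"\\.(${OLD_EXT})\$\">"
    new_line="<FilesMatch \"\\.(${NEW_EXT})\$\">"
    if grep -qF -- "$new_line" "$file" 2>/dev/null; then
        return 0                                   # already hardened
    fi
    if grep -qF -- "$old_line" "$file" 2>/dev/null; then
        tmp="$file.tmp.$$"
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                *"$old_line"*) printf '%s\n' "$new_line" ;;   # swap only this line
                *)             printf '%s\n' "$line" ;;
            esac
        done < "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '\n%s\nOrder Allow,Deny\nDeny from all\n</FilesMatch>\n' "$new_line" >> "$file"
    fi
}

# blocked_by_htaccess FILE NAME
# Returns 0 if NAME matches any <FilesMatch "..."> pattern in FILE. The
# patterns are evaluated as extended regexes, which the \.(a|b)$ form is.
blocked_by_htaccess() {
    file="$1"
    name="$2"
    while IFS= read -r regex; do
        [ -n "$regex" ] || continue                # no pattern on this line
        if printf '%s\n' "$name" | grep -Eq -- "$regex"; then
            return 0
        fi
    done <<EOF
$(sed -n 's/^[[:space:]]*<FilesMatch "\(.*\)">.*$/\1/p' "$file" 2>/dev/null)
EOF
    return 1
}

# Demonstration on a constructed copy of the original .htaccess rule, so a
# real portal installation is never touched by running this script as-is.
demo_dir=$(mktemp -d)
printf '<FilesMatch "\\.(%s)$">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>\n' \
    "$OLD_EXT" > "$demo_dir/.htaccess"
harden_htaccess "$demo_dir/.htaccess"
for name in apiportal.key client.p12 site.pfx index.php; do   # constructed names
    if blocked_by_htaccess "$demo_dir/.htaccess" "$name"; then
        echo "$name: denied"
    else
        echo "$name: served"
    fi
done
rm -rf "$demo_dir"
```

To apply it to a real installation, call harden_htaccess /opt/axway/apiportal/htdoc/.htaccess (or the file in your actual portal root) and keep a backup first. The name check only proves the .htaccess pattern covers the extension; confirm from outside the host that a request for the key's URL now returns 403, for example with curl -o /dev/null -s -w '%{http_code}' against the full path, since a vhost with AllowOverride None would ignore the file entirely.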