Before opening an idea or a ticket @CA I'd like to ask the question in the community.
The REST API of the CA PM Data Aggregator (DA) is currently without any access control, i.e. everybody knowing the REST commands can delete the whole device configuration of CA PM. The documentation of the CA DA is publicly available on the CA docops portal, so it is more than easy to get the right REST calls to delete the configuration if somebody knows that there is a CA DA server in the network he can access.
Is it possible to protect the REST API using a password?
You are unfortunately correct, there is no protection or access authorization code in place for DA REST functions.
This Idea request may be of interest. It requests the DB connection info in the DA be secured. The more up votes it gets the better.
IM DA security enhancement request
This Idea was implemented as of 2.8 and provides for control of the data passed between DA and DC.
secure Datacollector traffic to DA
I found out that coming in the r3.6 release we are adding support for the DA to be configured so it runs using HTTPS.
Unfortunately that won't come with username/password protection for REST yet.
It appears that REST security for the DA is on their minds, but it wouldn't hurt for a specific Idea to be submitted requesting it. Once more, the more up votes it gets (the squeaky wheel gets the grease), the more likely it is to be considered for inclusion in a future release.
Thanks for the investigation for now. So, I'll open a new idea for this.