12.8 adminui HTTP Security Header not detected or exist out of box

Article ID: 203486


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

The customer's security team reported a security exception against the 12.8 AdminUI.

Acting as a web server, the out-of-the-box AdminUI installation does not send several HTTP security headers:

X-Frame-Options (or Content-Security-Policy: frame-ancestors) HTTP header missing on port 8443.
Strict-Transport-Security HTTP header missing on port 8443.
X-XSS-Protection HTTP header missing on port 8443.

When accessing https://adminui.example.com:8443 and viewing the response headers in the browser's developer tools, you can see which headers are actually present.

Environment

Release : 12.8

Component : SITEMINDER WAM UI

Cause

The third-party WildFly application server bundled with the AdminUI does not enable these headers out of the box, depending on the version used.

Resolution

Engineering provided the following workaround steps for the AdminUI configuration.

Take a backup of the configuration file before making any change.

WildFly response headers are configured in <WAMUI_INSTALL_LOCATION>\SiteMinder\adminui\standalone\configuration\standalone-full.xml.

The snippet below is an example. Response headers are added by editing the filter-ref entries under the host element and the corresponding response-header definitions under the filters element; a header is only sent when it has both a filter-ref and a matching response-header entry. After making the change, restart the AdminUI for it to take effect.

<server name="default-server">
    <http-listener name="default" socket-binding="http"/>
    <https-listener enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1.1,TLSv1.2" name="https" security-realm="SSLRealm" socket-binding="https"/>
    <host alias="localhost" name="default-host">
        <location handler="welcome-content" name="/"/>
        <filter-ref name="server-header"/>
        <!--filter-ref name="x-powered-by-header"/-->
        <filter-ref name="x-frame-options"/>
        <filter-ref name="x-xss-protection"/>
        <filter-ref name="strict-transport-security"/>
    </host>
</server>
<servlet-container name="default">
    <jsp-config/>
    <websockets/>
</servlet-container>
<handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>

<filters>
    <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
    <!--response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/-->
    <response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
    <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
    <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains;"/>
</filters>
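Before restarting the AdminUI it is worth checking that every required header is both defined under filters and referenced from the host, since a header defined in only one of the two places is silently never sent. The following script is an added example, not part of the article or the product: it parses an Undertow subsystem fragment from standalone-full.xml and reports missing headers, filter-ref entries with no definition, and definitions that nothing references. The embedded sample XML is constructed for illustration and its namespace version is a placeholder.

```python
import xml.etree.ElementTree as ET

# Headers the security scan flagged as missing on the AdminUI (port 8443).
REQUIRED_HEADERS = {"X-Frame-Options", "X-XSS-Protection", "Strict-Transport-Security"}


def _local(tag):
    # '{urn:jboss:domain:undertow:3.1}host' -> 'host' (namespace-agnostic matching)
    return tag.rsplit("}", 1)[-1]


def audit_undertow_headers(xml_text):
    """Cross-check an Undertow subsystem fragment from standalone-full.xml.

    A header is only sent when it is defined as <response-header> under <filters>
    AND referenced by a <filter-ref> inside <host>. Commented-out entries are
    invisible to the XML parser, so they correctly count as absent.
    """
    root = ET.fromstring(xml_text)
    refs = {e.get("name") for e in root.iter() if _local(e.tag) == "filter-ref"}
    defined = {e.get("name"): e.get("header-name")
               for e in root.iter() if _local(e.tag) == "response-header"}
    active = {defined[n] for n in refs if n in defined}
    return {
        "missing_headers": sorted(REQUIRED_HEADERS - active),  # scan will still flag these
        "dangling_refs": sorted(refs - set(defined)),           # referenced but never defined
        "unreferenced": sorted(set(defined) - refs),            # defined but never sent
    }


# Constructed sample (not from the article): only the Server header is wired up,
# x-frame-options is referenced but never defined, and HSTS is defined but not
# referenced. The namespace version is a placeholder; use the one from your file.
SAMPLE_XML = """
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
  <server name="default-server">
    <host alias="localhost" name="default-host">
      <filter-ref name="server-header"/>
      <filter-ref name="x-frame-options"/>
    </host>
  </server>
  <filters>
    <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
    <response-header name="strict-transport-security"
                     header-name="Strict-Transport-Security"
                     header-value="max-age=31536000; includeSubDomains"/>
  </filters>
</subsystem>
"""

if __name__ == "__main__":
    for key, value in audit_undertow_headers(SAMPLE_XML).items():
        print(f"{key}: {value or 'none'}")
```

Run it against the real file by passing the contents of the undertow subsystem element (or the whole standalone-full.xml) to audit_undertow_headers; an empty result for all three keys means the three headers from the article are fully wired up.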

Additional Information

https://knowledge.broadcom.com/external/article/187914/http-security-header-not-detected.html