SOI Vulnerability - HSTS Missing from HTTPS Server

Article ID: 203955

Products

CA Service Operations Insight (SOI)

Issue/Introduction

Please provide the steps / procedure to remediate the "HSTS Missing from HTTPS Server" vulnerability that a Nessus scan has detected on the following SOI components:

a. SOI Manager - Port 7493
b. SOI UI - Port 7403
c. HelpDesk connector - Port 8443

Environment

Release : 4.2

Component : Service Operations Insight (SOI) Manager

Cause

Improper SSL configuration; resolved by applying the correct configuration steps below.

Resolution

Please apply the latest 4.2 Monthly Update kit, which can be found here:

https://support.broadcom.com/external/content/release-announcements/CA-Service-Operations-Insight-Solutions--Patches/6500

Please find below the correct steps / procedure to configure SSL.

Please ensure that SSL is configured as described below. Make the following changes in the web.xml of both the SOI Manager and SOI UI components, then reboot the server:
  • C:\Program Files (x86)\CA\SOI\tomcat\conf\web.xml
  • C:\Program Files (x86)\CA\SOI\SamUI\conf\web.xml

    <!-- Add inside the <web-app> element of each file. Tomcat's built-in
         HttpHeaderSecurityFilter adds the Strict-Transport-Security header
         to responses for HTTPS requests (max-age of one year, subdomains
         included). -->
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>

    <!-- Apply the filter to every request path. -->
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
 
 
If only the hostname is shown under SOI UI -> Administration -> CA Service Operations Insight Manager Configuration, log in to https://hostname:port/sam, export the security certificate from that URL and import it into the browser.
 

Please note the following limitations:

  • antiClickJackingEnabled is set to false
  • certificates need to be imported into the browsers
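To confirm that the remediation took effect on the three ports named above, the following added check (written for this article, not part of the SOI product or the article's own steps) fetches the response headers over HTTPS and validates the Strict-Transport-Security value against the web.xml settings above; the hostname is a placeholder you substitute with your own SOI server.

```python
import re
import ssl
import urllib.error
import urllib.request

# Policy the web.xml init-params above configure: max-age one year, subdomains.
EXPECTED_MAX_AGE = 31536000
EXPECTED_INCLUDE_SUBDOMAINS = True
# Ports named in the article; the hostname passed to check_port is a placeholder.
SOI_PORTS = {"SOI Manager": 7493, "SOI UI": 7403, "HelpDesk connector": 8443}


def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if absent/malformed."""
    if value is None:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None  # malformed max-age: browsers ignore the header
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def hsts_ok(value, min_age=EXPECTED_MAX_AGE, need_sub=EXPECTED_INCLUDE_SUBDOMAINS):
    """True when the header value meets the configured policy."""
    parsed = parse_hsts(value)
    if parsed is None:
        return False
    max_age, include_sub = parsed
    return max_age >= min_age and (include_sub or not need_sub)


def check_port(host, port, verify_tls=True):
    """HEAD https://host:port/ and evaluate its HSTS header; returns (value, ok).
    verify_tls=False only skips certificate validation (cert not yet imported)."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(f"https://{host}:{port}/", method="HEAD")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            value = resp.headers.get("Strict-Transport-Security")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry headers
        value = err.headers.get("Strict-Transport-Security")
    return value, hsts_ok(value)
```

Call check_port(host, port) for each entry in SOI_PORTS after the reboot; a missing or malformed header, a max-age below 31536000, or a missing includeSubDomains directive reports False.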