How to configure HSTS for Autosys Webserver running on port 9443?
Release : 11.3.6 and higher
Component : CA Workload Automation AE (AutoSys)
The infrastructure security team has flagged the AutoSys web server with the finding "The remote HTTPS server does not send the HTTP Strict-Transport-Security header".
HSTS can be enabled for the AutoSys web server.
(This is the standard procedure for any Tomcat-hosted web application, as the header is added by Tomcat's HttpHeaderSecurityFilter.)
1) Take a backup of the file $AUTOUSER/webserver/conf/web.xml
2) Find the following commented-out snippet:
<!--
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
-->
3) Add the following immediately above or below that snippet (leave the original commented out):
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsPreload</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>xssProtectionEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>blockContentTypeSniffingEnabled</param-name>
<param-value>true</param-value>
</init-param>
</filter>
4) Find the following snippet and uncomment it:
<!-- <filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
-->
(i.e. remove the <!-- and --> markers around the snippet)
5) Save the file
6) Restart the service waae_webserver.$AUTOSERV
No configuration change is required for the WebUI (a.k.a. WCC), where HSTS is enabled by default.
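Steps 1 to 4 above as one script, with a post-edit check. This is an added example, not part of the article and not code from CA/Broadcom or AutoSys. It assumes web.xml contains the two commented-out snippets quoted above (with any indentation); the web.xml it runs on here is a constructed stand-in built inline, and the init-params of the filter block are folded one per line, which is equivalent XML. Steps 5 and 6 (save, restart waae_webserver.$AUTOSERV) remain manual.

```shell
#!/bin/sh
# Added example, not from the original article: applies steps 1-4 of the
# procedure above to a web.xml, checks the result and is safe to re-run.
# It runs here against a constructed copy of the relevant web.xml fragments;
# on a live host pass $AUTOUSER/webserver/conf/web.xml and then do step 6
# (restart waae_webserver.$AUTOSERV).

# Filter definition from step 3 (init-params folded onto one line each);
# it is appended after the commented-out original, which stays untouched.
FILTER_BLOCK='<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
<init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
<init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
<init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
<init-param><param-name>hstsPreload</param-name><param-value>true</param-value></init-param>
<init-param><param-name>xssProtectionEnabled</param-name><param-value>true</param-value></init-param>
<init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value></init-param>
</filter>'

# Steps 1-4: back up, append the active filter, uncomment its mapping.
enable_hsts_filter() {
    webxml="$1"
    cp -p "$webxml" "$webxml.bak.$(date +%Y%m%d%H%M%S)"          # step 1
    if grep -q '<param-name>hstsEnabled</param-name>' "$webxml"; then
        echo "hstsEnabled already configured in $webxml, skipping" >&2
        return 0
    fi
    tmp="$webxml.tmp.$$"
    awk -v block="$FILTER_BLOCK" '
        # Each <!-- ... --> block is buffered and handled when it closes.
        function flush(   i, txt, strip) {
            txt = ""; strip = 0
            for (i = 1; i <= n; i++) txt = txt buf[i] "\n"
            if (txt ~ /<filter-mapping>/ && txt ~ /httpHeaderSecurity/) {
                # Step 4: drop only the comment markers around the mapping.
                sub(/<!--[ \t]*/, "", buf[1]); sub(/[ \t]*-->/, "", buf[n]); strip = 1
            }
            for (i = 1; i <= n; i++)
                if (!(strip && buf[i] ~ /^[ \t]*$/)) print buf[i]
            # Step 3: the active definition goes right after the commented one.
            if (txt ~ /HttpHeaderSecurityFilter/ && txt ~ /<filter>/) print block
            n = 0
        }
        /<!--/ { incomment = 1 }
        incomment { buf[++n] = $0; if ($0 ~ /-->/) { incomment = 0; flush() }; next }
        { print }
    ' "$webxml" > "$tmp" && cat "$tmp" > "$webxml" && rm -f "$tmp"   # keeps owner/mode
}

# Return 0 only if, outside XML comments, the httpHeaderSecurity filter is
# defined with hstsEnabled=true and mapped (filter-name appears twice).
verify_web_xml() {
    active=$(awk '/<!--/ { c = 1 } !c { print } /-->/ { c = 0 }' "$1" | tr -d '\n\t ')
    printf '%s' "$active" | grep -q '<param-name>hstsEnabled</param-name><param-value>true</param-value>' || return 1
    [ "$(printf '%s' "$active" | grep -o '<filter-name>httpHeaderSecurity</filter-name>' | wc -l | tr -d ' ')" -ge 2 ]
}

# Constructed stand-in for $AUTOUSER/webserver/conf/web.xml containing just
# the two commented snippets the article refers to plus an unrelated comment.
make_sample_webxml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
<!-- unrelated comment: must survive the edit unchanged -->
<!--
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
-->
<!-- <filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
-->
</web-app>
EOF
}

# Demo on the constructed file; replace the path with the real web.xml.
demo_dir=$(mktemp -d) && make_sample_webxml "$demo_dir/web.xml"
enable_hsts_filter "$demo_dir/web.xml"
verify_web_xml "$demo_dir/web.xml" && echo "HSTS filter active in $demo_dir/web.xml"
```

After the restart in step 6, confirm the header on the HTTPS port with something like `curl -skI https://<host>:9443/ | grep -i strict-transport-security`; the filter only adds the header to responses on secure connections, so a plain-HTTP check will never show it. Two of the values in step 3 deserve a deliberate decision rather than copy-paste: hstsIncludeSubDomains extends the one-year policy to every hostname under the web server's domain, and hstsPreload emits the preload directive that signals eligibility for browser preload lists, which is hard to undo once submitted. Leave both at false unless every subdomain of that host is served over HTTPS.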