HSTS Configuration for Autosys Webserver
search cancel

HSTS Configuration for Autosys Webserver

book

Article ID: 216470

calendar_today

Updated On:

Products

CA Workload Automation AE - Scheduler (AutoSys)

Issue/Introduction

How to configure HSTS for Autosys Webserver running on port 9443?

 

Environment

Release : 11.3.6 and higher

Component : CA Workload Automation AE (AutoSys)

Cause

It has been flagged by the infrastructure security team stating "The remote HTTPS server does not send the HTTP Strict-Transport-Security header"

Resolution

HSTS can be enabled for Autosys WebServer.
(It is the most common procedure for any tomcat hosted web application)

1) Take a backup of the file $AUTOUSER/webserver/conf/web.xml

2) Find the snippet - 

<!--

    <filter>

        <filter-name>httpHeaderSecurity</filter-name>

        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>

        <async-supported>true</async-supported>

    </filter>

-->

3) Append the following right above/after (Do not uncomment the original) - 

<filter>

  <filter-name>httpHeaderSecurity</filter-name>

  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>

  <async-supported>true</async-supported>

  <init-param>

    <param-name>antiClickJackingEnabled</param-name>

    <param-value>true</param-value>

  </init-param>

  <init-param>

    <param-name>hstsEnabled</param-name>

    <param-value>true</param-value>

  </init-param>

  <init-param>

    <param-name>hstsMaxAgeSeconds</param-name>

    <param-value>31536000</param-value>

  </init-param>

  <init-param>

    <param-name>hstsIncludeSubDomains</param-name>

    <param-value>true</param-value>

  </init-param>

  <init-param>

    <param-name>hstsPreload</param-name>

    <param-value>true</param-value>

    </init-param>

  <init-param>

    <param-name>xssProtectionEnabled</param-name>

    <param-value>true</param-value>

  </init-param>

  <init-param>

    <param-name>blockContentTypeSniffingEnabled</param-name>

    <param-value>true</param-value>

  </init-param>

</filter>

4) Find and uncomment the snippet - 

<!-- <filter-mapping>

        <filter-name>httpHeaderSecurity</filter-name>

        <url-pattern>/*</url-pattern>

        <dispatcher>REQUEST</dispatcher>

    </filter-mapping>

-->

(Remove the comments(<!-- and -->)  around the snippet)

5) Save the file

6) Restart service waae_webserver.$AUTOSERV

Additional Information

No configuration changes required for WebUI a.k.a WCC as this is enabled by default.