Symantec Identity Manager - Strict transport security not enforced: HTTP Strict Transport security header is missing or has an insecure value

Article ID: 232215


Products

CA Identity Suite CA Identity Manager

Issue/Introduction

- How can I enable HTTP Strict Transport Security (HSTS) in EAP 7?
- HSTS is missing from the HTTPS server in JBoss EAP 7.3

Affected URL: https://Hostname/iam/im/identityEnv

HTTP Strict Transport Security header is missing or has an insecure value.

Environment

Identity Manager 14.x (Virtual Appliance or On-premise versions)

Resolution

The RedHat knowledge document below explains how to enable strict transport security in JBoss; it applies to Wildfly as well. On an on-premise installation, make the changes in your standalone-full-ha.xml; on the Virtual Appliance (vAPP), use the JBoss CLI commands shown further down.

https://access.redhat.com/solutions/3432951 (requires a RedHat account to log in)

Add the appropriate response-header filter to the Undertow subsystem, and enable that filter for the host:

<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <server name="default-server">
        <host name="default-host" alias="localhost">
            <filter-ref name="hsts-header"/>
        </host>
    </server>
    <filters>
        <response-header name="hsts-header" header-name="Strict-Transport-Security" header-value="max-age=31536000;"/>
    </filters>
</subsystem>

If you have the Virtual Appliance, you need to use the JBoss CLI to accomplish this (see "How to resolve this issue for VAPP" below).

Diagnostic Steps
The curl command can be used to verify that the response header is returned correctly. To test port 8444, change the port in the command.

$ curl -i https://mydomain.com:8443/
HTTP/1.1 302 Found
Connection: keep-alive
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Strict-Transport-Security: max-age=31536000;
Location: https://mydomain.com:8443/
Content-Length: 0
Date: Mon, 30 Apr 2018 19:23:04 GMT
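As an added check that is not part of the original KB, the following Python parses a captured response such as the curl output above and reports whether the Strict-Transport-Security header is missing, has a non-numeric max-age, or falls below the one-year max-age this article configures. The sample response is constructed for the example, and the trailing ';' in the article's header-value is handled as an empty directive rather than an error.

```python
# Constructed sample response, modelled on the curl output shown above.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Connection: keep-alive
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Strict-Transport-Security: max-age=31536000;
Location: https://mydomain.com:8443/
Content-Length: 0
"""

ONE_YEAR = 31536000  # seconds; the max-age value this KB configures

def parse_headers(raw):
    """Turn a raw status line plus header block into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block; anything after it is body
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797): ';'-separated, case-insensitive
    directives. The empty directive left by a trailing ';' (as in this KB's value) is ignored."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            digits = val.strip().strip('"')  # max-age may be sent as a quoted-string
            parsed["max_age"] = int(digits) if digits.isdigit() else None
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed

def check_hsts(raw_response, min_age=ONE_YEAR):
    """Return the findings a scanner would report; an empty list means the header passes."""
    value = parse_headers(raw_response).get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security header is missing"]
    hsts = parse_hsts(value)
    if hsts["max_age"] is None:
        return ["max-age directive is missing or not numeric"]
    if hsts["max_age"] < min_age:
        return [f"max-age {hsts['max_age']} is below the required {min_age}"]
    return []
```

To check a live host, feed it the output of `curl -si https://mydomain.com:8443/` (headers only, up to the first blank line) instead of the constructed sample.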

How to resolve this issue for VAPP:

Note: the user "Jbossmgr" below is just an example; you can use any name for the user.

Run: sudo /opt/CA/wildfly-idm/bin/add-user.sh

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): a

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username: Jbossmgr
Password recommendations are listed below. To modify these restrictions edit the add-user.properties configuration file.
 - The password should not be one of the following restricted values {root, admin, administrator}
 - The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
 - The password should be different from the username
Password :
JBAS015266: Password must have at least 1 digit.
Are you sure you want to use the password entered yes/no? yes
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma-separated list, or leave blank for none)[  ]:
About to add user 'Jbossmgr' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'Jbossmgr' to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-users.properties'
Added user 'Jbossmgr' to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-users.properties'
Added user 'Jbossmgr' with groups  to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-groups.properties'
Added user 'Jbossmgr' with groups  to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no

Now you have a user associated with the Management Realm.

Navigate to /opt/CA/wildfly-idm/bin/ and execute ./jboss-cli.sh
Type: connect
Enter the credentials of the management user (Jbossmgr)

Command 1:
/subsystem=undertow/configuration=filter/response-header=hsts-header:add(header-name="Strict-Transport-Security",header-value="max-age=31536000;")
Command 2:
/subsystem=undertow/server=default-server/host=default-host/filter-ref=hsts-header:add

Restart the Identity Manager service to load the new configuration.


Notes:

- For port 8443, run the steps above in the Virtual Appliance machine where the Identity Manager was deployed

- For port 8444, run the steps above in the Virtual Appliance machine where the Identity Portal was deployed

Additional Information

For remediating the connector servers, follow the KB article below:
Symantec Identity Manager - HSTS Missing From HTTPS Server (RFC 6797) - Connector Servers