Symantec Identity Manager - Strict transport security not enforced: HTTP Strict Transport security header is missing or has an insecure value



Article ID: 232215




CA Identity Suite CA Identity Manager


Affected URL:*

HTTP Strict Transport Security header is missing or has an insecure value.


Identity Manager 14.x (Virtual Appliance or On-premise versions)


The Red Hat knowledge documents below explain how to enable HTTP Strict Transport Security (HSTS) in JBoss EAP; the same configuration applies to WildFly. Make the changes in your standalone-full-ha.xml, or on the Virtual Appliance (vApp) use the JBoss CLI commands. (Viewing the Red Hat documents requires a Red Hat account.)


- How can I enable HTTP Strict Transport Security (HSTS) in EAP 7
- HSTS Missing From HTTPS Server in JBoss EAP 7.3


Add the appropriate response-header filter to the Undertow subsystem, and enable that filter for the host:

<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <server name="default-server">
        <host name="default-host" alias="localhost">
            <filter-ref name="hsts-header"/>
        </host>
    </server>
    <filters>
        <response-header name="hsts-header" header-name="Strict-Transport-Security" header-value="max-age=31536000;"/>
    </filters>
</subsystem>

If you have the Virtual Appliance, you need to use the JBoss CLI to make this change.


Diagnostic Steps
The curl command can be used to verify that the response header is returned correctly; to test port 8444, change the port in the command.

$ curl -i
HTTP/1.1 302 Found
Connection: keep-alive
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Strict-Transport-Security: max-age=31536000;
Content-Length: 0
Date: Mon, 30 Apr 2018 19:23:04 GMT
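The check above is done by eye. The following script is an added example (not part of the article and not CA/Broadcom or Red Hat code) that automates it: it reads captured response headers, confirms a Strict-Transport-Security header is present, and confirms its max-age is at least the one-year value the article configures. The sample responses are constructed for the demonstration and modelled on the curl output above; IDM_HOST and PORT in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: check a captured set of HTTP
# response headers for a Strict-Transport-Security header with a usable max-age.
# Live use (host and port are placeholders, not values from the article):
#   curl -sI https://IDM_HOST:PORT/ | check_hsts; echo $?

# Smallest max-age accepted: one year, the value the article configures.
HSTS_MIN_AGE=31536000

# check_hsts reads raw response headers on stdin and returns:
#   0  header present and max-age >= HSTS_MIN_AGE
#   1  header missing entirely (the scanner finding in the article)
#   2  header present but max-age absent, malformed, or too small
check_hsts() {
  # Strip CRs, keep the first HSTS header line (header names are case-insensitive).
  line=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
  [ -n "$line" ] || return 1
  # Directives are ';'-separated; a trailing ';' as in the article is tolerated.
  age=$(printf '%s' "${line#*:}" | tr 'A-Z' 'a-z' | tr -d ' \t' | tr ';' '\n' \
        | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
  [ -n "$age" ] || return 2
  [ "$age" -ge "$HSTS_MIN_AGE" ] || return 2
  return 0
}

# hsts_status "<headers>" prints the check_hsts exit code for a header string.
hsts_status() {
  if printf '%s\n' "$1" | check_hsts; then
    echo 0
  else
    echo $?
  fi
}

# Constructed sample responses (modelled on the article's curl output).
GOOD_RESPONSE='HTTP/1.1 302 Found
Server: JBoss-EAP/7
Strict-Transport-Security: max-age=31536000;
Content-Length: 0'

MISSING_RESPONSE='HTTP/1.1 302 Found
Server: JBoss-EAP/7
Content-Length: 0'

SHORT_RESPONSE='HTTP/1.1 200 OK
strict-transport-security: max-age=600; includeSubDomains'

printf 'good:    %s\n' "$(hsts_status "$GOOD_RESPONSE")"    # 0
printf 'missing: %s\n' "$(hsts_status "$MISSING_RESPONSE")" # 1
printf 'short:   %s\n' "$(hsts_status "$SHORT_RESPONSE")"   # 2
```

A short max-age is treated as a failure because it limits how long browsers keep enforcing HTTPS; the one-year threshold matches the header value the Undertow filter above sets. Run the script against each listening port (for example 8444 as mentioned above) after applying the configuration and restarting the service.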



How to resolve this issue for VAPP:

Note: the user "Jbossmgr" below is just an example; you can use any name for the user.

Run: sudo /opt/CA/wildfly-idm/bin/

What type of user do you wish to add?
 a) Management User (
 b) Application User (
(a): a

Enter the details of the new user to add.
Using realm 'ManagementRealm' as discovered from the existing property files.
Username: Jbossmgr
Password recommendations are listed below. To modify these restrictions edit the configuration file.
 - The password should not be one of the following restricted values {root, admin, administrator}
 - The password should contain at least 8 characters, 1 alphabetic character(s), 1 digit(s), 1 non-alphanumeric symbol(s)
 - The password should be different from the username
Password :
JBAS015266: Password must have at least 1 digit.
Are you sure you want to use the password entered yes/no? yes
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma-separated list, or leave blank for none)[  ]:
About to add user 'mark' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user 'Jbossmgr' to file '/opt/CA/wildfly-idm/standalone/configuration/'
Added user 'Jbossmgr' to file '/opt/CA/wildfly-idm/domain/configuration/'
Added user 'Jbossmgr' with groups  to file '/opt/CA/wildfly-idm/standalone/configuration/'
Added user 'Jbossmgr' with groups  to file '/opt/CA/wildfly-idm/domain/configuration/'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no

Now you have the user associated with the Management Realm.

Navigate to /opt/CA/wildfly-idm/bin/
execute ./
type: connect
Enter credentials (Jbossmgr)

Command 1:

Restart the Identity Manager service to load the new configuration.