HSTS in PM Jetty


Article ID: 238552


Updated On:

Products

CA Performance Management - Usage and Administration

Issue/Introduction

I am currently running 21.2.2 and plan to upgrade to 21.2.9 next week. I need to know how to configure jetty to support HSTS.

 

Plugin Output: 
  The remote HTTPS server does not send the HTTP
  "Strict-Transport-Security" header.

Environment

Dx NetOps Performance Management 21.2.9

Resolution

This is done through the custom headers setting.

In 21.2.9 the out-of-the-box custom headers value is:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; base-uri 'self'; frame-ancestors 'self'; font-src 'self'; frame-src 'self'|X-Frame-Options: SAMEORIGIN|X-Content-Type-Options: nosniff|X-XSS-Protection: 1; mode=block|Referrer-Policy: strict-origin|Feature-Policy: 'none'|Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Specifically:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

You can use SsoConfig to set the Remote Value (so the Data Aggregator (DA) picks up the same change) to the out-of-the-box 21.2.9 value, and then adjust the individual headers to whatever your environment requires.

Consider whether the max-age suits your environment; a shorter value may be appropriate. max-age is how long, counted from the last response that carried the header, a browser will refuse to connect to the host over plain HTTP and will refuse to let the user click through a certificate error. It should therefore be set in relation to how long you can commit to serving a valid, trusted HTTPS certificate on that host (and, because includeSubDomains is set, on all of its subdomains).

The out-of-the-box value is 63072000 seconds, i.e. 730 days or 2 years. You might halve it to 1 year, 31536000, which is the maximum validity most public certificates are issued with now. Note that 1 year is also the minimum max-age (together with includeSubDomains) required for submission to the browser preload list; the preload directive itself has no effect unless the domain is actually submitted there.
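The following Python script is an added example, not part of this article or of the product; it fetches the header from a host you name and evaluates it the way the scanner output above and the max-age guidance do: header missing, max-age absent or below a threshold, and preload set without the conditions the preload list requires. The host, port, path and the one-year threshold are assumptions you pass or adjust; the --insecure switch is only for lab systems with self-signed certificates.

```python
"""Fetch and evaluate a server's Strict-Transport-Security (HSTS) header.

Added example, not part of the KB article or the product. It checks the
directives defined in RFC 6797 (max-age, includeSubDomains) plus the preload
token. Host, port and the minimum-age threshold are assumptions supplied by
the caller.
"""
import http.client
import ssl
import sys

ONE_YEAR = 31536000  # seconds; also the minimum max-age the preload list accepts


def parse_hsts(value):
    """Split an HSTS header value into its directives.

    Directives are ';'-separated and their names are case-insensitive.
    A max-age that is absent or not an integer leaves max_age as None,
    which browsers treat as an invalid (ignored) header.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def evaluate_hsts(value, min_age=ONE_YEAR):
    """Return a list of findings for a header value (None = header absent).

    An empty list means the policy meets the threshold.
    """
    if value is None:
        return ["no Strict-Transport-Security header sent"]
    findings = []
    policy = parse_hsts(value)
    age = policy["max_age"]
    if age is None:
        findings.append("max-age missing or not an integer; browsers ignore the header")
    elif age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif age < min_age:
        findings.append(f"max-age {age} is below the threshold of {min_age}")
    if policy["preload"]:
        # The preload token only matters once the domain is submitted to the
        # browser preload list, and that submission requires both of these.
        if not policy["include_subdomains"]:
            findings.append("preload is set without includeSubDomains")
        if age is not None and age < ONE_YEAR:
            findings.append("preload requires max-age of at least one year")
    return findings


def fetch_hsts(host, port=443, path="/", verify=True):
    """Issue a HEAD request over TLS and return the HSTS header value, or None."""
    ctx = ssl.create_default_context()
    if not verify:  # lab systems with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python hsts_check.py <host> [port] [--insecure]
    if len(sys.argv) < 2:
        sys.exit("usage: hsts_check.py <host> [port] [--insecure]")
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 and sys.argv[2].isdigit() else 443
    header = fetch_hsts(target_host, target_port, verify="--insecure" not in sys.argv)
    print(f"Strict-Transport-Security: {header}")
    problems = evaluate_hsts(header)
    for problem in problems:
        print(f"  - {problem}")
    sys.exit(1 if problems else 0)
```

Run it against the Performance Center and DA hosts after changing the custom headers; a non-zero exit means the policy is missing or weaker than the threshold. Both the out-of-the-box value and the 1-year alternative above pass with no findings.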