Lose access to Spectrum OneClick admin page after applying STIG V-222928

Article ID: 272330


Products

DX NetOps CA Spectrum

Issue/Introduction

After implementing the following fix for STIG V-222928 in Tomcat's web.xml:

Uncomment the existing httpHeaderSecurity filter section, or create the filter section using the following code:

NOTE: The hstsIncludeSubDomains param-value and the url-pattern value may change according to local deployment requirements. With includeSubDomains set and a max-age of one year, a browser that has seen the header will refuse plain-HTTP connections to the host and every one of its subdomains for a year, so confirm that all subdomains serve HTTPS before enabling it.
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

Create or uncomment the httpHeaderSecurity filter mapping:

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Afterwards the customer is unable to open the Spectrum OneClick Administration pages and sees the following errors.

Environment

Release : 22.2

Cause

The HSTS settings themselves are correct. Enabling HttpHeaderSecurityFilter also enables its anti-clickjacking protection, which by default adds X-Frame-Options: DENY to every response. Because the OneClick Administration pages are rendered inside frames, a browser that receives DENY refuses to display them even though the frames come from the same origin. The filter therefore needs one additional init-param that relaxes the header to SAMEORIGIN:

<init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
</init-param>

Resolution

Use the following configuration for the httpHeaderSecurity filter. The filter-mapping from the STIG fix is unchanged; restart Tomcat (the OneClick web server) after editing web.xml so the new filter definition takes effect.

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
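To confirm the change took effect without waiting for a user to report the Administration pages again, check the response headers Tomcat actually sends. The script below is an added example, not part of the Broadcom article or the Spectrum product: it reads a raw HTTP response header block, requires Strict-Transport-Security to be present and X-Frame-Options to be SAMEORIGIN rather than Tomcat's default DENY, and runs itself against two constructed sample responses. The OneClick host, port and /spectrum/ path in the usage comment are assumptions to adjust for your deployment.

```shell
#!/bin/sh
# Added example (not from the Broadcom article): verify from the response
# headers that the httpHeaderSecurity filter sends HSTS and that
# X-Frame-Options is SAMEORIGIN rather than Tomcat's default DENY.
#
# Live use (host, port and /spectrum/ path are assumptions; adjust them):
#   check_headers "$(curl -sI --cacert ca.pem https://oneclick.example.com:8443/spectrum/)"
# Test an https:// URL: HttpHeaderSecurityFilter only adds
# Strict-Transport-Security to responses on secure connections.

# check_headers RAW_HEADERS
# Prints one line per check; returns 0 if both headers look right, 1 otherwise.
check_headers() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')   # CRLF -> LF
    rc=0

    hsts=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' | head -n 1)
    if [ -n "$hsts" ]; then
        echo "ok:   $hsts"
    else
        echo "FAIL: no Strict-Transport-Security header (hstsEnabled not in effect, or not an HTTPS request)"
        rc=1
    fi

    xfo=$(printf '%s\n' "$hdrs" | grep -i '^x-frame-options:' | head -n 1)
    value=$(printf '%s' "$xfo" | cut -d: -f2- | tr -d ' \t' | tr 'a-z' 'A-Z')
    case "$value" in
        SAMEORIGIN)
            echo "ok:   $xfo" ;;
        DENY)
            echo "FAIL: $xfo (browsers will refuse to render the framed Administration pages;"
            echo "      add antiClickJackingOption=SAMEORIGIN to the filter)"
            rc=1 ;;
        '')
            echo "warn: no X-Frame-Options header (filter not mapped to this URL, or antiClickJackingEnabled=false)" ;;
        *)
            echo "FAIL: unexpected X-Frame-Options value: $xfo"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample responses (not captured from a real system):
# what Tomcat sends with the STIG-only filter ...
STIG_ONLY_RESPONSE='HTTP/1.1 200
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
'
# ... and after antiClickJackingOption=SAMEORIGIN is added.
FIXED_RESPONSE='HTTP/1.1 200
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
'

echo "== STIG-only filter =="
check_headers "$STIG_ONLY_RESPONSE" || true
echo "== with SAMEORIGIN =="
check_headers "$FIXED_RESPONSE"
```

The exit status makes the function usable in a post-change smoke test: a non-zero result after the Tomcat restart means either the filter definition was not reloaded or the antiClickJackingOption param-value was mistyped. Avoid `curl -k` outside a lab; pass the CA bundle so the check does not itself normalise ignoring certificate errors on the admin host.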