An SAP customer sees a security warning whenever they run Introscope. A detailed description follows.
Security Warning Screenshot:
*************************************
The mentioned port 8082 is the APM Introscope WebView port.
Network Diagnosis showing HSTS missing from Response Header while accessing Introscope Screenshot:
******************************************************************************************
Expected response Header Sample Screenshot:
**************************************************
Introscope EM version 10.8.1.6
Windows server 2019 Standard version 1809 with OS build 17763.5576.
Java Version: 11.0.16 (Java 1)
Manual steps to rectify the issue:
*****************************************
Please add the new insertHandler tag (as below) to em-jetty-config.xml on the Enterprise Manager, after the first one, and restart the Enterprise Manager. Please take a backup of em-jetty-config.xml before making the change.
<Call name="insertHandler">
  <Arg>
    <New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
      <Set name="rules">
        <Array type="org.eclipse.jetty.rewrite.handler.Rule">
          <Item>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">/*</Set>
              <Set name="name">Strict-Transport-Security</Set>
              <Set name="value">max-age=31536000;</Set>
            </New>
          </Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Call>
Questions:
****************
1: Why is this SAP-specific?
This is specific to SAP only. The normal agent version will pick from webview-jetty-config, not the em-jetty-config.
2: Will this manual fix be overwritten by a future patch/upgrade?
Yes, currently it is manual.
3: Will this fix be included in a future version?
Yes, once it is confirmed it will be included in the next upcoming SAP release.
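
Because the change is manual and a patch/upgrade overwrites it, the rule can be re-checked after each update. The Python script below is an added example, not part of the original article or of Introscope: it parses an em-jetty-config.xml and reports whether the HSTS HeaderPatternRule from the steps above is still in place. The function names, the sample configs and the one-year minimum max-age (taken from the snippet above) are assumptions made for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

RULE_CLASS = "org.eclipse.jetty.rewrite.handler.HeaderPatternRule"
MAX_AGE = re.compile(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', re.I)

def setting(rule, name):
    """Text of the <Set name=...> child directly under a rule element."""
    for s in rule.findall("Set"):
        if s.get("name") == name:
            return (s.text or "").strip()
    return ""

def audit_hsts(xml_text, min_age=31536000):
    """Return (ok, reason) for the HSTS rule in a Jetty XML config."""
    root = ET.fromstring(xml_text)
    for call in root.iter("Call"):
        if call.get("name") != "insertHandler":
            continue
        for rule in call.iter("New"):
            if rule.get("class") != RULE_CLASS:
                continue
            if setting(rule, "name").lower() != "strict-transport-security":
                continue
            m = MAX_AGE.search(setting(rule, "value"))
            if not m:
                return False, "max-age missing or malformed"
            if int(m.group(1)) < min_age:
                return False, "max-age %s is below %d" % (m.group(1), min_age)
            if setting(rule, "pattern") != "/*":
                return False, "pattern does not cover all paths"
            return True, "HSTS rule present"
    return False, "no HSTS HeaderPatternRule under insertHandler"

# Constructed samples: the article's rule inside a minimal <Configure> root,
# and a config as it might look after an upgrade has dropped the rule.
RULE = ('<Call name="insertHandler"><Arg><New class="org.eclipse.jetty.rewrite.handler.RewriteHandler">'
        '<Set name="rules"><Array type="org.eclipse.jetty.rewrite.handler.Rule"><Item>'
        '<New class="%s"><Set name="pattern">/*</Set>'
        '<Set name="name">Strict-Transport-Security</Set>'
        '<Set name="value">%s</Set></New></Item></Array></Set></New></Arg></Call>')
PATCHED = "<Configure>" + RULE % (RULE_CLASS, "max-age=31536000;") + "</Configure>"
RESET = "<Configure><Call name='insertHandler'><Arg/></Call></Configure>"

if __name__ == "__main__":
    # Pass the path to em-jetty-config.xml; without one, the sample is checked.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PATCHED
    ok, reason = audit_hsts(text)
    print("PASS" if ok else "FAIL", reason)
    sys.exit(0 if ok else 1)
```

The script only inspects the file on disk; the header itself appears in responses only after the Enterprise Manager has been restarted with the changed configuration.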