An SAP customer sees a security warning whenever they run Introscope. A detailed description follows.
Security Warning Screenshot:
*************************************
The port mentioned, 8082, is the APM Introscope WebView port. More details
Network Diagnosis showing HSTS missing from Response Header while accessing Introscope Screenshot:
******************************************************************************************
Expected response Header Sample Screenshot:
**************************************************
Introscope EM version 10.8.1.6
Windows server 2019 Standard version 1809 with OS build 17763.5576.
Java Version: 11.0.16 (Java 1)
Manual steps to rectify the issue:
*****************************************
Add the new insertHandler tag (shown below) to em-jetty-config.xml on the Enterprise Manager, after the first one, and restart the Enterprise Manager. Take a backup of em-jetty-config.xml before making the change.
<Call name="insertHandler">
  <Arg>
    <New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
      <Set name="rules">
        <Array type="org.eclipse.jetty.rewrite.handler.Rule">
          <Item>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">/*</Set>
              <Set name="name">Strict-Transport-Security</Set>
              <Set name="value">max-age=31536000;</Set>
            </New>
          </Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Call>
Questions:
****************
1: Why is this SAP specific?
This is specific to SAP only. The normal agent version will pick it up from webview-jetty-config, not em-jetty-config.
2: Will this manual fix be overwritten by a future patch/upgrade?
Yes, currently it is manual.
3: Will this fix be included in a future version?
Yes, once it is confirmed it will be included in the next upcoming SAP release.
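Because the manual change is overwritten by a patch or upgrade (question 2), em-jetty-config.xml should be re-checked afterwards. The Python script below is an added example, not Broadcom or SAP code: it parses the file and confirms that an insertHandler call carries a HeaderPatternRule setting Strict-Transport-Security on /* with a max-age of at least one year. The function names and the <Configure> wrapper in the constructed sample are assumptions made for the illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

RULE_CLASS = "org.eclipse.jetty.rewrite.handler.HeaderPatternRule"

def hsts_rules(xml_text):
    """Return the <Set> values of every HeaderPatternRule that sets HSTS."""
    root = ET.fromstring(xml_text)
    found = []
    for call in root.iter("Call"):
        if call.get("name") != "insertHandler":
            continue
        for rule in call.iter("New"):
            sets = {s.get("name"): (s.text or "").strip() for s in rule.findall("Set")}
            is_hsts = sets.get("name", "").lower() == "strict-transport-security"
            if rule.get("class") == RULE_CLASS and is_hsts:
                found.append(sets)
    return found

def max_age(value):
    """Extract max-age in seconds from a header value, or None if absent."""
    m = re.search(r'\bmax-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def check_config(xml_text, min_age=31536000):
    """True only if an HSTS rule covers /* with max-age >= min_age."""
    return any(
        r.get("pattern") == "/*" and (max_age(r.get("value", "")) or 0) >= min_age
        for r in hsts_rules(xml_text)
    )

# Constructed samples: an assumed <Configure> wrapper around the page's snippet,
# and the same file after an upgrade has dropped the manual change.
SAMPLE_FIXED = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
 <Call name="insertHandler"><Arg>
  <New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
   <Set name="rules"><Array type="org.eclipse.jetty.rewrite.handler.Rule"><Item>
    <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
     <Set name="pattern">/*</Set>
     <Set name="name">Strict-Transport-Security</Set>
     <Set name="value">max-age=31536000;</Set>
    </New></Item></Array></Set>
  </New></Arg></Call>
</Configure>"""
SAMPLE_RESET = '<Configure id="Server" class="org.eclipse.jetty.server.Server"/>'

if __name__ == "__main__":
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FIXED
    print("HSTS rule present" if check_config(text) else "HSTS rule MISSING")
```

Run it with the path to em-jetty-config.xml as the only argument; without an argument it checks the constructed sample.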
For normal users, HSTS details are as below
************************************************
https://knowledge.broadcom.com/external/article/105898/apm-107-hotfixes.html