Security Warning - HSTS missing for Wily Introscope 10.8.1.6 in Windows Server 2019 - This is an SAP release specific issue


Article ID: 370726


Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

An SAP customer sees a security warning whenever they run Introscope. A detailed description follows.

 

Security Warning Screenshot:

*************************************

The mentioned port 8082 is the APM Introscope WebView port. More details

Network diagnosis showing HSTS missing from the response header while accessing Introscope, screenshot:

******************************************************************************************

 

Expected response Header Sample Screenshot:

**************************************************

Environment

Introscope EM version 10.8.1.6 

Windows Server 2019 Standard version 1809 with OS build 17763.5576.

Java Version:  11.0.16 (Java 1)

Resolution

Manual steps to rectify the issue:

*****************************************

Please add the new insertHandler tag (shown below) to em-jetty-config.xml on the Enterprise Manager, after the first one, and restart the Enterprise Manager. Please take a backup of em-jetty-config.xml before making the change.

<Call name="insertHandler">
  <Arg>
    <New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
      <Set name="rules">
        <Array type="org.eclipse.jetty.rewrite.handler.Rule">
          <Item>
            <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
              <Set name="pattern">/*</Set>
              <Set name="name">Strict-Transport-Security</Set>
              <Set name="value">max-age=31536000;</Set>
            </New>
          </Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Call>
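Because the change is manual and a later patch or upgrade overwrites it, it helps to be able to confirm that the rule is still present in em-jetty-config.xml. The following is an added example, not code from the article or the product: it parses a Jetty XML configuration and reports whether a HeaderPatternRule sets Strict-Transport-Security for every path with a positive max-age. The function names and the sample documents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
RULE_CLASS = "org.eclipse.jetty.rewrite.handler.HeaderPatternRule"

def hsts_max_age(value):
    """Return max-age (seconds) from an HSTS header value, or None if invalid."""
    seen = None
    for directive in value.split(";"):   # empty parts: tolerates a trailing ';'
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() != "max-age":
            continue
        arg = arg.strip().strip('"')
        if seen is not None or not re.fullmatch(r"[0-9]+", arg):
            return None                  # duplicate or non-numeric max-age
        seen = int(arg)
    return seen

def hsts_rules(xml_text):
    """Return [(pattern, value)] for each HeaderPatternRule that sets HSTS."""
    found = []
    for new in ET.fromstring(xml_text).iter("New"):
        if new.get("class") != RULE_CLASS:
            continue
        props = {s.get("name"): (s.text or "").strip() for s in new.findall("Set")}
        if props.get("name", "").lower() == "strict-transport-security":
            found.append((props.get("pattern"), props.get("value", "")))
    return found

def config_sets_hsts(xml_text):
    """True if a rule covers every path (/*) with a positive max-age."""
    return any(p == "/*" and (hsts_max_age(v) or 0) > 0
               for p, v in hsts_rules(xml_text))

# Constructed sample input: minimal Configure document holding the article's rule.
PATCHED = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
 <Call name="insertHandler"><Arg>
  <New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
   <Set name="rules"><Array type="org.eclipse.jetty.rewrite.handler.Rule"><Item>
    <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
     <Set name="pattern">/*</Set>
     <Set name="name">Strict-Transport-Security</Set>
     <Set name="value">max-age=31536000;</Set>
    </New>
   </Item></Array></Set>
  </New>
 </Arg></Call></Configure>"""
UNPATCHED = '<Configure id="Server" class="org.eclipse.jetty.server.Server"/>'
if __name__ == "__main__":
    print(config_sets_hsts(PATCHED), config_sets_hsts(UNPATCHED))
```

To check a real installation, pass the text of em-jetty-config.xml to config_sets_hsts; a False result after a patch or upgrade means the handler has to be added again.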

 

Questions:

****************

1: Why is this SAP specific?

This is specific to SAP only. The normal agent version picks this up from webview-jetty-config, not from em-jetty-config.

2: Will this manual fix be overwritten by a future patch/upgrade?

Yes, currently it is manual.

3: Will this fix be included in a future version?

Yes, once it is confirmed it will be included in the next upcoming SAP release.

 

Additional Information