Enabling HSTS Header on Service Catalog

Article ID: 74958

Products

CA Service Catalog

Issue/Introduction

The HTTP Strict Transport Security (HSTS) specification, RFC 6797, says:

An HTTP host declares itself an HSTS Host by issuing to UAs (User Agents) an HSTS Policy, which is represented by and conveyed via the Strict-Transport-Security HTTP response header field over secure transport (e.g. TLS).

Example (the system.webServer section of an IIS web.config file):

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=31536000"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>


Use case:
 
We are trying to remediate a security finding where no HSTS header is set when the web agent redirects the user to a Login page for Authentication. 


This is the flow:
1. User hits a protected page.
2. SiteMinder is configured for Forms Authn and redirects the user to a Login.asp page.

Now on the 302 to the login page there is no HSTS header, but on the 200 when the page is rendered there is an HSTS header. The finding is that there is NO HSTS header on the 302, and they are expecting to see the header.

Is this the expected behavior, or can we do something about the HSTS headers on the redirect?

Environment

CA Service Catalog

Resolution

Perform the following steps on all CA Service Catalog Tomcat Web Servers:

  1. Ensure that SSL is enabled for CA Service Catalog. For more information, see Enable SSL Authentication for CA SM 17.2.
  2. Add the following configuration to the web.xml file located under the CA Service Catalog/Tomcat Web Server installation directory:

    For example: C:\Program Files\CA\Service Catalog\view\webapps\usm\WEB-INF\web.xml

  3. Add the filter configuration below under the <!-- Add filter here --> comment:


Filter

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <init-param>
    <param-name>blockContentTypeSniffingEnabled</param-name>
    <param-value>false</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>

  4. Add the following configuration under the <!-- Add filter-mapping here --> comment:

Filter-Mapping

  5. Close the web.xml file.

  6. Restart the CA Service Catalog services.



Verification HSTS Header
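As an added example that is not part of the original article, the following Python check parses the Strict-Transport-Security header of every response in a redirect chain, so the 302 from the use case above and the 200 that follows it are both evaluated; the sample chain, its host name and the one-year threshold (the hstsMaxAgeSeconds value configured above) are constructed assumptions.

```python
# Added example, not code from the original article: parse the Strict-Transport-Security
# header of each response in a redirect chain and report where it is missing or weak.
# The sample chain below is constructed to mirror the use case: a 302 to the login
# page that carries no HSTS header, followed by a 200 that does.

MIN_MAX_AGE = 31536000  # one year, the hstsMaxAgeSeconds configured in the filter above

def parse_hsts(value: str) -> dict:
    """Split an HSTS value (RFC 6797, section 6.1) into directives; value-less ones map to True."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:  # directive names are case-insensitive; quoted values are allowed
            directives[name.strip().lower()] = val.strip().strip('"') or True
    return directives


def check_response(status: int, headers: dict) -> list:
    """Return findings for one response; an empty list means it is compliant."""
    # Header field names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return [f"{status}: no Strict-Transport-Security header"]
    max_age = parse_hsts(value).get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        return [f"{status}: HSTS header has no valid max-age"]
    if int(max_age) < MIN_MAX_AGE:
        return [f"{status}: max-age {max_age} is below {MIN_MAX_AGE}"]
    return []


def check_chain(responses: list) -> list:
    """Check every hop: a redirect is a response too, and may carry or omit the policy."""
    findings = []
    for status, headers in responses:
        findings.extend(check_response(status, headers))
    return findings


# Constructed sample chain: protected page -> 302 to Login.asp -> 200 login page.
SAMPLE_CHAIN = [
    (302, {"Location": "https://catalog.example.invalid/Login.asp"}),
    (200, {"Content-Type": "text/html",
           "Strict-Transport-Security": "max-age=31536000"}),
]

if __name__ == "__main__":
    for finding in check_chain(SAMPLE_CHAIN):
        print(finding)
```

To check a live server, capture each hop's status and headers without following redirects automatically and pass them to check_chain in the same (status, headers) form.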

===========================

Additional Information

For further details on HSTS and the explanation above, see the IIS vendor documentation (https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/hsts), the CA Platform Support Matrix, and the docops.ca.com product documentation.