Symantec Access Management

  • 1.  Implementing HSTS on Federation SPS

    Posted Dec 13, 2016 12:51 PM

I am trying to enable HTTP Strict Transport Security on a federation proxy server. I have enabled the headers module in the Apache HTTP Server and set the response headers in the <VirtualHost> block in proxy-engine/conf/server.conf. The response headers are not being populated though. Any ideas? Should I be setting the headers through Tomcat instead?



  • 2.  Re: Implementing HSTS on Federation SPS

    Broadcom Employee
    Posted Dec 13, 2016 03:29 PM

    The response headers being referred to, are they part of UserAgent from server.conf?

    Or is this a regular SSO web agent HTTP response?

    If you have enabled the headers module in the Apache HTTP Server, have you verified the module is actively loaded?

    . ./ca_sps_env.sh

    ./apachectl -t -D DUMP_MODULES

    SPS Default output (no ):

    Loaded Modules:
    core_module (static)
    so_module (static)
    http_module (static)
    mpm_worker_module (static)
    env_module (shared)
    log_config_module (shared)
    setenvif_module (shared)
    mime_module (shared)
    negotiation_module (shared)
    dir_module (shared)
    jk_module (shared)
    cgi_module (shared)
    alias_module (shared)
    authz_host_module (shared)
    authn_core_module (shared)
    authz_core_module (shared)
    unixd_module (shared)
    slotmem_shm_module (shared)

     

    And the IfModule section is located under Apache, not in the Tomcat server.conf.

    #<IfModule headers_module>
    #RequestHeader unset DNT env=bad_DNT
    #</IfModule>

     

    I have not come across any SPS run book or tech note regarding this integration between HTTP Strict Transport Security and SPS; if it is not documented, there is no guarantee it will work.

     

    Additional related info: CA SSO : SPS Hardening Security : Suppress Server Headers

     

    Hongxu 



  • 3.  Re: Implementing HSTS on Federation SPS
    Best Answer

    Posted Dec 16, 2016 04:20 AM

    Hi,

     

    Apart from loading the module, please add this into SPS_HOME/extra/httpd-ssl.conf file in the <VirtualHost _default_:443> block:

     

    <VirtualHost _default_:443>

     Header always set Strict-Transport-Security "max-age=63072000"

    ....

    </VirtualHost>

     

    Then restart the SiteMinder Secure Proxy and SiteMinder Proxy Engine services.

     

    Thank you,

    Alex



  • 4.  Re: Implementing HSTS on Federation SPS

    Posted Dec 16, 2016 09:01 AM

    I like what is suggested by Alex. Test it and suggest if it works.

     

    Additionally we need to take care of the following aspects.

    • Make sure the CA Access Gateway Agent Configuration Object has the following parameters set. We don't want to be in a contradicting situation wherein CA Access Gateway enforces HSTS, however the cookies that are set by WebAgent code are not Secure and not HttpOnly.
      • UseHttpOnlyCookies.
      • UseSecureCookies.
    • Also, when we do this configuration on CA Access Gateway, pay attention to SSO in an Enterprise. We don't want to be in a situation where we are trying to achieve SSO from another WebAgent in an Enterprise, but those other WebAgents do not set Secure cookies, thus SSO potentially breaks OR encounters issues.
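As an added illustration of the checks discussed in Alex's answer and in the reply above (example code written for this thread, not from the product or from any poster), this Python script audits a raw HTTP response for the Strict-Transport-Security header and for the Secure/HttpOnly flags on every Set-Cookie. The two sample responses are constructed: one resembling what the original poster saw, one resembling the response after the httpd-ssl.conf directive and the UseSecureCookies/UseHttpOnlyCookies ACO settings are applied. MIN_MAX_AGE is an assumed floor, not a product value.

```python
"""Audit a raw HTTP response for HSTS and secure cookie flags.

Added example, not code from this thread or from the SPS product: it parses
the headers of a captured HTTP response (the samples below are constructed)
and reports whether Strict-Transport-Security is present with a usable
max-age and whether every Set-Cookie carries Secure and HttpOnly.
"""
from typing import Dict, List, Tuple

# RFC 6797 sets no minimum; one year is an assumed deployment floor.
# The thread's Apache directive uses max-age=63072000 (two years).
MIN_MAX_AGE = 31536000

# Constructed sample: no HSTS header, cookie without Secure/HttpOnly.
# SMSESSION is the SiteMinder session cookie name; its value is made up.
BEFORE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: SMSESSION=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: after 'Header always set Strict-Transport-Security'
# in httpd-ssl.conf and UseSecureCookies/UseHttpOnlyCookies in the ACO.
AFTER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=63072000\r\n"
    "Set-Cookie: SMSESSION=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs from the response head.
    Repeated fields such as several Set-Cookie lines are all kept."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_hsts(value: str) -> Dict[str, object]:
    """Split 'max-age=63072000; includeSubDomains' into a directive map."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(headers: List[Tuple[str, str]]) -> List[str]:
    """Findings about the Strict-Transport-Security header (empty = OK)."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["Strict-Transport-Security header missing"]
    findings = []
    if len(values) > 1:
        # RFC 6797 section 8.1: a browser processes only the first STS field.
        findings.append("multiple Strict-Transport-Security headers; only the first is used")
    max_age = parse_hsts(values[0]).get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("max-age directive missing or not numeric")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below {MIN_MAX_AGE}")
    return findings


def check_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Findings about Set-Cookie attributes (empty = OK)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly")
    return findings


def audit(raw: str) -> List[str]:
    """All findings for one raw response; an empty list means it passes."""
    headers = parse_headers(raw)
    return check_hsts(headers) + check_cookies(headers)


if __name__ == "__main__":
    for label, raw in (("before", BEFORE_RESPONSE), ("after", AFTER_RESPONSE)):
        print(label, audit(raw) or ["OK"])
```

Feed it the head of a real response captured over HTTPS (for example the output of a curl -I against the SPS virtual host) to confirm both the Apache directive and the ACO cookie settings took effect before enabling HSTS for a long max-age.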


  • 5.  Re: Implementing HSTS on Federation SPS

    Posted Dec 28, 2016 01:20 PM

    This worked. Thank you!



  • 6.  Re: Implementing HSTS on Federation SPS

    Broadcom Employee
    Posted Jul 27, 2018 02:38 AM

    More than a few times I have found the Apache httpd at the front of SPS to be pretty useful for doing exactly this sort of tinkering with the headers. Cheers, Mark



  • 7.  RE: Re: Implementing HSTS on Federation SPS

    Posted Aug 09, 2019 10:31 AM
    Edited by Lord Gane Aug 13, 2019 12:50 AM



  • 9.  RE: Re: Implementing HSTS on Federation SPS

    Posted Feb 07, 2020 11:49 AM
    Hello All, 

    Can someone in the thread please provide steps to enable HSTS on SAG servers? I am following this thread and have some understanding about what needs to be done. I just don't want to miss any piece and cause downtime. 

    Thanks in advance!