Symantec Access Management


Implementing HSTS on Federation SPS

  • 1.  Implementing HSTS on Federation SPS

    Posted 12-13-2016 12:51 PM

    I am trying to enable HTTP Strict Transport Security on a federation proxy server. I have enabled the headers module in the Apache HTTP Server and set the response headers in the <VirtualHost> block in proxy-engine/conf/server.conf. The response headers are not being populated, though. Any ideas? Should I be setting the headers through Tomcat instead?



  • 2.  Re: Implementing HSTS on Federation SPS

    Posted 12-13-2016 03:29 PM

    The response headers being referred to, are they part of the UserAgent section in server.conf?

    Or is this a regular SSO web agent HTTP response?

    If you have enabled the headers module in the Apache HTTP Server, have you verified the module is actively loaded?

    . ./ca_sps_env.sh

    ./apachectl -t -D DUMP_MODULES

    SPS Default output (no ):

    Loaded Modules:
    core_module (static)
    so_module (static)
    http_module (static)
    mpm_worker_module (static)
    env_module (shared)
    log_config_module (shared)
    setenvif_module (shared)
    mime_module (shared)
    negotiation_module (shared)
    dir_module (shared)
    jk_module (shared)
    cgi_module (shared)
    alias_module (shared)
    authz_host_module (shared)
    authn_core_module (shared)
    authz_core_module (shared)
    unixd_module (shared)
    slotmem_shm_module (shared)

     

    And the IfModule section is located under Apache, not in the Tomcat server.conf.

    #<IfModule headers_module>
    #RequestHeader unset DNT env=bad_DNT
    #</IfModule>

     

    I have not come across any SPS run book or tech note regarding this integration between HTTP Strict Transport Security and SPS. If it is not documented, there is no guarantee it will work.

     

    Additional related info: CA SSO : SPS Hardening Security : Suppress Server Headers

     

    Hongxu 



  • 3.  Re: Implementing HSTS on Federation SPS
    Best Answer

    Posted 12-16-2016 04:20 AM

    Hi,

     

    Apart from loading the module, please add this into SPS_HOME/extra/httpd-ssl.conf file in the <VirtualHost _default_:443> block:

     

    <VirtualHost _default_:443>

     Header always set Strict-Transport-Security "max-age=63072000"

    ....

    </VirtualHost>

     

    Then restart the SiteMinder Secure Proxy and SiteMinder Proxy Engine services.

     

    Thank you,

    Alex



  • 4.  Re: Implementing HSTS on Federation SPS

    Posted 12-16-2016 09:01 AM

    I like what is suggested by Alex. Test it and tell us if it works.

     

    Additionally, we need to take care of the following aspects.

    • Make sure the CA Access Gateway Agent Configuration Object has the following parameters set. We don't want to be in a contradicting situation wherein CA Access Gateway enforces HSTS, but the cookies set by the WebAgent code are unsecure and non-HttpOnly.
      • UseHttpOnlyCookies.
      • UseSecureCookies.
    • Also, when we apply this configuration to CA Access Gateway, pay attention to SSO in an Enterprise. We don't want to be in a situation where we are trying to achieve SSO from another WebAgent in the Enterprise, but those other WebAgents do not set Secure cookies, thus SSO potentially breaks OR encounters issues.
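    As an added verification check (written for this thread, not code from any of the posts or from the product), the following Python inspects a captured HTTPS response header block for the Strict-Transport-Security header Alex suggests and for the Secure/HttpOnly cookie flags raised in the previous post. The header blocks below are constructed samples; in practice you would feed it the output of `curl -sI https://<sps-host>/` (hostname is a placeholder).

```python
import re

# Minimum max-age worth enforcing; Alex's example uses 63072000 (two years).
HSTS_MIN_AGE = 31536000  # one year, in seconds


def parse_headers(raw):
    """Return (name, value) pairs from a raw HTTP/1.1 header block, names lower-cased."""
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_hsts(raw):
    """Return a list of findings (empty means HSTS and cookie flags look correct).

    Checks: exactly one Strict-Transport-Security header with a max-age of at
    least HSTS_MIN_AGE, and Secure + HttpOnly on every Set-Cookie (what the
    UseSecureCookies / UseHttpOnlyCookies ACO parameters are meant to produce).
    """
    headers = parse_headers(raw)
    findings = []
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    elif len(hsts) > 1:
        findings.append("multiple Strict-Transport-Security headers")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m:
            findings.append("HSTS header has no max-age")
        elif int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age below one year")
    for n, v in headers:
        if n == "set-cookie":
            cookie_name = v.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name} lacks HttpOnly")
    return findings


# Constructed sample responses: before and after applying the fix in this thread.
BEFORE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nSet-Cookie: session=abc123; Path=/\r\n\r\n"
AFTER = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000\r\n"
         "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n")
```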


  • 5.  Re: Implementing HSTS on Federation SPS

    Posted 12-28-2016 01:20 PM

    This worked. Thank you!



  • 6.  Re: Implementing HSTS on Federation SPS

    Posted 07-27-2018 02:38 AM

    More than a few times I have found the Apache httpd in front of SPS to be pretty useful for doing exactly this sort of tinkering with the headers. Cheers, Mark



  • 7.  RE: Re: Implementing HSTS on Federation SPS

    Posted 08-09-2019 10:31 AM
    Edited by Lord Gane 08-13-2019 12:50 AM

