7018848: Technical guidance to prevent a possible HSTS attack in Identity Apps 4.6 running on Tomcat

This document (7018848) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Identity Manager 4.6

NetIQ Identity Manager Roles Based Provisioning Module 4.6

Situation

Under certain circumstances, your Identity Manager deployment can be susceptible to an attack that HTTP Strict Transport Security (HSTS) is designed to prevent.

The HSTS policy instructs browsers to send every request to the site over HTTPS instead of plain-text HTTP. This ensures that the channel is encrypted before any data is sent, so an attacker on the network cannot read or modify the data in transit.

Resolution

Follow this procedure on each of the machines running Identity Manager – Roles Based Provisioning Module:

1) Stop Tomcat.

2) Edit the <tomcat-install-directory>/conf/web.xml file (on Windows, <tomcat-install-directory>\conf\web.xml).

3) Add the following filter and filter mapping to web.xml:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

4) Save the file and start Tomcat, e.g. /etc/init.d/idmapps_tomcat_init start.
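To confirm the change took effect, the following added Python example (written for this article, not part of the NetIQ product or of Tomcat) parses the filter configuration above, derives the Strict-Transport-Security value that Tomcat's HttpHeaderSecurityFilter builds from hstsMaxAgeSeconds and hstsIncludeSubDomains, and compares it with the header found in a response; the response headers used here are constructed for offline use.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the <filter> element from the article (offline input).
WEB_XML_FILTER = """<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param><param-name>antiClickJackingEnabled</param-name><param-value>false</param-value></init-param>
  <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
  <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
</filter>"""

def filter_params(xml_text):
    """Return the filter's init-params as a {param-name: param-value} dict."""
    root = ET.fromstring(xml_text)
    return {p.findtext("param-name"): p.findtext("param-value")
            for p in root.findall("init-param")}

def expected_hsts(params):
    """Header value HttpHeaderSecurityFilter builds from its hsts* params
    (Tomcat defaults: max-age 0, no includeSubDomains)."""
    value = "max-age=" + params.get("hstsMaxAgeSeconds", "0")
    if params.get("hstsIncludeSubDomains", "false").lower() == "true":
        value += ";includeSubDomains"
    return value

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains);
    tolerant of optional whitespace around the ';' separators."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            max_age = int(val.strip())
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def check_response(params, response_headers, request_is_secure):
    """True if the response carries exactly the HSTS policy the filter was
    configured to send. The filter only adds the header when Tomcat sees the
    request as secure (request.isSecure()), so on a plain-HTTP request the
    correct outcome is no header at all."""
    observed = next((v for k, v in response_headers.items()
                     if k.lower() == "strict-transport-security"), None)
    if not request_is_secure:
        return observed is None
    if observed is None:
        return False
    return parse_hsts(observed) == parse_hsts(expected_hsts(params))
```

Because the filter sets the header only on requests Tomcat considers secure, a Tomcat instance behind a TLS-terminating proxy will not send it unless the connector or a RemoteIpValve/RemoteIpFilter marks forwarded requests as secure; test the header on the externally visible HTTPS URL, not only on the Tomcat port.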

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
