How To
Summary
An IT security scan might report that an HTTPS port related to your ADMIN Server deployment is "missing HSTS" or "missing HTTP Strict Transport Security" headers.
Environment
IBM i OS
Steps
Before you begin
Carefully review the Strict Transport Security header and protocol (HSTS)
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
Determine whether your HSTS policy applies to only the domain or includes subdomains.
Determine how long the client can cache the information that indicates that the domain is an HSTS host.
Restriction: The server does not add the HSTS headers to HTTP 304 (not modified) responses. These responses are used to validate cache freshness. A client will not see the HSTS headers until it accesses at least one uncached (or stale) resource on the server.
Procedure
1. You can access the IBM Web Administration for i directly using this URL: http://hostname:2001/HTTPAdmin
2. You will be prompted for a userid and password. This will authenticate you with the server.
3. From Manage -> HTTP Servers, select the ADMIN server. Its configuration file is located at /QIBM/UserData/HTTPA/admin/conf/admin-cust.conf.
4. It is recommended to enable port 2010 and disable port 2001. Click "Configure SSL for ADMIN" in the left toolbar, then click Next.
5. Select "Yes, disable port 2001 while configuring SSL for port 2010 (recommended)" and click Next until Finish.
6. Add the Header directive for Strict-Transport-Security. Click "Edit Configuration File" in the left toolbar and add the directive below inside the <VirtualHost *:2010> ... </VirtualHost> section. Click Apply, then click OK.
Note: Adjust the parameters (for example, max-age and includeSubDomains) to your own requirements.
Header always set Strict-Transport-Security "max-age=7776000;includeSubDomains"
Example:
<VirtualHost *:2010>
RewriteRule ^(.*):2010/dcm/(.*)$ https://$1:2007/dcm/$2 [R,L]
RewriteRule ^/Navigator/?$ %{HTTP_HOST} [C]
RewriteRule ^(.*):2010$ https://$1:2003/Navigator/ [R,L]
RewriteRule ^/Navigator/(.*)$ %{HTTP_HOST}/Navigator/$1 [C]
RewriteRule ^(.*):2010/Navigator/(.*)$ https://$1:2003/Navigator/$2 [R,L]
Header always set Strict-Transport-Security "max-age=7776000;includeSubDomains"
</VirtualHost>
7. End the ADMIN server with ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN), then start it again with STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN).
8. The above configuration applies only to applications accessed via the ADMIN HTTP Server listening on port 2010 (original DCM, Web Administration, Cryptographic Coprocessor, IPP server). For more information on "Securing Liberty by using HTTP Strict Transport Security (HSTS)" with the IBM i Liberty application servers ADMIN2, ADMIN3, and ADMIN5, refer to https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_hsts.html. This process implements HSTS on ports 2005 (ADMIN2), 2007 (ADMIN3), and 2012 (ADMIN5).
NOTE: All applications hosted by ADMIN4 are accessed via the ADMIN HTTP Server. As a result, you would follow the previous steps 1-7 to resolve HSTS issues with the IBM Web Administration for i GUI (https://server:2010/HTTPAdmin).
You will need to do the following to resolve this for any ADMINx application server instance.
a) Enable the ADMINx application server for TLS communications.
NOTE: Follow the same procedure, but select "ADMINx" instead of "ADMIN2"
b) After the ADMINx application server is enabled for TLS, you will need to modify the "webContainer" element in the server configuration.
STRQSH
cp /qibm/userdata/os/admininst/adminX/wlp/usr/servers/adminX/resources/security/admin-cust.xml /qibm/userdata/os/admininst/adminX/wlp/usr/servers/adminX/resources/security/admin-cust.xml.bak
F12
WRKLNK '/qibm/userdata/os/admininst/adminX/wlp/usr/servers/adminX/resources/security/admin-cust.xml'
Use option 2 (Edit) to open the file.
Add the following <webContainer> XML element to the file between the <server> and </server> tags. Of course, you can adjust the max-age to whatever value you wish.
<webContainer deferServletLoad="false" setContentLengthOnClose="false" extractHostHeaderPort="true" trustHostHeaderPort="true" addstricttransportsecurityheader="max-age=31536000;includeSubDomains"/>
Example:
<?xml version="1.0" encoding="UTF-8"?>
<server>
  <featureManager>
    <feature>ssl-1.0</feature>
  </featureManager>
  <webContainer deferServletLoad="false" setContentLengthOnClose="false" extractHostHeaderPort="true" trustHostHeaderPort="true" addstricttransportsecurityheader="max-age=31536000;includeSubDomains"/>
  ...
</server>
After completing your edits, press F3 twice to save and exit.
Restart the ADMINx application server.
ENDTCPSVR *IAS INSTANCE(ADMINx)
STRTCPSVR *IAS INSTANCE(ADMINx)
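To verify the result of either procedure (the Header directive on ADMIN port 2010, or the webContainer element on an ADMINx Liberty port), the following Python checker is an added example and not part of this IBM document: it parses the Strict-Transport-Security value, applies the max-age and includeSubDomains policy decided on in "Before you begin", and treats a 304 response as inconclusive rather than a failure because of the restriction noted above. The sample responses are constructed; the /HTTPAdmin default path and the default minimum max-age of 7776000 (the value in the example directive) are assumptions.

```python
import http.client
import ssl

# Constructed sample responses (not captured from a real ADMIN or ADMINx server).
SAMPLE_OK = (200, {"Strict-Transport-Security": "max-age=7776000;includeSubDomains"})
SAMPLE_304 = (304, {})  # the server never adds HSTS to 304 Not Modified
SAMPLE_WEAK = (200, {"Strict-Transport-Security": "max-age=0"})

def parse_hsts(value):
    """Split an HSTS header value into its directives (directive names are case-insensitive)."""
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max-age"] = int(val)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def check_hsts(status, headers, min_max_age=7776000, require_subdomains=True):
    """Return (verdict, detail); a 304 is reported as inconclusive, not as a failure."""
    if status == 304:
        return ("inconclusive", "304 responses carry no HSTS header; request an uncached resource")
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ("fail", "Strict-Transport-Security header missing")
    policy = parse_hsts(value)
    if policy["max-age"] is None:
        return ("fail", "max-age directive missing or not an integer")
    if policy["max-age"] < min_max_age:
        return ("fail", f"max-age {policy['max-age']} is below the required {min_max_age}")
    if require_subdomains and not policy["includeSubDomains"]:
        return ("fail", "includeSubDomains directive not set")
    return ("pass", f"HSTS policy accepted: {policy}")

def fetch(host, port, path="/HTTPAdmin"):
    """Live check: a GET without If-None-Match/If-Modified-Since cannot produce a 304."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())

if __name__ == "__main__":
    for status, headers in (SAMPLE_OK, SAMPLE_304, SAMPLE_WEAK):
        print(check_hsts(status, headers))
```

For a live check, pass the result of fetch("server", 2010) (or 2005, 2007, 2012 for the Liberty instances) to check_hsts.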
Document Location
Worldwide
Document Information
Modified date:
21 April 2021
UID
ibm16361739