IBM Support

Resolving "missing HSTS" or "missing HTTP Strict Transport Security" with Integrated Application Server (IAS) and Integrated Web Services (IWS) on IBM i OS

How To


Summary

An IT security scan might report that an HTTPS port related to your IAS or IWS server is "missing HSTS" or "missing HTTP Strict Transport Security" headers.

Environment

IBM i OS
Integrated Application Server (IAS) v8.5
Integrated Web Services (IWS) v2.6

Steps

Before you begin

Carefully review the Strict Transport Security header and protocol (HSTS)
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html 

Determine whether your HSTS policy applies to only the domain or includes subdomains.
Determine how long the client can cache the information that indicates that the domain is an HSTS host.
 
Restriction: The server does not add the HSTS headers to HTTP 304 (not modified) responses. These responses are used to validate cache freshness. A client will not see the HSTS headers until it accesses at least one uncached (or stale) resource on the server.
 
Procedure
1. Open IBM Web Administration for i directly at this URL: http://hostname:2001/HTTPAdmin
2. You are prompted for an IBM i user ID and password. The profile needs the *ALLOBJ and *IOSYSCFG special authorities.
3. From Manage->HTTP Servers, select your IAS/IWS HTTP server.

 
4. If the IAS/IWS HTTP Server is not yet configured for TLS, do that first using the instructions in the document "How To Enable an IBM Integrated Web Services (IWS) Server for Secure Socket Layer (SSL) / Transport Layer Security (TLS)".
5. Once the IAS/IWS HTTP Server is configured for TLS, add the Header directive for Strict-Transport-Security.
a. Click "Edit Configuration File" on the left toolbar.
b. Add the "Strict-Transport-Security" directive inside the <VirtualHost *:443> ... </VirtualHost> section. Keep it in the TLS virtual host only: browsers ignore an HSTS header received over plain HTTP, so adding it to port 80 does nothing. The "always" condition makes Apache send the header on error responses as well as on successful ones.
Note: IBM recommends that clients configure the Strict-Transport-Security parameters according to their own needs. The value below sets a 90-day max-age (7776000 seconds) and applies the policy to subdomains.
Header always set Strict-Transport-Security "max-age=7776000;includeSubDomains"

c. Click Apply.
d. Click OK.
Example:

<VirtualHost *:443>
SSLEngine On
SSLProtocolDisable SSLv2 SSLv3 TLSv1 TLSv1.1
SSLAppName QIBM_HTTP_SERVER_WSERVICE
SetEnv HTTPS_PORT 443

Header always set Strict-Transport-Security "max-age=7776000;includeSubDomains"
</VirtualHost>
6. Restart the IAS/IWS HTTP server instance, for example with the CL commands ENDTCPSVR *HTTP HTTPSVR(<server>) followed by STRTCPSVR *HTTP HTTPSVR(<server>).
7. The configuration above applies only to applications accessed through the IAS/IWS HTTP Server port. When the IAS/IWS application server is accessed directly and no HTTP Server instance is used or created, see "Securing Liberty by using HTTP Strict Transport Security (HSTS)" at https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_hsts.html.

NOTE:  Follow the steps below only if your IAS/IWS applications are NOT accessed through the HTTP Server instance, that is, when clients connect directly to the application server's own HTTP/HTTPS transport port in the URL. These steps implement HSTS in the IAS/IWS application server (Liberty) configuration itself.

 
Do the following for each IAS/IWS application server instance that needs the header.
a) Enable the IAS/IWS application server for TLS communications.
NOTE:  Follow the same procedure as for the administration server, but select your IAS/IWS application server instead of "ADMIN2".
b) After the IAS/IWS application server is enabled for TLS, modify the "webContainer" element in the server configuration. Back up server.xml first:
STRQSH
cp /www/<server>/wlp/usr/servers/<server>/server.xml /www/<server>/wlp/usr/servers/<server>/server.xml.bak
F12
WRKLNK '/www/<server>/wlp/usr/servers/<server>/server.xml'
Option 2 to edit.
Add the attribute to your existing <webContainer> element, keeping the attribute values already present in your server.xml; the element below shows one such instance with the new attribute in place. IBM encourages clients to customize the Strict-Transport-Security parameters and their values as needed.
<webContainer allowIncludeSendError="true"
    asyncMaxSizeTaskPool="5000"
    asyncPurgeInterval="30000"
    asyncTimeoutDefault="30000"
    asyncTimerThreads="2"
    channelWriteType="async"
    copyAttributesKeySet="false"
    decodeUrlAsUtf8="true"
    decodeUrlPlusSign="false"
    defaultHeadRequestBehavior="false"
    defaultTraceRequestBehavior="false"
    deferServletLoad="true"
    directoryBrowsingEnabled="false"
    disableXPoweredBy="false"
    disallowAllFileServing="false"
    enableDefaultIsElIgnoredInTag="false"
    enableErrorExceptionTypeFirst="false"
    enableJspMappingOverride="false"
    enableMultiReadOfPostData="false"
    exposeWebInfOnDispatch="true"
    extractHostHeaderPort="true"
    fileServingEnabled="true"
    httpsIndicatorHeader=""
    ignoreSessiononStaticFileRequest="false"
    invokeFilterInitAtStartup="true"
    logServletContainerInitializerClassLoadingErrors="true"
    metaInfResourcesCacheSize="20"
    parseUtf8PostData="false"
    serveServletsByClassnameEnabled="false"
    setContentLengthOnClose="false"
    skipMetaInfResourcesProcessing="false"
    suppressHtmlRecursiveErrorOutput="false"
    symbolicLinksCacheSize="1000"
    tolerateSymbolicLinks="true"
    trustHostHeaderPort="true"
    trusted="true"
    xPoweredBy="IBM i"
    addstricttransportsecurityheader="max-age=31536000;includeSubDomains"/>

 
You are adding the addstricttransportsecurityheader="max-age=31536000;includeSubDomains" property to the webContainer element.
Press F3 twice to save and exit.
Restart the IAS/IWS application server instance.
ENDTCPSVR *IAS INSTANCE(<server>)
STRTCPSVR *IAS INSTANCE(<server>)
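After either procedure (the HTTP Server directive or the Liberty webContainer attribute), confirm from the client side that the header actually reaches a browser and matches the policy chosen under "Before you begin". The script below is an added example, not code from this document or from IBM i: it parses a Strict-Transport-Security value according to RFC 6797, compares max-age and includeSubDomains with the chosen policy, and treats a 304 response as inconclusive because of the restriction noted above. The hostname, port and CA-bundle path in the live-check line are placeholders, and the sample responses are constructed, not captured from a real system.

```python
"""Client-side check of the HSTS policy returned by an IAS/IWS HTTPS endpoint.

Added example; not code from the IBM document or from IBM i.
Assumed placeholders: the hostname/port in the live-check URL and the
CA bundle path. The sample responses at the bottom are constructed.
"""
import re
import ssl
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 6797: directives are ';'-separated, names are case-insensitive and
# the max-age value may be a quoted string.
MAX_AGE_RE = re.compile(r'^max-age\s*=\s*"?(\d+)"?\s*$', re.IGNORECASE)


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    conclusive: bool            # False for 304 responses (no header is added to them)
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> Tuple[Optional[int], bool, bool]:
    """Return (max_age, includeSubDomains, preload) from a header value."""
    max_age: Optional[int] = None
    include_sub = preload = False
    for directive in value.split(";"):
        d = directive.strip()
        name = d.split("=", 1)[0].strip().lower()
        if name == "max-age":
            m = MAX_AGE_RE.match(d)
            if m:
                max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def check_hsts_response(status: int, headers: Dict[str, str],
                        min_max_age: int = 7776000,
                        require_subdomains: bool = True) -> HstsResult:
    """Judge one response against the chosen policy.

    The defaults mirror the document's HTTP Server example: 90 days, subdomains.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    max_age, include_sub, preload = parse_hsts(value) if value else (None, False, False)
    if status == 304:
        # Restriction from the document: the server never adds HSTS to a 304,
        # so a missing header here proves nothing. Retry with an uncached resource.
        return HstsResult(value is not None, max_age, include_sub, preload, False,
                          ["304 Not Modified: retry against an uncached resource"])
    problems: List[str] = []
    if value is None:
        problems.append("Strict-Transport-Security header missing")
    else:
        if max_age is None:
            problems.append("max-age directive missing; browsers ignore the header")
        elif max_age < min_max_age:
            problems.append(f"max-age {max_age} is below the policy minimum {min_max_age}")
        if require_subdomains and not include_sub:
            problems.append("includeSubDomains missing but required by policy")
    return HstsResult(value is not None, max_age, include_sub, preload, True, problems)


def fetch(url: str, cafile: Optional[str] = None) -> Tuple[int, Dict[str, str]]:
    """Fetch status and headers over TLS. No conditional-request headers are sent,
    so the server cannot answer 304. Pass cafile if the IBM i certificate is not
    publicly trusted; certificate verification is deliberately left on."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"Cache-Control": "no-cache"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed responses (not captured from a real system) for an offline run.
    samples = [
        (200, {"Strict-Transport-Security": "max-age=7776000;includeSubDomains"}),
        (200, {"Content-Type": "text/html"}),
        (304, {}),
    ]
    for status, hdrs in samples:
        print(status, check_hsts_response(status, hdrs))
    # Live check (replace the placeholder host/port and CA bundle):
    # print(check_hsts_response(*fetch("https://hostname:443/", cafile="ca.pem")))
```

Run it against the HTTP Server port after step 6 and, if you used the Liberty procedure, against the application server's own HTTPS port as well; a scanner that keeps reporting "missing HSTS" after the header is present is usually either hitting the plain-HTTP port or judging a cached 304 response.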

Document Location

Worldwide


Document Information

Modified date:
19 March 2021

UID

ibm16428195