Linux/Unix:
===============
First, verify that the ITM WAS and IHS have been upgraded to at least 08.55.18.00:
CH=/opt/IBM/ITM
$CH/bin/cinfo -t | grep -E '^iw|^iu'
The result should look similar to the following:
iu IBM HTTP Server lx8266 08.55.18.01 d6276a 20201014 1832
iw IBM Tivoli Enterprise Portal Server Extensions lx8266 08.55.18.01 d6276a 20201014 1830
Second, verify that the TEPS is running, or start the TEPS.
Verify the TEPS is running:
CH=/opt/IBM/ITM
$CH/bin/cinfo -r | grep ' cq '
The result should look similar to the following, ending with the string ...running:
system1 cq 16974072 root 13:09:17 None ...running
If the TEPS is not running, start the TEPS:
CH=/opt/IBM/ITM
$CH/bin/itmcmd agent start cq
Third, add the addStrictTransportSecurityHeader property to the ITMServer/server.xml.
You can add the property by using either the WAS wsadmin utility or the TEPS/e (WAS Admin) console.
To add the HSTS setting through the WAS wsadmin tool:
# Set CH to FQN of CANDLEHOME directory
CH=/opt/IBM/ITM
# Set WAS directories
IWDIR=`ls -d $CH/*/iw 2> /dev/null`
SERVDIR='profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/servers/ITMServer'
# Create addStrictTransportSecurityHeader.jacl
echo 'set server [$AdminConfig getid /Server:ITMServer/]
set webcontainer [$AdminConfig list WebContainer $server]
$AdminConfig create Property $webcontainer {{name com.ibm.ws.webcontainer.addStrictTransportSecurityHeader} {value "max-age=31536000; includeSubDomains"}} properties
$AdminConfig show $webcontainer
$AdminConfig save
exit 0
' > $IWDIR/scripts/addStrictTransportSecurityHeader.jacl
# Run wsadmin to add addStrictTransportSecurityHeader to server.xml
$IWDIR/profiles/ITMProfile/bin/wsadmin.sh -f $IWDIR/scripts/addStrictTransportSecurityHeader.jacl
# Verify that the addStrictTransportSecurityHeader was added.
grep addStrictTransportSecurityHeader $IWDIR/$SERVDIR/server.xml
If you would rather use the TEPS/e console, add the HSTS setting through the TEPS/e (WAS Admin) console as follows:
On the TEPS server system, enable ISCLite:
CH=/opt/IBM/ITM
IWDIR=`ls -d $CH/*/iw 2> /dev/null`
$IWDIR/scripts/enableISCLite.sh true
If you do not know the wsadmin password, you can reset it on the TEPS server system with commands like the following, where the last parameter is the password value to set (replace the sample value shown with your own password).
CH=/opt/IBM/ITM
IWDIR=`ls -d $CH/*/iw 2> /dev/null`
$IWDIR/scripts/updateTEPSEPass.sh wasadmin wasadmin
On a system that has a browser installed and can connect to the TEPS server system, start the TEPS/e console by entering a URL like the following. Replace TEPS.system.FQN with the fully qualified name of the TEPS server system.
https://TEPS.system.FQN:15206/ibm/console
Once you have logged in to the TEPS/e console:
Select Servers
Select Server Types
Select WebSphere application servers
Select ITMServer
Under the Configuration tab
Select Web Container Settings
Select Web container
Select Custom properties
Select New
Enter these values for the following fields:
Name - com.ibm.ws.webcontainer.addStrictTransportSecurityHeader
Values - max-age=31536000; includeSubDomains
Description - HSTS
Select Apply
Select Save
Select Logout
On the TEPS server system (Linux or AIX), recycle the TEPS so that the new setting takes effect.
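The grep above only confirms that the property is in server.xml. The following added example (not part of the original procedure) checks, after the TEPS has been recycled, that HTTP response headers actually carry the configured policy. The function names check_hsts and sample_headers are hypothetical, and the sample headers are constructed.

```shell
#!/bin/sh
# Added example: check captured response headers for the HSTS policy configured above.
# Against a live TEPS the headers could be captured with, for example:
#   curl -skI https://TEPS.system.FQN:15206/ibm/console | check_hsts
# (whether a given URL returns the header is an assumption to confirm on your system)

# check_hsts [min_max_age]  -- reads HTTP response headers on stdin.
# Returns 0 = policy OK, 1 = header absent, 2 = max-age missing or too small,
#         3 = includeSubDomains missing.
check_hsts() {
    min=${1:-31536000}
    # Header names are case-insensitive; strip CRs from CRLF line endings.
    line=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no Strict-Transport-Security header"
        return 1
    fi
    # Directive names are case-insensitive, so compare in lower case.
    value=$(printf '%s\n' "${line#*:}" | tr 'A-Z' 'a-z')
    age=$(printf '%s\n' "$value" | sed -n 's/.*max-age="\{0,1\}\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt "$min" ]; then
        echo "FAIL: max-age '${age:-missing}' is below $min"
        return 2
    fi
    case "$value" in
        *includesubdomains*) ;;
        *) echo "FAIL: includeSubDomains directive missing"; return 3 ;;
    esac
    echo "OK: max-age=$age; includeSubDomains"
    return 0
}

# Constructed sample response headers (not captured from a real TEPS).
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: text/html\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n'
    printf '\r\n'
}

sample_headers | check_hsts
```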
=============
WINDOWS:
========
The TEPS/e console process can be used on Windows or Linux/Unix.
Here is that process customized for Windows terminology.
You can add the HSTS setting through the TEPS/e (WAS Admin) console:
On the TEPS server system, enable ISCLite:
Follow the 4-step procedure described in the following IBM Knowledge Center document to enable the TEPS/e Administration Console: https://www.ibm.com/support/knowledgecenter/de/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/adminuse/userauthenticate_tepse_consolestart.htm
Connect to the TEPS server system and start the TEPS/e console by entering a URL like the following. Replace TEPS.system.FQN with the fully qualified name of the TEPS server system.
https://TEPS.system.FQN:15206/ibm/console
Once you have logged in to the TEPS/e console:
Select Servers
Select Server Types
Select WebSphere application servers
Select ITMServer
Under the Configuration tab
Select Web Container Settings
Select Web container
Select Custom properties
Select New
Enter these values for the following fields:
Name - com.ibm.ws.webcontainer.addStrictTransportSecurityHeader
Values - max-age=31536000; includeSubDomains
Description - HSTS
Select Apply
Select Save
Select Logout
=================