Data Protection Software


How to enable HSTS in ITM?

  • 1.  How to enable HSTS in ITM?

    Posted Wed March 24, 2021 04:07 AM

    How to enable the HTTP Strict Transport Security protocol in the ITM TEPS server?



    #Support
    #SupportMigration
    #Tivoli


  • 2.  RE: How to enable HSTS in ITM?

    Posted Wed March 24, 2021 04:09 AM

    Linux/Unix :

    ===============

    First, verify that the ITM WAS and IHS have been upgraded to 08.55.18.00 at least:

    CH=/opt/IBM/ITM
    $CH/bin/cinfo -t | grep -E '^iw|^iu'

    The result should look similar to the following:

    iu IBM HTTP Server lx8266 08.55.18.01 d6276a 20201014 1832
    iw IBM Tivoli Enterprise Portal Server Extensions lx8266 08.55.18.01 d6276a 20201014 1830

    Second, verify that the TEPS is running, or start the TEPS.

    Verify the TEPS is running:

    CH=/opt/IBM/ITM
    $CH/bin/cinfo -r | grep ' cq '

    The result should look similar to the following, ending with the string ...running:

    system1 cq 16974072 root 13:09:17 None ...running

    If the TEPS is not running, start the TEPS:

    CH=/opt/IBM/ITM
    $CH/bin/itmcmd agent start cq

    Third, add the addStrictTransportSecurityHeader property to the ITMServer/server.xml.

    You can add the property by using the WAS wsadmin utility or the TEPS/e (WAS Admin) console.

    Add the HSTS setting through the WAS wsadmin tool.

    # Set CH to FQN of CANDLEHOME directory
    CH=/opt/IBM/ITM
    # Set WAS directories
    IWDIR=`ls -d $CH/*/iw 2> /dev/null`
    SERVDIR='profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/servers/ITMServer'
    # Create addStrictTransportSecurityHeader.jacl
    echo 'set server [$AdminConfig getid /Server:ITMServer/]
    set webcontainer [$AdminConfig list WebContainer $server]
    $AdminConfig create Property $webcontainer {{name com.ibm.ws.webcontainer.addStrictTransportSecurityHeader} {value "max-age=31536000; includeSubDomains"}} properties
    $AdminConfig show $webcontainer
    $AdminConfig save
    exit 0
    ' > $IWDIR/scripts/addStrictTransportSecurityHeader.jacl
    # Run wsadmin to add addStrictTransportSecurityHeader to server.xml
    $IWDIR/profiles/ITMProfile/bin/wsadmin.sh -f $IWDIR/scripts/addStrictTransportSecurityHeader.jacl
    # Verify that the addStrictTransportSecurityHeader was added.
    grep addStrictTransportSecurityHeader $IWDIR/$SERVDIR/server.xml

    If you would rather use the TEPS/e console, add the HSTS setting through the TEPS/e (WAS Admin) console:

    On the TEPS server system, enable ISCLite:

    CH=/opt/IBM/ITM
    IWDIR=`ls -d $CH/*/iw 2> /dev/null`
    $IWDIR/scripts/enableISCLite.sh true

    If you do not know the wsadmin password, you can reset it on the TEPS server system with commands like the following, where the last parameter is the password value to set.

    CH=/opt/IBM/ITM
    IWDIR=`ls -d $CH/*/iw 2> /dev/null`
    $IWDIR/scripts/updateTEPSEPass.sh wasadmin wasadmin

    On a system with a browser installed that can connect to the TEPS server system, start the TEPS/e console by entering a URL like the following. Replace TEPS.system.FQN with the fully qualified name of the TEPS server system.

    https://TEPS.system.FQN:15206/ibm/console

    Once you have logged in to the TEPS/e console:

    Select Servers

    Select Server Types

    Select WebSphere application servers

    Select ITMServer

    Under the Configuration tab

    Select Web Container Settings

    Select Web container

    Select Custom properties

    Select New

    Enter these values for the following fields:

    Name - com.ibm.ws.webcontainer.addStrictTransportSecurityHeader

    Values - max-age=31536000; includeSubDomains

    Description - HSTS

    Select Apply

    Select Save

    Select Logout

    On the TEPS server system (Linux or AIX), recycle the TEPS.


    =============

    WINDOWS:

    ========

    The TEPS/e console process can be used on Windows or Linux/Unix.

    Here is that process customized for Windows terminology.

    You can add the HSTS setting through the TEPS/e (WAS Admin) console:

    On the TEPS server system, enable ISCLite:

    Follow the 4-step procedure described in the following IBM Knowledge Center document to enable the TEPS/e Administration Console: https://www.ibm.com/support/knowledgecenter/de/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/adminuse/userauthenticate_tepse_consolestart.htm

    Connect to the TEPS server system and start the TEPS/e console by entering a URL like the following. Replace TEPS.system.FQN with the fully qualified name of the TEPS server system.

    https://TEPS.system.FQN:15206/ibm/console

    Once you have logged in to the TEPS/e console:

    Select Servers

    Select Server Types

    Select WebSphere application servers

    Select ITMServer

    Under the Configuration tab

    Select Web Container Settings

    Select Web container

    Select Custom properties

    Select New

    Enter these values for the following fields:

    Name - com.ibm.ws.webcontainer.addStrictTransportSecurityHeader

    Values - max-age=31536000; includeSubDomains

    Description - HSTS

    Select Apply

    Select Save

    Select Logout

    =================



    #Support
    #SupportMigration
    #Tivoli
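The grep in the reply above only proves the property landed in server.xml; it does not prove the recycled TEPS actually sends the header. The following POSIX shell check is an added example, not code from the original post or from IBM: it validates a raw HTTP header block against the value configured above (max-age=31536000; includeSubDomains) and includes a live probe that assumes the port 15206 and /ibm/console path quoted in the reply, a hostname you supply, and curl on the path.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a recycled TEPS/e endpoint
# really emits the HSTS header configured via addStrictTransportSecurityHeader.
# Assumptions: console port 15206 and path /ibm/console as in the post; curl for live use.

# check_hsts_headers: read raw HTTP response headers on stdin; return 0 only if a
# Strict-Transport-Security header is present with max-age >= $1 (default 31536000,
# the value set in the post) and the includeSubDomains directive.
check_hsts_headers() {
    min_age="${1:-31536000}"
    hdr=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    [ -n "$hdr" ] || { echo "FAIL: Strict-Transport-Security header missing"; return 1; }
    value="${hdr#*:}"
    age=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] || { echo "FAIL: max-age directive missing"; return 2; }
    [ "$age" -ge "$min_age" ] || { echo "FAIL: max-age $age is below $min_age"; return 3; }
    printf '%s' "$value" | grep -qi 'includesubdomains' \
        || { echo "FAIL: includeSubDomains directive missing"; return 4; }
    echo "OK:$value"
    return 0
}

# probe_teps: live check against a TEPS host (argument: its FQN). -I fetches headers only;
# -k skips certificate validation for this header probe only, so a self-signed TEPS
# certificate does not mask the result.
probe_teps() {
    curl -skI "https://$1:15206/ibm/console" | check_hsts_headers
}

# Constructed sample responses so the check can be exercised offline.
SAMPLE_OK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'
SAMPLE_MISSING='HTTP/1.1 200 OK
Content-Type: text/html'
SAMPLE_SHORT='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300'

check_sample_ok()      { printf '%s\n' "$SAMPLE_OK"      | check_hsts_headers; }
check_sample_missing() { printf '%s\n' "$SAMPLE_MISSING" | check_hsts_headers; }
check_sample_short()   { printf '%s\n' "$SAMPLE_SHORT"   | check_hsts_headers; }
```

Run `probe_teps TEPS.system.FQN` after the recycle; a non-zero return with a FAIL line means the header is absent or weaker than configured, which is the case to investigate before relying on HSTS.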