Hi All,
We have a device vuln called "HSTS Missing From HTTPS Server (RFC 6797)". Our application is running currently in HTTP. To resolve this issue, I referred the below site and implemented it. Can start IHS (IBM HTTP Server) web server and site redirect to https automatically, even if we put http. But application shows invalid URL. 
My question is, Do we want to enable SSL or TLS? Or how to resolve this issue? Please advise

------------------------------
Dhinakaran Lakshmanadoss
------------------------------

Good morning Dhinakaran,
to which page are you referring to? Looks like the link got lost.

If your question is whether you have to enable SSL on the HTTP server the answer is YES. I.e. you need to enable SSL on the IHS so that it can serve requests via https.

If that does not answer your question please provide a bit more information.

Thanks, Hermann


------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
------------------------------

Hi Hermann,
Thanks for your response.

I need to fix this "HSTS Missing From HTTPS Server (RFC 6797)" vulnerability. Referred below site and implemented that. After that, I can start IHS (IBM HTTP Server) web server and site redirect to https automatically, even if I put http. But application shows invalid URL. Application only run in HTTP.

How to resolve the issue? If I want to enable SSL/TLS, we can't. Because, to enable it, we need to upgrade Java JDK to 8. Since our application going to retire, users don't want to do any software upgrade/ code changes. So, without SSL/TLS, can't we resolve this?

https://www.ibm.com/docs/en/was-zos/8.5.5?topic=SS7K4U_8.5.5/com.ibm.websphere.ihs.doc/ihs/tihs_hsts.html


------------------------------
Dhinakaran Lakshmanadoss
------------------------------

Original Message:
Sent: Fri July 08, 2022 02:17 AM
From: Hermann Huebler
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Good morning Dhinakaran,
to which page are you referring to? Looks like the link got lost.

If your question is whether you have to enable SSL on the HTTP server the answer is YES. I.e. you need to enable SSL on the IHS so that it can serve requests via https.

If that does not answer your question please provide a bit more information.

Thanks, Hermann


------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
------------------------------

Hi, this is a header that is added to tell the browser to communicate only with SSL/TLS.  The plugin to WAS does not need to communicate over SSL/TLS, but it means that part of the communications is using clear text.  

You may need to add *:443 to the virtual hosts and then regenerate and propagate the plugin.  This will allow the plugin to accept the request.  It would be helpful to get the actual message that is being shown, what is in the plugin log and app server logs.

Brian

------------------------------
Brian S Paskin
Sr. Cloud Engineer
IBM Cloud Engineering
------------------------------

Original Message:
Sent: Fri July 08, 2022 02:31 AM
From: Dhinakaran Lakshmanadoss
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Hi Hermann,
Thanks for your response.

I need to fix this "HSTS Missing From HTTPS Server (RFC 6797)" vulnerability. Referred below site and implemented that. After that, I can start IHS (IBM HTTP Server) web server and site redirect to https automatically, even if I put http. But application shows invalid URL. Application only run in HTTP.

How to resolve the issue? If I want to enable SSL/TLS, we can't. Because, to enable it, we need to upgrade Java JDK to 8. Since our application going to retire, users don't want to do any software upgrade/ code changes. So, without SSL/TLS, can't we resolve this?

https://www.ibm.com/docs/en/was-zos/8.5.5?topic=SS7K4U_8.5.5/com.ibm.websphere.ihs.doc/ihs/tihs_hsts.html


------------------------------
Dhinakaran Lakshmanadoss
------------------------------


Original Message:
Sent: Fri July 08, 2022 02:17 AM
From: Hermann Huebler
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Good morning Dhinakaran,
to which page are you referring to? Looks like the link got lost.

If your question is whether you have to enable SSL on the HTTP server the answer is YES. I.e. you need to enable SSL on the IHS so that it can serve requests via https.

If that does not answer your question please provide a bit more information.

Thanks, Hermann


------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion

Hello Dhinakaran,
if you say "I want to enable SSL/TLS, we can't." - where aren't you able to enable SSL/TLS? On the HTTP server? The enablement of SSL on the HTTP server should not depend on the Java version. Hence I'm not sure why you say this is related to the Java version.

As Brian mentioned as well you might need to add a VirtualHost Entry on WAS to accept port 443 as well. Another thing which might be needed is to set the UseInsecure (https://www.ibm.com/docs/en/was-nd/8.5.5?topic=ins-web-server-plug-in-custom-properties#rwsv_plugin_customprop__UseInsecure) custom property on the Plugin so allow the plugin to forward requests it received on HTTPS via HTTP to WAS.
​

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
------------------------------

Original Message:
Sent: Fri July 08, 2022 02:31 AM
From: Dhinakaran Lakshmanadoss
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Hi Hermann,
Thanks for your response.

I need to fix this "HSTS Missing From HTTPS Server (RFC 6797)" vulnerability. Referred below site and implemented that. After that, I can start IHS (IBM HTTP Server) web server and site redirect to https automatically, even if I put http. But application shows invalid URL. Application only run in HTTP.

How to resolve the issue? If I want to enable SSL/TLS, we can't. Because, to enable it, we need to upgrade Java JDK to 8. Since our application going to retire, users don't want to do any software upgrade/ code changes. So, without SSL/TLS, can't we resolve this?

https://www.ibm.com/docs/en/was-zos/8.5.5?topic=SS7K4U_8.5.5/com.ibm.websphere.ihs.doc/ihs/tihs_hsts.html


------------------------------
Dhinakaran Lakshmanadoss
------------------------------


Original Message:
Sent: Fri July 08, 2022 02:17 AM
From: Hermann Huebler
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Good morning Dhinakaran,
to which page are you referring to? Looks like the link got lost.

If your question is whether you have to enable SSL on the HTTP server the answer is YES. I.e. you need to enable SSL on the IHS so that it can serve requests via https.

If that does not answer your question please provide a bit more information.

Thanks, Hermann


------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion

In our httpd.conf file following lines are present. What changes should I make to enable SSL in httpd.conf?
Listen {server_name}:8080​

<VirtualHost {server_name}:8080>
ServerName {server_name}
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</VirtualHost>

------------------------------
Dhinakaran Lakshmanadoss
------------------------------

Original Message:
Sent: Fri July 08, 2022 06:35 AM
From: Hermann Huebler
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Hello Dhinakaran,
if you say "I want to enable SSL/TLS, we can't." - where aren't you able to enable SSL/TLS? On the HTTP server? The enablement of SSL on the HTTP server should not depend on the Java version. Hence I'm not sure why you say this is related to the Java version.

As Brian mentioned as well you might need to add a VirtualHost Entry on WAS to accept port 443 as well. Another thing which might be needed is to set the UseInsecure (https://www.ibm.com/docs/en/was-nd/8.5.5?topic=ins-web-server-plug-in-custom-properties#rwsv_plugin_customprop__UseInsecure) custom property on the Plugin so allow the plugin to forward requests it received on HTTPS via HTTP to WAS.
​

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion
------------------------------


Original Message:
Sent: Fri July 08, 2022 02:31 AM
From: Dhinakaran Lakshmanadoss
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Hi Hermann,
Thanks for your response.

I need to fix this "HSTS Missing From HTTPS Server (RFC 6797)" vulnerability. Referred below site and implemented that. After that, I can start IHS (IBM HTTP Server) web server and site redirect to https automatically, even if I put http. But application shows invalid URL. Application only run in HTTP.

How to resolve the issue? If I want to enable SSL/TLS, we can't. Because, to enable it, we need to upgrade Java JDK to 8. Since our application going to retire, users don't want to do any software upgrade/ code changes. So, without SSL/TLS, can't we resolve this?

https://www.ibm.com/docs/en/was-zos/8.5.5?topic=SS7K4U_8.5.5/com.ibm.websphere.ihs.doc/ihs/tihs_hsts.html


------------------------------
Dhinakaran Lakshmanadoss


Original Message:
Sent: Fri July 08, 2022 02:17 AM
From: Hermann Huebler
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Good morning Dhinakaran,
to which page are you referring to? Looks like the link got lost.

If your question is whether you have to enable SSL on the HTTP server the answer is YES. I.e. you need to enable SSL on the IHS so that it can serve requests via https.

If that does not answer your question please provide a bit more information.

Thanks, Hermann


------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion

There is a guide here: https://www.ibm.com/support/pages/guide-properly-setting-ssl-within-ibm-http-server

Brian

------------------------------
Brian S Paskin
Sr. Cloud Engineer
IBM Cloud Engineering
------------------------------

Original Message:
Sent: Fri July 08, 2022 09:37 AM
From: Dhinakaran Lakshmanadoss
Subject: HSTS Missing From HTTPS Server (RFC 6797)

In our httpd.conf file following lines are present. What changes should I make to enable SSL in httpd.conf?
Listen {server_name}:8080​

<VirtualHost {server_name}:8080>
ServerName {server_name}
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</VirtualHost>

------------------------------
Dhinakaran Lakshmanadoss
------------------------------


Original Message:
Sent: Fri July 08, 2022 06:35 AM
From: Hermann Huebler
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Hello Dhinakaran,
if you say "I want to enable SSL/TLS, we can't." - where aren't you able to enable SSL/TLS? On the HTTP server? The enablement of SSL on the HTTP server should not depend on the Java version. Hence I'm not sure why you say this is related to the Java version.

As Brian mentioned as well you might need to add a VirtualHost Entry on WAS to accept port 443 as well. Another thing which might be needed is to set the UseInsecure (https://www.ibm.com/docs/en/was-nd/8.5.5?topic=ins-web-server-plug-in-custom-properties#rwsv_plugin_customprop__UseInsecure) custom property on the Plugin so allow the plugin to forward requests it received on HTTPS via HTTP to WAS.
​

------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion


Original Message:
Sent: Fri July 08, 2022 02:31 AM
From: Dhinakaran Lakshmanadoss
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Hi Hermann,
Thanks for your response.

I need to fix this "HSTS Missing From HTTPS Server (RFC 6797)" vulnerability. Referred below site and implemented that. After that, I can start IHS (IBM HTTP Server) web server and site redirect to https automatically, even if I put http. But application shows invalid URL. Application only run in HTTP.

How to resolve the issue? If I want to enable SSL/TLS, we can't. Because, to enable it, we need to upgrade Java JDK to 8. Since our application going to retire, users don't want to do any software upgrade/ code changes. So, without SSL/TLS, can't we resolve this?

https://www.ibm.com/docs/en/was-zos/8.5.5?topic=SS7K4U_8.5.5/com.ibm.websphere.ihs.doc/ihs/tihs_hsts.html


------------------------------
Dhinakaran Lakshmanadoss


Original Message:
Sent: Fri July 08, 2022 02:17 AM
From: Hermann Huebler
Subject: HSTS Missing From HTTPS Server (RFC 6797)

Good morning Dhinakaran,
to which page are you referring to? Looks like the link got lost.

If your question is whether you have to enable SSL on the HTTP server the answer is YES. I.e. you need to enable SSL on the IHS so that it can serve requests via https.

If that does not answer your question please provide a bit more information.

Thanks, Hermann


------------------------------
Hermann Huebler
2innovate IT Consulting GmbH
Vienna
Austria

#IBMChampion