Tomcat HSTS filter and Midtier ones

Version 5

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    Remedy AR System Server


    COMPONENT:

    AR System Mid Tier


    APPLIES TO:

    Midtier 9.0 , 9.1.01, 9.1.02



    PROBLEM:

    What are the differences between the HSTS filter provided by Tomcat and the one provided by the Remedy Mid Tier?


    CAUSE:

    Conflict with the web server; internal bug.


    SOLUTION:



    The functionality is provided with the 9.1.03 Patch 01 release of Midtier.
    Note: Only one filter should be enabled - choose either the Tomcat filter or the Midtier filter.
    Even though the HSTS filter from BMC adds more security, the Tomcat HSTS filter is needed for certain features.
     

    Tomcat HSTS filter               | Midtier filter      | Description
    ---------------------------------|---------------------|------------------------------------------------------------
    hstsEnabled                      | HSTSFilter          | Will an HTTP Strict Transport Security (HSTS) header (Strict-Transport-Security) be set on the response for secure requests. Any HSTS header already present will be replaced. See RFC 6797 for further details of HSTS. If not specified, the default value of true will be used.
    hstsMaxAgeSeconds                | HSTSFilter          | The max age value that should be used in the HSTS header. Negative values will be treated as zero. If not specified, the default value of 0 will be used.
    hstsIncludeSubDomains            | not applicable      | Should the includeSubDomains parameter be included in the HSTS header. If not specified, the default value of false will be used.
    hstsPreload                      | not applicable      | Should the preload parameter be included in the HSTS header. If not specified, the default value of false will be used. See https://hstspreload.org for important information about this parameter.
    antiClickJackingEnabled          | CLICKJACKINGFILTER  | Should the anti click-jacking header (X-Frame-Options) be set on the response. Any anti click-jacking header already present will be replaced. If not specified, the default value of true will be used.
    antiClickJackingOption           | CLICKJACKINGFILTER  | What value should be used for the anti click-jacking header? Must be one of DENY, SAMEORIGIN, ALLOW-FROM (case-insensitive). If not specified, the default value of DENY will be used.
    antiClickJackingUri              | HEADERVALIDFILTER   | If ALLOW-FROM is used for antiClickJackingOption, what URI should be allowed? If not specified, the default value of an empty string will be used.
    blockContentTypeSniffingEnabled  | Not provided by BMC | Should the header that blocks content type sniffing (X-Content-Type-Options) be set on every response. If already present, the header will be replaced. If not specified, the default value of true will be used.
    xssProtectionEnabled             | CLICKJACKINGFILTER  | Should the header that enables the browser's cross-site scripting filter protection (X-XSS-Protection: 1; mode=block) be set on every response. If already present, the header will be replaced. If not specified, the default value of true will be used.

    To enable the Tomcat HSTS filter:
    a)  Edit the tomcat/conf/web.xml file.
    b)  Uncomment the following couplets by removing the comment indicators (the <!-- and --> markers). Note: the init-param statements will have to be added to the couplet, since the shipped web.xml does not contain them.

        <!--
        <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <async-supported>true</async-supported>
            <init-param>
                <param-name>antiClickJackingOption</param-name>
                <param-value>SAMEORIGIN</param-value>
            </init-param>
        </filter>
        -->

    and

        <!--
        <filter-mapping>
            <filter-name>httpHeaderSecurity</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
        </filter-mapping>
        -->

    c)  Restart Tomcat.

    When using the IE browser, you may have to add the website to the Trusted Sites under Tools > Internet Options > Security > Trusted Sites > Sites.

    If antiClickJackingOption is not set, the DENY option will be used. That causes the Mid Tier to stop working on several dialogs, because those dialogs open new iframes and DENY does not allow the page to be framed at all; SAMEORIGIN permits frames from the Mid Tier's own origin.

    Another option that needs to be reviewed is blockContentTypeSniffingEnabled: some plugins or images may be served with incorrect headers (for example, a JavaScript file with content type text/html), and with X-Content-Type-Options: nosniff set the browser will refuse to run such a file instead of guessing its type.
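    After enabling either filter and restarting, it is worth checking what the Mid Tier actually returns rather than trusting the configuration. The following is an added example (not part of the BMC article or the Mid Tier product): it parses a raw HTTP response and reports the header settings the table and caveats above describe, in particular an HSTS max-age of 0 and an X-Frame-Options value of DENY. The two sample responses are constructed for the example.

```python
# Audit the headers produced by Tomcat's HttpHeaderSecurityFilter (or the
# Mid Tier's HSTSFilter / CLICKJACKINGFILTER). Added example; the header names
# come from the article, the sample responses below are constructed.

def parse_headers(raw_response: str) -> dict:
    """Return the header block of a raw HTTP response as a lower-cased dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0

def audit_security_headers(raw_response: str) -> list:
    """Return findings; an empty list means the headers match the tuned setup."""
    h = parse_headers(raw_response)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing (hstsEnabled / HSTSFilter not active)")
    elif hsts_max_age(hsts) <= 0:
        findings.append("HSTS max-age is 0: set hstsMaxAgeSeconds, the Tomcat default disables the policy")
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        findings.append("X-Frame-Options DENY breaks Mid Tier dialog iframes: use SAMEORIGIN")
    elif not xfo:
        findings.append("X-Frame-Options missing (antiClickJackingEnabled / CLICKJACKINGFILTER)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing (blockContentTypeSniffingEnabled)")
    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection '1; mode=block' missing (xssProtectionEnabled)")
    return findings

# Constructed: Tomcat filter enabled with only its defaults (max-age 0, DENY).
DEFAULT_FILTER_RESPONSE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n"
    "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\nContent-Type: text/html\r\n\r\n<html></html>")
# Constructed: the same filter with hstsMaxAgeSeconds and SAMEORIGIN set.
TUNED_RESPONSE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\nContent-Type: text/html\r\n\r\n<html></html>")
```

Feed it the header block captured from the Mid Tier login page (for example, from a browser's network tab) to confirm which filter is in effect and that only one of them is setting the headers.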



    Article Number:

    000145282


    Article Type:

    Solutions to a Product Problem


