APAR status
Closed as program error.
Error description
The "Strict Transport Security (HSTS)" policy response header is not offered when the Domino server is running using the Web Configuration view. If the server is running with Internet Sites enabled, the Strict-Transport-Security response header shows the configured values correctly.

The customer is preparing their test servers for a security check and wants to verify that the servers offer the Strict-Transport-Security (HSTS) response header; apparently it is not offered. The customer followed the recommendations in the following documentation:
- HTTP Strict Transport Security (HSTS): http://www-10.lotus.com/ldd/dominowiki.nsf/dx/HSTS
- Domino 9.0.1 FP4 IF2 Security Update: http://blog.nashcom.de/nashcomblog.nsf/dx/domino-9.0.1-fp4-if2-security-update.htm

The Level 2 verification test run shows the following results. Domino Server Version: 901FP4IF2 / 901FP4HF417_W64.exe
- The server does not have Internet Sites enabled: "Load Internet Configurations from Server\Internet Sites Documents" = Disabled.
- The server has been enabled for SSL/TLS by creating a SHA-2 self-signed Internet certificate with openssl and kyrtool; the Internet certificate was requested to match the FQDN of the server.
- In the Server Document > Ports > Internet Ports, the TCP/IP port status is set to "Redirect to SSL" and the SSL port 433 is also Enabled.
- The following parameters were added directly to the server's notes.ini, as per the customer's example:
HTTP_HSTS_MAX_AGE=17280000
HTTP_HSTS_INCLUDE_SUBDOMAINS=1
SSL_DISABLE_TLS_10=0
DISABLE_SSLV3=1
SSLCipherSpec=C030009FC02F009EC028006BC0140039C0270067C01300

With the above settings, when accessing the Domino server with a browser (Internet Explorer or Mozilla), the user is redirected to https, but the response does not carry the Strict-Transport-Security header values set by the policy. Instead it shows only:
Strict-Transport-Security: max-age=0

Repeating the test with Internet Sites enabled on the same server (901FP4IF2 / 901FP4HF417) shows the Strict-Transport-Security response header with the following values:
Strict-Transport-Security: max-age=17280000, IncludeSubdomains

Screenshots of the verification test performed by Level 2 Support are available in Ecurep. Therefore the customer needs confirmation that HSTS also works when the server does not have Internet Sites enabled.
Local fix
Enable Internet Sites on the server.
Problem summary
HTTP Strict Transport Security (HSTS) Not Working When Server Running Using Web Configuration View
Problem conclusion
HTTP Strict Transport Security (HSTS) Not Working When Server Running Using Web Configuration View
Temporary fix
Comments
This APAR is associated with SPR# BBSZA2UJPA. HTTP Strict Transport Security (HSTS) Not Working When Server Running Using Web Configuration View
APAR Information
APAR number
LO86563
Reported component name
DOMINO SERVER
Reported component ID
5724E6200
Reported release
901
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-09-30
Closed date
2015-11-22
Last modified date
2015-11-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DOMINO SERVER
Fixed component ID
5724E6200
Applicable component levels
R901 PSN
UP
Document Information
Modified date:
22 November 2015