IBM Support

PH20269: HSTS (HTTP STRICT TRANSPORT SECURITY) NOT IMPLEMENTED IN OPENPAGES


APAR status

  • Closed as program error.

Error description

  • Description:
    The OpenPages application does not implement HSTS (HTTP Strict
    Transport Security), which some security advisors recommend.
    
    Workaround:
    Configure an IBM HTTP Server (IHS) or any other web server that
    supports HSTS in front of OpenPages.
    https://www.ibm.com/support/knowledgecenter/SSEQTJ_9.0.5/com.ibm.websphere.ihs.doc/ihs/tihs_hsts.html
    
    Prerequisites:
    A) OpenPages installed without any web server or balancer in
    front
    
    Steps to Reproduce:
    1. Start the Developer Tools in your browser
       a. Using Chrome, Customize and control Google Chrome (three dots
          at top-right side) > More Tools > Developer tools
    2. Load the OpenPages URL and log in as any user
    3. In the Developer Tools tabs, click the Network tab
    4. Click any of the listed requests and then click Headers
    5. Under Headers, look for the strict-transport-security header;
       you will see that it is not set
    
    Expected Results:
    OpenPages application should use strict-transport-security
    header as recommended by security teams.
    
    Actual Results:
    OpenPages application does not set strict-transport-security
    header.
    
    Error Message:
    NA
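
The header check from the steps to reproduce, scripted so it can be repeated after the workaround or the upgrade is applied. This is an added example, not IBM code; the function names, the one-year `MIN_MAX_AGE` threshold and the sample headers are assumptions constructed for illustration.

```python
"""Audit a Strict-Transport-Security header value against RFC 6797."""
import re
import urllib.request

MIN_MAX_AGE = 31536000  # one year; assumed audit threshold, not from the APAR

def parse_hsts(value):
    """Return a dict of directives, or None if browsers would ignore the header."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():          # empty directives (trailing ';') are allowed
            continue
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name in directives:        # each directive may appear only once
            return None
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                   # max-age is required and must be digits
    directives["max-age"] = int(directives["max-age"])
    return directives

def audit(headers):
    """headers: response header names mapped to values, from an HTTPS response."""
    found = [v for k, v in headers.items() if k.lower() == "strict-transport-security"]
    if not found:
        return "FAIL: header not set"
    policy = parse_hsts(found[0])
    if policy is None:
        return "FAIL: header malformed, browsers will ignore it"
    if policy["max-age"] == 0:
        return "FAIL: max-age=0 tells browsers to drop the policy"
    if policy["max-age"] < MIN_MAX_AGE:
        return "WARN: max-age below %d seconds" % MIN_MAX_AGE
    return "PASS"

def audit_url(url):
    """Live check against an HTTPS URL you supply (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        return audit(dict(resp.headers.items()))

# Constructed sample headers: application reached directly, then via a proxy
# that adds the header (the workaround in this APAR).
DIRECT = {"Content-Type": "text/html", "Cache-Control": "no-store"}
PROXIED = dict(DIRECT, **{"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    print("direct :", audit(DIRECT))
    print("proxied:", audit(PROXIED))
```

Browsers honour this header only on responses received over HTTPS, so point `audit_url` at the HTTPS address of the instance being checked.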
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * OpenPages Users                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    *  HSTS (HTTP STRICT TRANSPORT SECURITY) NOT IMPLEMENTED IN    *
    * OPENPAGES                                                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Customers should download OpenPages 8.2 from Passport        *
    * Advantage. See the following document for details on         *
    * obtaining OpenPages 8.2:                                     *
    * https://www.ibm.com/support/pages/downloading-ibm-openpages-watson-version-82-passport-advantage *
    ****************************************************************
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PH20269

  • Reported component name

    OPENPAGES GRC

  • Reported component ID

    5725D5100

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-12-12

  • Closed date

    2020-06-18

  • Last modified date

    2020-06-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    OPENPAGES GRC

  • Fixed component ID

    5725D5100

Applicable component levels


Document Information

Modified date:
19 June 2020