Fixes are available
9.0.0.2: WebSphere Application Server traditional V9.0 Fix Pack 2
16.0.0.4: WebSphere Application Server Liberty 16.0.0.4
9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
17.0.0.1: WebSphere Application Server Liberty 17.0.0.1
17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
Provide option to add STS response header for HTTPs request
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of IBM WebSphere Application * * Server v9.0 and Liberty users. * **************************************************************** * PROBLEM DESCRIPTION: Ability to set HTTP Strict Transport * * Security (HSTS)response header. * **************************************************************** * RECOMMENDATION: * **************************************************************** For an HTTPs request the HSTS header is not sent with the response, as a result the browser client will not know to send subsequent communications over HTTPs only.
Problem conclusion
The Webcontainer code has been updated to provide an option to add the HSTS response header for a HTTPs request. To enable this function the user will need to set a web application context-paramater or a server level webcontainer custom property. Use the following param-name to add a context parameter in the web.xml for the application, the param-value provided here is an example <context-param> <param-name>com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP</param -name> <param-value>max-age=31536000; includeSubDomains; preload</param-value> </context-param> or Alternatively add the server level custom property by using the following property name , the value provided is an example com.ibm.ws.webcontainer.addStrictTransportSecurityHeader="max-ag e=31536000; includeSubDomains" For Liberty users, the server level custom property needs to be added in server.xml , and the property full or short name can be used, i.e. "com.ibm.ws.webcontainer.addStrictTransportSecurityHeader" or "addstricttransportsecurityheader" the value provided below is an example <webContainer addstricttransportsecurityheader="max-age=31536000; includeSubDomains" /> Note: If both the web application context-param and the server level custom property are provided, the context-param value will take precedence over the server level value for that web application. If the server level custom property is set but the user needs to remove or unset the property for a web application , then add the following param-value to the context-param. <context-param> <param-name>com.ibm.ws.webcontainer.ADD_STS_HEADER_WEBAPP</param -name> <param-value>max-age=-1</param-value> </context-param> The fix for this APAR is currently targeted for inclusion in fix pack 8.5.5.18, 9.0.0.2 and Liberty 16.0.0.4 Please refer to the recommended updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PI67099
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-08-08
Closed date
2016-10-04
Last modified date
2020-05-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R900 PSY
UP
Document Information
Modified date:
04 May 2022