IBM Support

PH55370: ADD SUPPORT FOR HTTP STRICT-TRANSPORT-SECURITY

A fix is available

APAR status

  • Closed as new function.

Error description

  • This APAR adds support for CICS to automatically add the
    Strict-Transport-Security header to HTTP responses that use
    secure connections.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All CICS users                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: Provide support for HTTP Strict         *
    *                      Transport Security                      *
    ****************************************************************
    When CICS is acting as an HTTP server within a secure domain,
    there is no way to configure CICS to automatically return an
    HTTP Strict-Transport-Security header in its responses.
    

Problem conclusion

  • CICS has been updated to add support for including the HTTP
    Strict-Transport-Security header automatically in secure
    responses.
    
    The capability applies to all HTTP-based TCPIPSERVICEs and the
    CMCI JVM server. It is configured by setting the following
    feature toggles:
    
    com.ibm.cics.web.hsts.max-age=seconds
    
    This toggle activates HSTS for the entire region and sets the
    max-age time in seconds (0-99999999). One year is 31536000
    seconds.
    
    com.ibm.cics.web.hsts.includesubdomains=true|false
    
    This toggle only takes effect if the previous toggle has also
    been specified. It indicates whether the includeSubDomains
    option should be added to the HSTS header.
    
    com.ibm.cics.web.hsts.max-age.TCPIPS=seconds|-1
    
    This toggle allows an individual TCPIPSERVICE named in the
    toggle (TCPIPS in this case) to have a different max-age value
    in its HSTS header. A value of -1 can also be used to disable
    HSTS for that TCPIPSERVICE.
    
    com.ibm.cics.web.hsts.includesubdomains.TCPIPS=true|false
    
    This toggle only takes effect if the previous toggle has also
    been specified. It indicates whether the includeSubDomains
    option should be added to the HSTS header for this specific
    TCPIPSERVICE.
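
An added example, not IBM code or part of the APAR: a Python model of the toggle rules above that computes the Strict-Transport-Security value to expect from each TCPIPSERVICE, for comparison with what a region actually returns. Assumptions: the toggles are read as key=value lines, a per-service max-age works without the region-wide toggle, a service with its own max-age does not inherit the region-wide includesubdomains value, and the header text follows RFC 6797 syntax; HTTPSA, HTTPSB and HTTPSC are made-up service names.

```python
# Added example, not IBM code: models the toggle rules described in PH55370.
PREFIX = "com.ibm.cics.web.hsts."
MAX_AGE_LIMIT = 99999999  # upper bound stated in the APAR

def parse_toggles(text):
    """Read key=value lines; blank lines and '#' comments are skipped."""
    toggles = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            toggles[key.strip()] = value.strip()
    return toggles

def check_max_age(value, lowest):
    # lowest is -1 where "disable" is allowed (per service), otherwise 0.
    age = int(value)
    if not lowest <= age <= MAX_AGE_LIMIT:
        raise ValueError(f"max-age out of range: {value}")
    return age

def effective_header(toggles, service):
    """Expected Strict-Transport-Security value for a service, or None."""
    svc_age = toggles.get(f"{PREFIX}max-age.{service}")
    if svc_age is not None:
        age = check_max_age(svc_age, lowest=-1)
        if age == -1:
            return None  # HSTS disabled for this TCPIPSERVICE
        # Assumption: the region-wide includesubdomains is not inherited.
        sub = toggles.get(f"{PREFIX}includesubdomains.{service}", "false")
    else:
        region_age = toggles.get(f"{PREFIX}max-age")
        if region_age is None:
            return None  # HSTS not activated for the region
        age = check_max_age(region_age, lowest=0)
        # A per-service includesubdomains without its max-age is ignored.
        sub = toggles.get(f"{PREFIX}includesubdomains", "false")
    header = f"max-age={age}"  # RFC 6797 directive syntax
    if sub.lower() == "true":
        header += "; includeSubDomains"
    return header

# Constructed sample; HTTPSA, HTTPSB and HTTPSC are made-up service names.
SAMPLE = """
com.ibm.cics.web.hsts.max-age=31536000
com.ibm.cics.web.hsts.includesubdomains=true
com.ibm.cics.web.hsts.max-age.HTTPSB=86400
com.ibm.cics.web.hsts.max-age.HTTPSC=-1
com.ibm.cics.web.hsts.includesubdomains.HTTPSA=false
"""
```

RFC 6797 defines max-age=0 as an instruction to the browser to drop its stored HSTS policy for the host, so a 0 within the permitted range removes the protection rather than setting it.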
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH55370

  • Reported component name

    CICS TS Z/OS V6

  • Reported component ID

    5655YA100

  • Reported release

    400

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2023-06-23

  • Closed date

    2024-03-12

  • Last modified date

    2024-04-01

  • APAR is sysrouted FROM one or more of the following:

    PH55369

  • APAR is sysrouted TO one or more of the following:

    UI96042

Modules/Macros

  • DFHAPJVM DFHAXIS2 DFHCDJNI DFHEIPSE DFHEIQSO DFHEISO  DFHIEIE
    DFHISCO  DFHISEM  DFHISIC  DFHISRR  DFHISST  DFHLEPTS DFHMNAD
    DFHMNXM  DFHPITH  DFHPITS  DFHPIWT  DFHRZDM  DFHRZIX  DFHRZLN
    DFHRZNR2 DFHRZRG2 DFHRZRM  DFHRZRS1 DFHRZSO  DFHRZSO1 DFHRZTA
    DFHRZTCX DFHRZTR1 DFHRZTRI DFHRZXM  DFHSJBD  DFHSJDM  DFHSJDS
    DFHSJDUF DFHSJIN  DFHSJIS  DFHSJIX  DFHSJJS  DFHSJL   DFHSJNA
    DFHSJNR  DFHSJNT  DFHSJPE  DFHSJRE  DFHSJRL  DFHSJRM  DFHSJRT
    DFHSJSC  DFHSJSM  DFHSJST  DFHSJT8  DFHSJTH  DFHSJTRI DFHSJXM
    DFHSOAD  DFHSOCK  DFHSODM  DFHSODS  DFHSODUF DFHSOGH@ DFHSOHN
    DFHSOIS  DFHSOIST DFHSOL   DFHSOLI  DFHSOLS  DFHSOLX  DFHSOLX6
    DFHSOM01 DFHSOM02 DFHSOM03 DFHSONT  DFHSOPL  DFHSORD  DFHSORL
    DFHSORM  DFHSOS00 DFHSOS01 DFHSOS02 DFHSOS03 DFHSOS04 DFHSOS05
    DFHSOS06 DFHSOS07 DFHSOS08 DFHSOS09 DFHSOS10 DFHSOS11 DFHSOS12
    DFHSOS13 DFHSOS14 DFHSOS15 DFHSOS16 DFHSOS17 DFHSOS18 DFHSOS19
    DFHSOS20 DFHSOS21 DFHSOS22 DFHSOS23 DFHSOSE  DFHSOSES DFHSOSK
    DFHSOSM  DFHSOST  DFHSOTB  DFHSOTI  DFHSOTRI DFHSOUE  DFHSOXM
    DFHSTP   DFHTFIQ  DFHWBA   DFHWBA1  DFHWBAP  DFHWBAPF DFHWBBLI
    DFHWBBMS DFHWBCL  DFHWBDM  DFHWBDUF DFHWBENV DFHWBPA  DFHWBPW
    DFHWBRP  DFHWBSC  DFHWBSO  DFHWBSR  DFHWBST  DFHWBSV  DFHWBTRI
    DFHWBTTA DFHWBUR  DFHWBXM  DFHWBXN  DFJ@H360 DFJ@H427 DFJ@H467
    DFJ@H571 DFJ@H609 DFJDTCOE DFJOUTRE DFJWLPBP DFJWLPPL
    

Fix information

  • Fixed component name

    CICS TS Z/OS V6

  • Fixed component ID

    5655YA100

Applicable component levels

  • R400 PSY UI96042

       UP24/03/16 P F403  


Document Information

Modified date:
04 April 2024