12.3 Restoring Previous Security Settings for Access Gateway

12.3.1 Restoring the Previous Protocol Settings between Browsers and Access Gateway

  1. In the nambkup folder, open the NovellAGSettings.conf file from the mag <time stamp of upgrade>/conf folder.

  2. Search for SSLProtocol and copy the value associated with it.

  3. Click Devices > Access Gateways > Edit > Advanced Options and replace the following configuration with the value copied from NovellAGSettings.conf in step 2:

    SSLProtocol TLSv1.1 +TLSv1.2

12.3.2 Restoring the Previous Ciphers Settings between Browsers and Access Gateway

  1. In the nambkup folder, open the NovellAGSettings.conf file from the mag <time stamp of upgrade>/conf folder.

  2. Search for SSLCipherSuite and copy the value associated with it.

  3. Click Devices > Access Gateways > Edit > Advanced Options and replace the following configuration with the value copied from NovellAGSettings.conf in step 2:

    SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:ALL:!EDH

    If NovellAGSettings.conf does not contain this line, delete this line in Access Gateway Advanced Options.

12.3.3 Removing the Clickjacking Filter

  1. In the /opt/novell/nesp/lib/webapp/WEB-INF/web.xml file, comment out the following Tomcat filter configuration:

    <filter>
        <filter-name>TomcatSameOriginFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>TomcatSameOriginFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

  2. Restart ESP by running the following command:

    Linux: /etc/init.d/novell-mag restart OR rcnovell-mag restart

    Windows: net stop Tomcat8

    net start Tomcat8

    NOTE: You can also restart ESP through Administration Console. Select the cluster node > Action > Service Provider > Restart Service Provider.

12.3.4 Removing HTTP Strict Transport Security

You need to perform the following two actions to disable the HTTP Strict Transport Security setting:

  • Set the SetStrictTransportSecurity option to off.

  • Disable the httpHeaderSecurity filter definition in ESP web.xml.

Setting SetStrictTransportSecurity to off

  1. Click Devices > Access Gateways > Edit > Advanced Options.

  2. Set the following option:

    SetStrictTransportSecurity off

  3. Restart Apache.

    Linux: /etc/init.d/novell-apache2 restart OR rcnovell-apache2 restart

    Windows: net stop apache2.2

    net start apache2.2

Disabling httpHeaderSecurity in ESP web.xml

  1. Change to the Tomcat configuration directory:

    Linux: /opt/novell/nam/mag/webapps/nesp/WEB-INF/web.xml

    Windows Server: \Program Files\Novell\Tomcat\webapps\nesp\WEB-INF\WEB-INF\web.xml

  2. Open the web.xml file and comment out the httpHeaderSecurity filter definition.

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
    </filter>

  3. Comment out the hstsMaxAgeSeconds parameter:

    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>

  4. Comment out the filter mapping.

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
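
The web.xml edits in 12.3.3 and 12.3.4 can be checked before ESP is restarted. The following Python sketch is an added example, not part of the product or its documentation: it reports which HttpHeaderSecurityFilter definitions are still active and flags any filter mapping left in place for a commented-out filter, which Tomcat rejects when it deploys the web application. The function name and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HEADER_FILTER = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

def _kids(elem, name):
    # Match on the local tag name so a namespaced web.xml also works.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_header_filters(web_xml):
    """Return (active, dangling) for web.xml content passed as a string.

    active: uncommented HttpHeaderSecurityFilter definitions, by filter-name,
    with their init-params and mapped URL patterns.
    dangling: filter-names that a <filter-mapping> uses but no <filter> defines.
    """
    root = ET.fromstring(web_xml)  # the parser drops commented-out elements
    defined, active, dangling = set(), {}, []
    for f in _kids(root, "filter"):
        name = _text(f, "filter-name")
        defined.add(name)
        if _text(f, "filter-class") == HEADER_FILTER:
            params = {_text(p, "param-name"): _text(p, "param-value")
                      for p in _kids(f, "init-param")}
            active[name] = {"params": params, "patterns": []}
    for m in _kids(root, "filter-mapping"):
        name = _text(m, "filter-name")
        if name not in defined:
            dangling.append(name)
        elif name in active:
            active[name]["patterns"] += [(u.text or "").strip()
                                         for u in _kids(m, "url-pattern")]
    return active, dangling

# Constructed sample (not a real ESP web.xml): TomcatSameOriginFilter is
# commented out but its mapping was left in; httpHeaderSecurity is untouched.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <!-- <filter><filter-name>TomcatSameOriginFilter</filter-name></filter> -->
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>TomcatSameOriginFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print(audit_header_filters(SAMPLE))
```

When both procedures have been completed, the function returns an empty dictionary and an empty list for the edited file.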