To secure the user information that is stored in the digital certificates of PKI authenticator and other authentication methods supported by Device Service, you can control and process the HTTPS requests from a preferred domain. With this approach, you can grant the access to secured resources only for the requests from the Advanced Authentication server and deny access for any requests from an unidentified domain. With the security settings, you can also avoid the cross-origin HTTPS request and click-jacking vulnerabilities.
To configure the security settings for the Device Service, perform the following steps:
Open the configuration file based on the operating system:
/Library/Application\ Support/NetIQ/DeviceService.app/Contents/Resources/config.properties. For prior versions, open /Library/LaunchDaemons/NetIQ/Device Service/config.properties.: For 6.3 Service Pack 1 and newer versions, open
Specify the following parameters:
Where, <origin> is secured domain. Default value is asterisk symbol (*). With the default value, the HTTPS request from any origin can access the secured resource. This may be vulnerable and cause issues to the secured resource.
For example, set the parameter as host.accessControlOrigin=https://myexample.company.com then the HTTPS requests from specified origin can only access the digital certificates list.
host.xFrameOptions=allow-from <domain URL>.
X-Frame-Options header that you can set using host.xFrameoptions parameter are not supported on the browsers, Google Chrome and Safari.
Where, <origin> is secured domain.
For example, host.xFrameOptions=allow-from https://sample.company.com. This allows the PKI related pages to be loaded in a frame only on the specified origin or domain.
To prevent embedding a page using <frame> or <iframe>, you can set the frame-ancestor to none (empty). This parameter prevents Cross Site Scripting (XSS) vulnerabilities.
Save the changes.
Restart the Device Service.