If Identity Manager is deployed in a distributed setup and User Application and OSP are installed on separate servers, your Identity Manager environment can be susceptible to clickjacking attacks. For more information, see HTTP Strict Transport Security and Clickjacking.
HSTS instructs browsers to use HTTPS connections only, instead of plain-text HTTP. This ensures that the entire channel is encrypted before any data is sent on it and removes the opportunity for an attacker to read or modify the data in transit. To prevent clickjacking attacks, perform the following actions:
1. Stop Tomcat. For example: systemctl stop netiq-tomcat
2. Navigate to the <tomcat-install-directory>/conf/ or <tomcat-install-directory>\conf\ directory and open the web.xml file.
3. Add the following filter to the web.xml file:

   <filter>
       <filter-name>httpHeaderSecurity</filter-name>
       <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
       <async-supported>true</async-supported>
       <init-param>
           <param-name>antiClickJackingOption</param-name>
           <param-value>ALLOW-FROM</param-value>
       </init-param>
       <init-param>
           <param-name>antiClickJackingUri</param-name>
           <param-value>User Application URI</param-value>
       </init-param>
       <init-param>
           <param-name>hstsMaxAgeSeconds</param-name>
           <param-value>31536000</param-value>
       </init-param>
       <init-param>
           <param-name>hstsIncludeSubDomains</param-name>
           <param-value>true</param-value>
       </init-param>
   </filter>
   <filter-mapping>
       <filter-name>httpHeaderSecurity</filter-name>
       <url-pattern>/*</url-pattern>
       <dispatcher>REQUEST</dispatcher>
   </filter-mapping>

   Replace User Application URI with the URL where User Application is running, for example https://ua.microfocus.com:8643/.
4. Save the file.
5. Start Tomcat. For example: systemctl start netiq-tomcat
1. Stop Tomcat. For example: systemctl stop netiq-tomcat
2. Navigate to the <tomcat-install-directory>/conf/ or <tomcat-install-directory>\conf\ directory and open the web.xml file.
3. Add the following filter to the web.xml file:

   <filter>
       <filter-name>httpHeaderSecurity</filter-name>
       <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
       <async-supported>true</async-supported>
       <init-param>
           <param-name>antiClickJackingOption</param-name>
           <param-value>SAMEORIGIN</param-value>
       </init-param>
       <init-param>
           <param-name>hstsMaxAgeSeconds</param-name>
           <param-value>31536000</param-value>
       </init-param>
       <init-param>
           <param-name>hstsIncludeSubDomains</param-name>
           <param-value>true</param-value>
       </init-param>
   </filter>
   <filter-mapping>
       <filter-name>httpHeaderSecurity</filter-name>
       <url-pattern>/*</url-pattern>
       <dispatcher>REQUEST</dispatcher>
   </filter-mapping>

4. Save the file.
5. Start Tomcat. For example: systemctl start netiq-tomcat.service
NOTE: As per RFC 7034, the ALLOW-FROM parameter supports only a single domain; it does not support multiple domains. For example, if OSP, User Application, SSPR, and Identity Reporting are installed on different computers, this parameter does not work.
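To confirm that the filter really emits the configured headers once Tomcat is back up, the following shell helper (an added example, not part of the NetIQ documentation) reads a raw HTTP response header block on stdin, as produced by curl -sI, and checks the Strict-Transport-Security and X-Frame-Options values against what web.xml configures; the hostnames in the usage comments are assumptions based on the page's example URI.

```shell
#!/bin/sh
# check_security_headers: validate HSTS and anti-clickjacking headers.
#   stdin - raw response headers (e.g. from: curl -sI https://host:port/)
#   $1    - expected X-Frame-Options value: SAMEORIGIN, or ALLOW-FROM <uri>
#   $2    - minimum acceptable HSTS max-age (default 31536000, as in web.xml)
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_security_headers() {
    expected_xfo=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    min_max_age=${2:-31536000}
    # Strip CR from CRLF line endings; header names and these values are
    # case-insensitive, so compare everything in lower case.
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    status=0

    hsts=$(printf '%s\n' "$headers" | sed -n 's/^strict-transport-security:[[:space:]]*//p' | head -n 1)
    if [ -z "$hsts" ]; then
        echo "FAIL: Strict-Transport-Security header missing"; status=1
    else
        max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        if [ -z "$max_age" ] || [ "$max_age" -lt "$min_max_age" ]; then
            echo "FAIL: HSTS max-age '$max_age' is below $min_max_age"; status=1
        fi
        case "$hsts" in
            *includesubdomains*) ;;
            *) echo "FAIL: HSTS lacks includeSubDomains"; status=1 ;;
        esac
    fi

    xfo=$(printf '%s\n' "$headers" | sed -n 's/^x-frame-options:[[:space:]]*//p' | head -n 1)
    if [ "$xfo" != "$expected_xfo" ]; then
        echo "FAIL: X-Frame-Options is '$xfo', expected '$expected_xfo'"; status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: HSTS and X-Frame-Options match the configured filter"
    return "$status"
}

# Usage against live servers (hostnames assumed; the first is the page's example):
#   curl -sI https://ua.microfocus.com:8643/ | check_security_headers SAMEORIGIN
#   curl -sI https://osp.example.com:8543/ \
#       | check_security_headers "ALLOW-FROM https://ua.microfocus.com:8643/"
```

A passing check confirms the Tomcat configuration, not browser behaviour: current Chrome, Firefox and Edge ignore ALLOW-FROM and honour only the Content-Security-Policy frame-ancestors directive, which HttpHeaderSecurityFilter does not emit.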