Technical guidance to prevent a possible HSTS and clickjacking attack in Identity Apps 4.5.6 and 4.6 running on Tomcat

  • 7018848
  • 28-Apr-2017
  • 25-Jul-2017

Environment

NetIQ Identity Manager 4.5.6
NetIQ Identity Manager Roles Based Provisioning Module 4.5.6
NetIQ Identity Manager 4.6
NetIQ Identity Manager Roles Based Provisioning Module 4.6

Situation

Under certain circumstances, your Identity Manager – Roles Based Provisioning Module can be susceptible to attacks that HTTP Strict Transport Security (HSTS) is designed to prevent, and to clickjacking.

HTTP Strict Transport Security (HSTS): The HSTS policy instructs browsers to make all subsequent requests to the site over HTTPS instead of plain-text HTTP. This ensures that the channel is encrypted before any data is sent, so an attacker on the network path cannot read or modify the data in transit.

Clickjacking: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

Resolution

Follow this procedure on each of the machines running Identity Manager – Roles Based Provisioning Module:

a.    If User Application and OSP are installed on separate servers.

OSP Server Configuration:
•    Stop tomcat.
•    Edit the <tomcat-install-directory>/conf/web.xml (or <tomcat-install-directory>\conf\web.xml) file.
•    Add the following filter in web.xml file.

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>User Application URI</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

•    Save and start tomcat, e.g. /etc/init.d/idmapps_tomcat_init start.

Example: User Application URI – https://ua.microfocus.com:8643/ (this is the value to enter for antiClickJackingUri)

User Application Server Configuration:
•    Stop tomcat.
•    Edit the <tomcat-install-directory>/conf/web.xml (or <tomcat-install-directory>\conf\web.xml) file.
•    Add the following filter in web.xml file.

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

•    Save and start tomcat, e.g. /etc/init.d/idmapps_tomcat_init start.

b.    If User Application and OSP are installed on the same server.

•    Stop tomcat.
•    Edit the <tomcat-install-directory>/conf/web.xml (or <tomcat-install-directory>\conf\web.xml) file.
•    Add the following filter in web.xml file.

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

•    Save and start tomcat, e.g. /etc/init.d/idmapps_tomcat_init start.
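After restarting Tomcat, confirm that the filter really emits the headers the procedure above configures. The following checker is an added example and is not part of the NetIQ article or product; it validates a response's Strict-Transport-Security and X-Frame-Options headers against the values set in web.xml (max-age 31536000 with includeSubDomains, and either SAMEORIGIN or ALLOW-FROM the User Application URI). The sample headers at the bottom are constructed; the fetch_headers helper is only needed against a live server.

```python
import http.client
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None, False
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def check_headers(headers, min_max_age=31536000, allow_from=None):
    """Return a list of findings; an empty list means the headers match the article.
    headers: response header name -> value (looked up case-insensitively).
    allow_from: None when SAMEORIGIN is expected, else the User Application URI."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < min_max_age:
            findings.append(f"HSTS max-age {max_age} below {min_max_age}")
        if not include_sub:
            findings.append("HSTS includeSubDomains missing")
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options header")
    elif allow_from is None:
        if xfo.strip().upper() != "SAMEORIGIN":
            findings.append(f"X-Frame-Options is {xfo!r}, expected SAMEORIGIN")
    else:
        mode, _, uri = xfo.strip().partition(" ")
        if mode.upper() != "ALLOW-FROM" or uri.strip() != allow_from:
            findings.append(f"X-Frame-Options is {xfo!r}, expected ALLOW-FROM {allow_from}")
    return findings

def fetch_headers(url):
    """HEAD the given HTTPS URL and return its response headers as a dict."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=10)
    conn.request("HEAD", parts.path or "/")
    headers = dict(conn.getresponse().getheaders())
    conn.close()
    return headers

if __name__ == "__main__":
    # Constructed sample resembling what the OSP configuration above should produce.
    sample = {"Strict-Transport-Security": "max-age=31536000;includeSubDomains",
              "X-Frame-Options": "ALLOW-FROM https://ua.microfocus.com:8643/"}
    print(check_headers(sample, allow_from="https://ua.microfocus.com:8643/") or "OK")
```

Run the check against the HTTPS port: Tomcat's HttpHeaderSecurityFilter only adds the HSTS header when it considers the request secure, so a plain-HTTP request (or an HTTPS request arriving through a proxy that Tomcat does not recognise as secure) will report HSTS as missing.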

Additional Information

As per https://tools.ietf.org/html/rfc7034, ALLOW-FROM does not support multiple domains.
If OSP, User Application, SSPR and Reporting are installed on different servers, ALLOW-FROM will not work, because ALLOW-FROM supports only a single domain.