Adobe Connect Support Blog

How to Enable HTTP Strict Transport Security in Connect

Objective: Meet security requirements that prescribe on-premise Connect servers use HTTP Strict Transport Security (HSTS): https://https.cio.gov/hsts/

Environment: On-premise Connect servers

Steps: There are several ways to implement HSTS:

1. The Connect 9.5 application server:

For the Connect application, uncomment and add the following parameters to the httpHeaderSecurity filter in the Tomcat web.xml found in appserv/conf:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>

Also, uncomment the following filter mapping so the filter is applied to every request:

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

2. SSL acceleration: There may be additional considerations for Connect servers deployed behind hardware-based load-balancing devices that also serve as SSL accelerators.

For example, see this iRule for F5 LTM: https://devcentral.f5.com/articles/implementing-http-strict-transport-security-in-irules

Examine articles related to the specific load-balancing device and SSL accelerator employed.

3. The Adobe Experience Manager (AEM) based Connect Events Module:

An additional means of implementing HSTS for the Connect AEM-based Events module is the AEM Dispatcher proxy; version 5.5 for Connect 9.5 Events is available here: https://www.adobeaemcloud.com/content/companies/public/adobe/dispatcher/dispatcher.html

If a Dispatcher is present, you can use Apache mod_headers to set the header: Strict-Transport-Security: max-age=31536000; includeSubDomains


Additional Information: Once a client has received the header over HTTPS, HSTS makes the browser use HTTPS on its own for the second and subsequent requests, rather than relying on the server to redirect each HTTP request to HTTPS.
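After enabling the filter (step 1) or the mod_headers directive (step 3), confirm that the server actually returns the header with the values configured above. The following checker is an added example, not part of the original article or of Connect; it parses captured response headers (for instance from curl -sI against the Connect URL) and flags the common misconfigurations. The sample response below is constructed for illustration.

```python
import re

# Value the article configures (hstsMaxAgeSeconds=31536000, hstsIncludeSubDomains=true).
EXPECTED_MAX_AGE = 31536000

# Constructed sample of what `curl -sI https://connect.example.com/` might return
# once the Tomcat filter is active (hostname and Server header are illustrative).
SAMPLE_CURL_OUTPUT = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html;charset=UTF-8
"""


def headers_from_raw(raw):
    """Turn raw 'Name: value' header lines (after the status line) into a dict."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers, over_https=True):
    """Return (ok, reason) for a response-header dict.

    Browsers only honour HSTS on responses received over HTTPS, so a header
    observed on a plain-HTTP response is reported as a misconfiguration.
    """
    hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return False, "no Strict-Transport-Security header"
    if not over_https:
        return False, "header was sent over HTTP; browsers ignore it there"
    d = parse_hsts(hsts)
    if not re.fullmatch(r"\d+", d.get("max-age", "")):
        return False, "missing or invalid max-age"
    if int(d["max-age"]) < EXPECTED_MAX_AGE:
        return False, f"max-age {d['max-age']} is below the expected {EXPECTED_MAX_AGE}"
    if "includesubdomains" not in d:
        return False, "includeSubDomains directive missing"
    return True, "ok"
```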


Join the discussion

  • By Mike Murtha - 3:01 AM on January 4, 2017  

    Frank, does this also work with Connect 8?
    Thanks!

    • By Frank DeRienzo - 10:16 PM on January 4, 2017  

      You can add filters like the HSTS filter to older Tomcat versions; however, you have to create and add the required jar file yourself: https://stackoverflow.com/questions/27541755/add-hsts-feature-to-tomcat

      The newer Tomcat versions (I think starting with version 8) include the required files and you just enable it as described in the article.