Enable HTTP Strict Transport Security Response Header

Updated March 9, 2021. Written for LMS Version 6.2.

Overview

As of LMS version 6.0.1, the HTTP Strict Transport Security (HSTS) response header is not enabled by default. If this feature is required by a security audit or vulnerability assessment, it can be enabled manually.

This article is only applicable to LMS version 5.5.x and 6.0.x.

Instructions

To enable HSTS, you will need root access to your Control Center. SSH to the UCC as emsadmin and become root.

Configure HTTPS Certificates

Before proceeding, ensure you have already added HTTPS certificates by following this guide: HTTPS Certificates

Enabling HSTS without an HTTPS certificate will prevent you from bypassing the security warnings in modern browsers. Only enable this setting if you have an HTTPS certificate installed.

Modify embassy.overrides

Use vi to edit /etc/sysconfig/embassy.overrides and add the following line. Do not modify any other lines.

HSTS_ENABLE=true

The final result may look like this:

[root@uplogix-control-center ~]# cat /etc/sysconfig/embassy.overrides 
RAM=8
DISKS=6
HSTS_ENABLE=true

Reorder entries in web.xml

Use vi to edit /usr/tomcat/webapps/ROOT/WEB-INF/web.xml.

Find the section that looks like this and references Security Filter and HttpHeaderSecurityFilter:

<!-- *** This needs to be the first filter-mapping *** -->
  <filter-mapping>
    <filter-name>Security Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Swap the order of these two filter-mapping entries so it looks like this:

<!-- *** This needs to be the first filter-mapping *** -->
  <filter-mapping>
    <filter-name>HttpHeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>Security Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Restart Tomcat

Use the service tomcat restart command to restart tomcat service.

[root@uplogix-control-center ~]# service tomcat restart
Updating settings in /usr/tomcat/webapps/ROOT/WEB-INF/classes/database.xml
Updating settings in /uplogix/envoy/config/oracleDatabase.xml
Updating settings in /uplogix/envoy/../matchmaker/config/database.xml
Updating ehcache file
Starting Lantronix Control Center: ter:                      [  OK  ]
[root@uplogix-control-center ~]#

Retest

Run your vulnerability assessment again and ensure HSTS is present or no longer flagged.

For assistance, please contact Lantronix Support.

Control Center User Guide

Installation and Configuration

Introduction

Virtual Control Center Deployment

VMware Control Center Deployment

Microsoft Azure Control Center Deployment

Site Requirements

Unpacking and Installation

Provisioning

Access and Security Setup

Network Services

Working with the Web Interface

Logging In

Navigating the Web Interface

Searching the Control Center

Managing the Control Center

Heartbeat Certificates

Managing the Deployment

Deployment Overview

Viewing the Inventory

Inventory Groups

The Dashboard

Upgrading Local Managers

Managing Local Managers

Configuring a Local Manager

Replacing a Local Manager

Virtual Ports

Default Port Settings

Scheduled Tasks

Rules and Monitors

Labels

Operating System Policies

Remote Access Server

Accounts and Security

AAA Settings

User and Group Accounts

Privileges

Using Third-Party AAA to Manage Privileges

Importing Users, Groups, and Privileges

Using LDAP for AAA

Applet

Getting Started with the SSH Applet

Uplogix Terminal App

SSH Key Authentication

Failover to Managed Device

SSH Port Forwarding

Serial Port Forwarding

Serial Port Mirroring

Maintenance and Troubleshooting

Shutting Down the Control Center

Sending Logs to Uplogix Support

Upgrading a Control Center

Monitoring Disk Space with SNMP

Anonymous Usage Statistics

Advanced Features

Enable Serial Redirect

IBM Tivoli SNMP Integration

Rate-limiting File Downloads

SMS-initiated PPP

Deploying a Virtual Control Center to ESXi 7

Deploying a Virtual Control Center to ESXi 6.7 or Earlier

Enable HTTP Strict Transport Security Response Header

Using Let's Encrypt

Not finding what you're looking for?

The LEVEL Technical Services team is standing by 24/7/365 to answer any questions you may have about the installation, configuration, and usage of our products.