Authentication Manager, AM 8.3 and earlier, and their Web Tiers

HTTP Strict-Transport-Security (HSTS) is missing from Error responses, e.g. 404 in AM version 8.3 and earlier.
If you scan https://<AM_server_name>:7004 instead of a valid URL, like https://<AM_server_name>:7004/console-ims

The AM server returns a 404 page not found, but this Error page does not have HSTS enabled. 

1. The resolution is to update to later versions of AM which have fixed all HSTS vulnerabilities
2. This KB is available for historical purposes for manual fixes to very old and out-dated versions of AM. If you are running these versions of AM, you have many more problems than just HSTS

SSH into AM server, primary or replica, as rsaadmin
 cd /opt/rsa/am/server/wrapper/
There are several *Wrapper.conf files here, list them out

 ls -l *Wrapper.conf

 <screen shot above in tasks>

you need to determine the last number used for wrapper.java.additional.<nn> and use the next higher number, so for example in the AdminServerWrapper.conf on my AM 8.6 primary the highest number is .51, 


 <screen shot 2>

so I need to add one more configuration parameter with .51, like this

 wrapper.java.additional.52=-Dweblogic.http.headers.enableHSTS=true

so that it ends up looking like this


 <screen shot 3>

The next configuration file is BiztierServerWrapper.conf, and the highest # on wrapper.java.additional is 48, 


 <screen shot 4>

so add the following line 

  wrapper.java.additional.49=-Dweblogic.http.headers.enableHSTS=true

and save, so that it looks like this.


 <screen shot 5>

 cd /opt/rsa/am/server
 ./rsaserv restart all