This article explains the HSTS header, how to troubleshoot HSTS cases, and why a scan can report no HSTS when the Help page of the Security Console or Self-Service Console is accessed. The static help pages do not have HSTS enabled, but they cannot be modified either: they accept no input and no POST commands.
RSA has had HSTS enabled on our console pages for a couple of years now, since AM 8.2 P6. We no longer allow the initial redirect from http to https: http://am82p.vcloud.local:7004/console-ims used to work in that it redirected to https://am82p.vcloud.local:7004/console-ims, but that is no longer the case. For example:
http://am82p.vcloud.local:7004/ - ERR_EMPTY_RESPONSE
http://am82p.vcloud.local:7004/console-ims - ERR_EMPTY_RESPONSE
Port 7002, used for AM replication, behaves the same way because it does not process http or https at all; only internal Authentication Manager processes communicate over port 7002:
http://am82p.vcloud.local:7002/ - ERR_EMPTY_RESPONSE
The default console port 7004 serves no http or https page at the root URL, so a request to the root over https returns a 404 rather than an empty response:
https://am82p.vcloud.local:7004/ - Error 404--Not Found
What is HSTS?
It is the Strict-Transport-Security response header, which the web server sends over HTTPS and which the browser stores and enforces (a browser ignores the header if it arrives over plain HTTP). Once the browser has received it, it will use HTTPS for every request to that host, regardless of path or port, for the number of seconds given in the header's max-age directive, and each new response carrying the header refreshes that expiry. The max-age value is highlighted below:
[Image: example Strict-Transport-Security header with the max-age value highlighted]
The includeSubDomains directive extends the policy to every subdomain of the host as well, so the browser also rewrites plain http requests to any subdomain to https before sending them.
How can we delete the HSTS settings?
- Navigate to chrome://net-internals/#hsts. This is Chrome's UI for managing the browser's locally stored HSTS settings.
- First confirm that the domain's HSTS settings are recorded by Chrome by typing the hostname into the Query HSTS/PKP domain section of the page.
- Click Query. If the query box returns Found with the settings information below it, the domain's HSTS settings are saved in your browser. Note that this is an exact-match lookup: enter only the hostname, such as www.example.com or example.com, with no protocol or path.
- Type the same hostname into the Delete domain security policies section and click Delete. Your browser will no longer force an HTTPS connection for that site. This only removes entries the browser learned from a header; a domain that is on the built-in preload list cannot be removed this way.
What is HSTS Preloading?
Even with the header in place there is still a window of exposure: a user on a fresh install, or one who has wiped their local browser state, has no cached policy and so makes the very first request over plain HTTP. Because of that, Chrome maintains an HSTS Preload List (other browsers maintain lists derived from the Chrome list). Domains on the list are configured with HSTS out of the box, before the browser has ever seen the header.
If, for example, a customer owns a domain or hosts a Self-Service Console that they would like included in the preload list, they can submit it on the HSTS Preload site (hstspreload.org). The submission rules require the header to carry a max-age of at least one year (31536000 seconds) together with the includeSubDomains and preload directives, and includeSubDomains means every subdomain of the submitted domain must be reachable over HTTPS. The header should look like the example below:
[Image: example Strict-Transport-Security header meeting the preload submission requirements]
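The behaviour this article describes, as an added example (not RSA's code, nor part of the original article): parsing the Strict-Transport-Security header the way a browser does, simulating the browser's per-host cache so that the help page, which sends no header, is still upgraded once the console page has been visited, reporting which URLs a scanner that fetches each page in isolation would flag as lacking HSTS, and checking a header against the hstspreload.org submission rules. The hostname mirrors the article's lab host, but the help-page path and every response below are constructed for the example and are assumptions, not captured from a real Authentication Manager instance.

```python
"""Added example, not RSA's code: how a browser handles Strict-Transport-Security
and what an HSTS scan reports. The hostname follows the article's lab host; the
help-page path and all responses are constructed (assumptions)."""
from dataclasses import dataclass

ONE_YEAR = 31_536_000  # seconds; the minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value):
    """Parse an STS header value (RFC 6797 section 6.1). Returns None when the
    header is missing or invalid: max-age is mandatory and each directive may
    appear only once; a browser ignores the whole header otherwise."""
    if value is None:
        return None
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if not name:
            continue  # tolerate a trailing ';'
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None  # duplicate or malformed max-age
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as RFC 6797 requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def build_hsts_store(responses):
    """Simulate the browser's per-host HSTS cache: only a valid header received
    over HTTPS creates or refreshes an entry (a header seen over plain HTTP is
    ignored), and max-age=0 deletes the entry (RFC 6797 section 8.1)."""
    store = {}
    for r in responses:
        policy = parse_hsts(r["headers"].get("strict-transport-security"))
        if r["scheme"] != "https" or policy is None:
            continue
        if policy.max_age == 0:
            store.pop(r["host"], None)
        else:
            store[r["host"]] = policy
    return store


def would_upgrade(store, host):
    """Would the browser rewrite http://host/... to https://? (RFC 6797 8.3)
    True on an exact host match or when a parent domain's entry carries
    includeSubDomains. The path plays no part: the policy is per host."""
    if host in store:
        return True
    labels = host.split(".")
    parents = (".".join(labels[i:]) for i in range(1, len(labels)))
    return any(store[p].include_subdomains for p in parents if p in store)


def scan_for_hsts(responses):
    """What a scanner that fetches each URL in isolation reports for it."""
    report = {}
    for r in responses:
        url = f"{r['scheme']}://{r['host']}:{r['port']}{r['path']}"
        policy = parse_hsts(r["headers"].get("strict-transport-security"))
        report[url] = "HSTS" if (r["scheme"] == "https" and policy) else "no HSTS"
    return report


def preload_problems(policy):
    """Reasons hstspreload.org would reject the header: it requires a max-age
    of at least one year plus the includeSubDomains and preload directives."""
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age={policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


HOST = "am82p.vcloud.local"
SAMPLE_RESPONSES = [  # constructed responses (assumption), not real captures
    # Security Console over HTTPS: sends the header.
    {"scheme": "https", "host": HOST, "port": 7004, "path": "/console-ims",
     "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"}},
    # Static help page over HTTPS: no header, so a scan of this URL says "no HSTS".
    {"scheme": "https", "host": HOST, "port": 7004, "path": "/help/index.html",
     "headers": {}},
    # Plain HTTP: the server closes the connection (ERR_EMPTY_RESPONSE), no headers.
    {"scheme": "http", "host": HOST, "port": 7004, "path": "/console-ims",
     "headers": {}},
]

if __name__ == "__main__":
    for url, verdict in scan_for_hsts(SAMPLE_RESPONSES).items():
        print(f"{verdict:8} {url}")
    store = build_hsts_store(SAMPLE_RESPONSES)
    # The help page sends no header, yet the browser still upgrades it once the
    # console page has been visited, because the cached policy is per host.
    print(f"browser upgrades http://{HOST}/help/ ->", would_upgrade(store, HOST))
    print("preload problems:", preload_problems(store[HOST]))
```

Running the block shows the two sides of the scan finding: the help page URL is reported as "no HSTS" by a scanner that only looks at that response, while a browser that has already loaded the console page over HTTPS upgrades the help page anyway, since the policy is keyed on the host, not the path. The preload check on the console's header reports only the missing preload directive; a header meant for submission needs that directive added and then the same check passes.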