Enabling HSTS in OpManager
From OpManager version 12.3.178 and above, users can enable HSTS in OpManager to enhance security by ensuring that all communication with the server is conducted over HTTPS, preventing potential man-in-the-middle attacks and SSL stripping.
What is HSTS?
HTTP Strict Transport Security (HSTS) is a security feature that forces browsers to connect to a website over HTTPS, ensuring secure communication. Once a browser receives the HSTS response header, it will block all HTTP communication with the site, redirecting it to HTTPS. HSTS was developed to prevent SSL Stripping, a type of Man-in-the-Middle (MITM) attack, where HTTPS communication is downgraded to HTTP.
How to enable HSTS in OpManager?
Prerequisites:
- SSL must be enabled for the OpManager server.
- The server must hold a valid SSL certificate.
Steps to enable HSTS:
- Ensure SSL is enabled: If SSL is not enabled, refer to the link to enable SSL.
- Connect to the OpManager database: Follow the instructions in the link to connect to OpManagerDB.
- Execute the query:
Insert into SystemSettings(PROPNAME, PROPVAL) values('enableHSTS','true');
- Restart the OpManager server.
- Clear browser cache: Log in again to the OpManager server.
- HSTS will now be enabled for the OpManager server.
Notes:
- Once HSTS is enabled, browsers will only connect to the server via HTTPS, even if the user tries to reach it over HTTP or through another port. An HSTS policy applies to the host name as a whole, not to a single port.
- NFA DE (NetFlow Analyzer Distributed Edition) uses both HTTP and HTTPS. Enabling HSTS will block its HTTP access. Other ManageEngine (ME) products running on different ports of the same host will likewise be unreachable over HTTP.
- If SSL is enabled, OpManager's responses carry the header 'strict-transport-security: max-age=0; includeSubDomains' even when HSTS has not been enabled. This does not mean that HSTS is enabled: a max-age of 0 instructs the browser to discard any HSTS policy it holds for the host.
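The note above matters when verifying the change: merely seeing a Strict-Transport-Security header is not proof that HSTS is in force, because a max-age of 0 clears the policy rather than setting it. The following added example (not part of OpManager or its documentation) parses the header value the way a browser does and reports whether the policy is actually enforced. The sample header values at the bottom are constructed; the fetch_hsts_policy helper, its host and port parameters, and the use of the Python standard library to make the request are assumptions of this example.

```python
"""Classify a server's Strict-Transport-Security header.

Added example for checking whether HSTS is really in effect; it is not
OpManager code. Run it with no arguments to see the constructed samples,
or call fetch_hsts_policy(host, port) against a server you administer.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    present: bool               # header was sent at all
    max_age: Optional[int]      # parsed max-age, None if absent or malformed
    include_subdomains: bool
    preload: bool

    @property
    def enforced(self) -> bool:
        # RFC 6797: max-age=0 tells the browser to forget the host's policy,
        # and a header with no valid max-age is ignored. Only a positive
        # max-age means HTTPS is actually being enforced.
        return self.present and self.max_age is not None and self.max_age > 0


def parse_hsts(header_value: Optional[str]) -> HstsPolicy:
    """Parse a value such as 'max-age=31536000; includeSubDomains'."""
    if header_value is None:
        return HstsPolicy(False, None, False, False)
    max_age = None
    include_sub = preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                max_age = None      # malformed: browsers ignore the header
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return HstsPolicy(True, max_age, include_sub, preload)


def classify(header_value: Optional[str]) -> str:
    """Reduce a header value to one of: absent, cleared, malformed, enforced."""
    policy = parse_hsts(header_value)
    if not policy.present:
        return "absent"
    if policy.max_age is None:
        return "malformed"
    if policy.max_age == 0:
        return "cleared"        # the OpManager 'SSL on, HSTS off' case
    return "enforced"


def fetch_hsts_policy(host: str, port: int, path: str = "/",
                      verify: bool = True) -> HstsPolicy:
    """Request `path` over HTTPS and parse the STS header from the response.

    host and port are supplied by the caller (assumed values, not defaults
    taken from OpManager). verify=False only suits a lab with a self-signed
    certificate; the page's prerequisite is a valid certificate anyway.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return parse_hsts(resp.getheader("Strict-Transport-Security"))
    finally:
        conn.close()


# Constructed sample header values, not captured from a real server.
SAMPLES = {
    "ssl on, hsts off": "max-age=0; includeSubDomains",
    "hsts on": "max-age=31536000; includeSubDomains",
    "no header": None,
    "broken": "max-age=soon; includeSubDomains",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:18} -> {classify(value)}")
```

The classify result "cleared" is exactly the state the note describes: SSL is on, the header is sent, but the browser is told to drop any HSTS policy, so HTTP is still accepted. After the enableHSTS setting is applied and the server restarted, the same check should report "enforced" with a positive max-age.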
Disabling HSTS in OpManager:
Steps to disable HSTS:
- Connect to the database: Refer to the link to connect to OpManagerDB.
- Execute the query:
Update SystemSettings set PROPVAL = 'false' where PROPNAME = 'enableHSTS';
- Clear Browser Cache and log in again to the OpManager server.
- HSTS will now be disabled.
Enabling HSTS after disabling:
- Ensure SSL is enabled: If not, follow the link to enable SSL.
- Connect to the database: Refer to the link to connect to OpManagerDB.
- Execute the query:
Update SystemSettings set PROPVAL = 'true' where PROPNAME = 'enableHSTS';
- Restart the OpManager server.
- Clear browser cache: Log in again to the OpManager server.
- HSTS will now be re-enabled.