HTTP Strict Transport Security (HSTS) is a web security policy mechanism. By default, HSTS is now enabled to protect web application users against some passive (eavesdropping) and active network attacks.
To disable HSTS, perform the following steps:
On a Windows Primary Server:
Go to %ZENSERVER_HOME%\bin (example: C:\Program Files (x86)\Micro Focus\ZENworks\bin).
Open the ZENServerW file.
In the Java tab, add -DEnableHSTS=false as a new line at the end of the Java Options section.
By default, -DEnableHSTS is set to true.
On a Linux Primary Server:
Open the /etc/opt/microfocus/zenworks/settings/zenserversettings.sh file.
Set the -DEnableHSTS property to false in the following line:
JAVA_EXTRA_OPTION="$HEAP_DUMP_OPTIONS $ZEN_PROBE_OPTS $ZEN_JVM_TRUSTSTORE_OPTS $ZEN_JMX_OPTS -DEnableHSTS=false"
By default, -DEnableHSTS is set to true.
In Tomcat:
Open the <Tomcat>/conf/web.xml file from the following path:
On Linux Server: /opt/microfocus/zenworks/share/tomcat/conf/
On Windows Server: <ZENSERVER_HOME>\services\zenserver\conf\
Comment out the httpHeaderSecurity filter definition and the <filter-mapping> section:
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Save the file and restart Tomcat.
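To confirm which state a server is in after these steps, the following Python check (an added example, not part of the ZENworks documentation) reads the text of web.xml and zenserversettings.sh and reports whether the httpHeaderSecurity filter is still active and what -DEnableHSTS resolves to. The sample inputs are constructed and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

FILTER_NAME = "httpHeaderSecurity"  # filter name used in the web.xml listing above

def local(tag):  # strip the XML namespace so any web.xml schema version works
    return tag.rsplit("}", 1)[-1]

def header_filter_state(web_xml_text):
    """Return the filter's init-params if it is defined AND mapped, else None.
    ElementTree drops XML comments, so a commented-out filter is not seen."""
    root = ET.fromstring(web_xml_text)
    params, mapped = None, False
    for el in root:
        names = [c.text.strip() for c in el if local(c.tag) == "filter-name" and c.text]
        if FILTER_NAME not in names:
            continue
        if local(el.tag) == "filter":
            params = {}
            for ip in el:
                if local(ip.tag) == "init-param":
                    kv = {local(c.tag): (c.text or "").strip() for c in ip}
                    params[kv.get("param-name")] = kv.get("param-value")
        elif local(el.tag) == "filter-mapping":
            mapped = True
    return params if (params is not None and mapped) else None

def enable_hsts_option(settings_text):
    """Effective -DEnableHSTS value on uncommented lines; the page gives true as the default."""
    value = "true"
    for line in settings_text.splitlines():
        if not line.lstrip().startswith("#"):
            for m in re.finditer(r"-DEnableHSTS=(\w+)", line):
                value = m.group(1).lower()
    return value == "true"

# Constructed sample inputs (not taken from a real server).
ACTIVE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
DISABLED = ACTIVE.replace("<filter>", "<!-- <filter>").replace("</filter-mapping>", "</filter-mapping> -->")
SETTINGS = 'JAVA_EXTRA_OPTION="$HEAP_DUMP_OPTIONS $ZEN_JMX_OPTS -DEnableHSTS=false"'

if __name__ == "__main__":
    print(header_filter_state(ACTIVE), header_filter_state(DISABLED), enable_hsts_option(SETTINGS))
```

A None result for web.xml means the whole filter is off, which also removes the X-Frame-Options: SAMEORIGIN header that antiClickJackingOption sets in the listing above, not only the HSTS header.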