HTTP Strict Transport Security on the Access Gateway can't be disabled.

  • 7018300
  • 22-Nov-2016
  • 18-Apr-2018

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager Appliance
NetIQ Access Gateway Appliance

Situation

In Access Manager 4.3, HSTS has been enabled by default for all components.

To disable HTTP Strict Transport Security on the Access Gateway, the NAM 4.3 Security Guide lists the following steps:

12.3.4 Removing HTTP Strict Transport Security

  1. Open httpd.conf.
    Linux: /etc/opt/novell/apache2/conf
    Windows: C:\Program Files\Novell\apache\conf

  2. Disable the mod_headers library by commenting out the following line:
    Linux: LoadModule headers_module libexec/mod_headers.so
    Windows: LoadModule headers_module modules/mod_headers.so

  3. Comment out the “Header set” directive at the bottom of the file to disable the HSTS header:
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

When checking, the settings mentioned above are not present in /etc/opt/novell/apache2/conf/httpd.conf.
Instead they appear in /etc/opt/novell/apache2/conf/NovellAgSettings.conf.

Manual changes to NovellAgSettings.conf are overwritten when the Access Manager server components are restarted or a new configuration is applied.

Resolution

As a workaround, the following changes disable the option:

Modify the /etc/opt/novell/apache2/conf/httpd.conf file and uncomment the following entry to enable the mod_headers module:
LoadModule headers_module libexec/mod_headers.so

Add the following entry as the last line of the httpd.conf file:
Header always unset Strict-Transport-Security

Restart apache:
/etc/init.d/novell-apache2 restart
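The check script below is an added example, not part of this TID or of NetIQ's tooling: it verifies that httpd.conf carries the workaround (mod_headers loaded and an "unset" as the last Strict-Transport-Security directive) and that a saved `curl -sI` response no longer carries the header. The config and header text it uses are constructed samples; the real Linux paths are the ones given above.

```shell
#!/bin/sh
# Added example (not NetIQ's code): audit the HSTS workaround from this TID.
# Assumes the Linux file layout named in the article; sample data is constructed.

# Return 0 when mod_headers is loaded (LoadModule line not commented out) AND the
# last Strict-Transport-Security "Header" directive in the file is an "unset".
# Argument: path to httpd.conf.
hsts_workaround_applied() {
    conf="$1"
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+headers_module[[:space:]]' "$conf" || return 1
    last=$(grep -Ei '^[[:space:]]*Header[[:space:]]+always[[:space:]]+(set|unset)[[:space:]]+Strict-Transport-Security' "$conf" | tail -n 1)
    echo "$last" | grep -Eiq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+unset'
}

# Return 0 when a saved response header block (e.g. `curl -sI https://gateway > hdr`)
# still contains an HSTS header. Run it after restarting novell-apache2.
hsts_header_present() {
    grep -Eiq '^Strict-Transport-Security:' "$1"
}

# --- constructed sample files for a stand-alone run ---------------------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/httpd.conf.before" <<'EOF'
#LoadModule headers_module libexec/mod_headers.so
Include conf/NovellAgSettings.conf
EOF
cat > "$tmp/httpd.conf.after" <<'EOF'
LoadModule headers_module libexec/mod_headers.so
Include conf/NovellAgSettings.conf
Header always unset Strict-Transport-Security
EOF
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n' > "$tmp/hdr.before"
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' > "$tmp/hdr.after"

hsts_workaround_applied "$tmp/httpd.conf.before" && echo "before: workaround applied" || echo "before: workaround NOT applied"
hsts_workaround_applied "$tmp/httpd.conf.after"  && echo "after: workaround applied"  || echo "after: workaround NOT applied"
hsts_header_present "$tmp/hdr.before" && echo "before: HSTS header still sent"
hsts_header_present "$tmp/hdr.after"  || echo "after: HSTS header gone"
```

Point `hsts_workaround_applied` at the real /etc/opt/novell/apache2/conf/httpd.conf and `hsts_header_present` at a header dump taken from the gateway to check a live system.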

Status

Reported to Engineering