(5.0 - 5.3) Enabling HTTP Strict Transport Security (HSTS) headers

HTTP Strict Transport Security (HSTS) forces browsers to reach your IVG/VIS installation only over HTTPS (TLS) by returning a Strict-Transport-Security header on every response. This removes accidental plain-HTTP connections that could expose sensitive data.

Use the steps in this article to enable HSTS for IVG/VIS.

  • Stop the tomcat service:
systemctl stop tomcat
  • Generate a keystore containing the server certificate and private key, using either a self-signed certificate or the private key and PEM certificate issued by a CA.

Self-Signed certificate method

If you would like to use self-signed certificates, you can generate the keystore with the Java keytool, which is installed with Java by default. See the example below:

/usr/lib/jvm/jre-1.8.0/bin/keytool -genkey -alias tomcat -keyalg RSA -dname "cn=CompanyName, ou=OrganizationalUnit, o=OrganizationName, c=CountryName" -keystore "/etc/VirtualHold/.keystore"

Before running this command, replace the following placeholders with your own values; keytool prompts for the keystore password.

  • CompanyName
  • OrganizationalUnit
  • OrganizationName
  • CountryName

Next, convert the keystore to the JKS format that Tomcat expects:

/usr/lib/jvm/jre-1.8.0/bin/keytool -importkeystore -srckeystore /etc/VirtualHold/keystore.p12 -srcstoretype pkcs12 -destkeystore /etc/VirtualHold/.keystore

Certificate Authority (CA) certificate method

If you already have a private key and certificate in PEM format from a CA, build the keystore with OpenSSL and the Java keytool (installed with Java) using the steps below.

  • Copy the private key (privatekey.pem) and certificate (certificate.pem) files to /etc/VirtualHold/ on your IVG server.
  • Generate the keystore with the following command:
openssl pkcs12 -export -in /etc/VirtualHold/certificate.pem -inkey /etc/VirtualHold/privatekey.pem -out /etc/VirtualHold/keystore.p12 -name "tomcat"
  • Provide the export password when requested.
  • Convert the keystore to the JKS format that Tomcat expects:
/usr/lib/jvm/jre-1.8.0/bin/keytool -importkeystore -srckeystore /etc/VirtualHold/keystore.p12 -srcstoretype pkcs12 -destkeystore /etc/VirtualHold/.keystore
  • When the destination password is requested, enter changeit. For the source password, enter the same value as the export password used in a previous step.
  • Change the file ownership and permissions so that only the Tomcat account can read the keystore:
chown tomcat-ivg:tomcat-ivg /etc/VirtualHold/.keystore
chmod 400 /etc/VirtualHold/.keystore
  • Add port 9443 to any firewalls running on the server:
firewall-cmd --permanent --add-port=9443/tcp
firewall-cmd --reload
  • Stop the tomcat service:
systemctl stop tomcat
  • Open the server.xml file (/export/home/tomcat-ivg/conf) for editing.
  • In server.xml, update the redirect port in the following section from 8443 to 9443:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="9443" />
  • Uncomment and update the Connector section that includes protocol="org.apache.coyote.http11.Http11NioProtocol" as follows.
    • port: Change from 8443 to 9443
    • Remove the SSLHostConfig tag and add the attributes below:
      • keystoreFile="/etc/VirtualHold/.keystore"
      • keystorePass: Enter the keystore password.
      • keyAlias: Enter the certificate alias (tomcat in the examples above).
      • clientAuth="false"
      • sslProtocol="TLSv1.2"

Consult the example below to verify your changes.

Before changes:

<!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
       maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
        </SSLHostConfig>
    </Connector>
-->

After changes:

<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
           keystoreFile="/etc/VirtualHold/.keystore" keystorePass="changeit" keyAlias="tomcat"
           clientAuth="false" sslProtocol="TLSv1.2" />
  • Add the following section within the <service> tag in server.xml.
    • This adds a security constraint so that only HTTPS connections are accepted; plain-HTTP requests are redirected to the redirectPort (9443) set above.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>twx-portal</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
  • Add the following section within the <filter> tag in web.xml.
    • This enables the hstsEnabled parameter and sets the related max-age and includeSubDomains values.
<init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
</init-param>
<init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
</init-param>
<init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
</init-param>
  • Update the webaudiopath property in the toolkit.properties file (/etc/VirtualHold/toolkit.properties) to use HTTPS with the appropriate port:
com.virtualhold.toolkit.webaudiopath=https://localhost:9443/namefiles
  • Start the tomcat service:
systemctl start tomcat
  • Attempt to browse https://<IP Address>:9443 to verify the HTTPS configuration works.
  • After a successful test in the previous step, update the HMS CCXML path to reflect the HTTPS URL.
    • Log in to the Holly Management System (HMS) and navigate to Configuration > Holly Configuration > Components > Holly Call Control
    • Select the required host.
    • Update the newsessiondocument parameter to https://localhost:9443/CCIS/vht_hvp.ccxml.
  • Update the HMS application URLs.
    • (Administrator > Applications) Select the required application and update the URL as follows.
    • Change the protocol from HTTP to HTTPS
    • Change the port number from 8080 to 9443
    • Example inbound URL: https://localhost:9443/VIS/PlatformSupport_HVP/BeginTenant=VHT&MODE=HVPAvaya
  • Place test calls to confirm that HTTPS is used.
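A check for the end state of this procedure, as an added example that is not part of the original article: it parses raw HTTP responses from the two connectors and confirms that port 8080 redirects to port 9443 and that port 9443 returns a Strict-Transport-Security header matching the web.xml values above. The sample responses are constructed; real output from curl -i or a packet capture can be fed to the same functions.

```python
EXPECTED_MAX_AGE = 31536000   # hstsMaxAgeSeconds set in web.xml
HTTPS_PORT = 9443             # HTTPS Connector port / redirectPort set in server.xml


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_code, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(head[0].split()[1]), headers


def parse_hsts(value: str):
    """Return (max_age, include_subdomains) parsed from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age=") and d[8:].isdigit():
            max_age = int(d[8:])
        elif d == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_https_response(raw: bytes):
    """Findings for a response from port 9443; an empty list means HSTS matches web.xml."""
    hsts = parse_response(raw)[1].get("strict-transport-security")
    if hsts is None:
        return ["missing Strict-Transport-Security header (hstsEnabled not applied?)"]
    max_age, include_sub = parse_hsts(hsts)
    findings = []
    if max_age != EXPECTED_MAX_AGE:
        findings.append(f"max-age is {max_age}, expected {EXPECTED_MAX_AGE}")
    if not include_sub:
        findings.append("includeSubDomains directive missing")
    return findings


def check_http_redirect(raw: bytes):
    """Findings for a response from port 8080: the CONFIDENTIAL constraint must redirect to https://host:9443."""
    status, headers = parse_response(raw)
    loc = headers.get("location", "")
    ok = (status in (301, 302, 303, 307, 308) and loc.startswith("https://")
          and loc[8:].split("/", 1)[0].endswith(f":{HTTPS_PORT}"))
    return [] if ok else [f"port 8080 did not redirect to https://<host>:{HTTPS_PORT} (status {status}, Location {loc!r})"]


# Constructed sample responses standing in for real captures from the two connectors.
SAMPLE_HTTPS = (b"HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
               b"Content-Type: text/html\r\n\r\n<html>")
SAMPLE_HTTP = b"HTTP/1.1 302 Found\r\nLocation: https://localhost:9443/VIS/\r\n\r\n"
```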