The SEPM must be using a 3rd-party certificate. Follow "Updating or restoring a server certificate" to configure the SEPM to use a certificate other than the default self-signed certificate. For more information, see "About server certificates".
Self-signed certificates (the SEPM default configuration) do not support HSTS.
The root certificate must be installed on each SEPM in the Trusted Root Certification Authorities store.
Warning
Enabling HSTS causes the following items to stop functioning properly:
Built-in Help pages in the SEPM: clicking Help -> Help Topics within the SEPM displays a browser page reading “This content cannot be displayed in a frame.”
SEPM Web Console (port 8443) when accessed by the SEPM IP address. Accessing the Web Console by the SEPM hostname remains unaffected.
Java remote console is unaffected.
Steps to enable HSTS for semsrv service on port 8443
Stop the SEPM services.
Symantec Endpoint Protection Launcher
Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager API Service
Symantec Endpoint Protection Manager Webserver
Open …\<SEPM install directory>\tomcat\conf\web.xml with a text editor.
Navigate to the section “Built in Filter Definitions”. The first filter, httpHeaderSecurity, is commented out. On the line directly below the closing comment marker (-->), paste the following filter configuration.
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
Navigate to the section “Built in Filter Mappings”. The first filter mapping, httpHeaderSecurity, is commented out. On the line directly below the closing comment marker (-->), paste the following filter-mapping configuration.
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
Start the SEPM services.
Symantec Endpoint Protection Launcher
Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager API Service
Symantec Endpoint Protection Manager Webserver
Verify the Web Console is working by logging in to https://<Hostname>:8443.
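The web.xml edit above is easy to get wrong, most often by pasting the new filter inside Tomcat's comment block rather than after it, in which case the XML parser (and Tomcat) never sees it. The following is an added example, not Symantec's or Tomcat's code, that parses a web.xml and reports whether an active httpHeaderSecurity filter with hstsEnabled set to true and a matching filter-mapping are present. The embedded web.xml is a constructed minimal sample carrying the filter definition and mapping from the steps above; the url-pattern check applies the pattern forms the Servlet specification defines (context root, default, path, path prefix with /*, and *.ext).

```python
"""Lint a Tomcat web.xml for the httpHeaderSecurity HSTS filter (added example, not Symantec's code)."""
import xml.etree.ElementTree as ET

HSTS_FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed minimal web.xml: Tomcat's commented-out default filter, followed by the
# active filter and mapping from the procedure above.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- ================== Built In Filter Definitions ================== -->
  <!--
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
  </filter>
  -->
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>hstsIncludeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
  </filter>
  <!-- =================== Built In Filter Mappings =================== -->
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>
"""


def _local(tag):
    """Strip the namespace Tomcat's web.xml declares, e.g. '{http://...}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else ""


def hsts_filter(root, name="httpHeaderSecurity"):
    """Return (filter-class, {param-name: param-value}) for the active filter, or None.
    XML comments are skipped by the parser, so Tomcat's commented-out default does not count."""
    for f in _children(root, "filter"):
        if _text(f, "filter-name") == name:
            params = {_text(p, "param-name"): _text(p, "param-value") for p in _children(f, "init-param")}
            return _text(f, "filter-class"), params
    return None


def filter_mappings(root, name="httpHeaderSecurity"):
    """Return the url-patterns of every active filter-mapping for the named filter."""
    patterns = []
    for m in _children(root, "filter-mapping"):
        if _text(m, "filter-name") == name:
            patterns += [u.text.strip() if u.text else "" for u in _children(m, "url-pattern")]
    return patterns


def valid_url_pattern(p):
    """Servlet-spec pattern forms: '' (context root), '/' (default), '/path', '/path/*', '*.ext'."""
    if p in ("", "/"):
        return True
    if p.startswith("*."):
        return "/" not in p[2:]
    return p.startswith("/") and "*." not in p


def check_hsts_filter(xml_text):
    """Return a list of findings; an empty list means the HSTS filter is wired up as the procedure intends."""
    findings = []
    root = ET.fromstring(xml_text)
    found = hsts_filter(root)
    if found is None:
        return ["no active httpHeaderSecurity <filter> (is it still inside the comment block?)"]
    cls, params = found
    if cls != HSTS_FILTER_CLASS:
        findings.append(f"filter-class is {cls!r}, expected {HSTS_FILTER_CLASS}")
    if params.get("hstsEnabled", "").lower() != "true":
        findings.append("hstsEnabled is not set to true")
    max_age = params.get("hstsMaxAgeSeconds", "")
    if not max_age.isdigit() or int(max_age) <= 0:
        findings.append(f"hstsMaxAgeSeconds must be a positive integer, got {max_age!r}")
    patterns = filter_mappings(root)
    if not patterns:
        findings.append("no active <filter-mapping> for httpHeaderSecurity")
    for p in patterns:
        if not valid_url_pattern(p):
            findings.append(f"url-pattern {p!r} is not a Servlet-spec pattern form")
    return findings


if __name__ == "__main__":
    # Point this at <SEPM install directory>\tomcat\conf\web.xml to lint the real file.
    for line in check_hsts_filter(SAMPLE_WEB_XML) or ["OK: HSTS filter and mapping are active"]:
        print(line)
```

Run it against the real web.xml by reading the file into check_hsts_filter before starting the Webserver service; an empty result means the filter definition and mapping are both outside the comment blocks and hstsEnabled is true.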
Steps to enable HSTS for semwebsrv service (httpd) on port 8445 and 443
Stop the SEPM services.
Symantec Endpoint Protection Launcher
Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager API Service
Symantec Endpoint Protection Manager Webserver
Open …\<SEPM install directory>\apache\conf\ssl
In a text editor, open ssl.conf and add the following line at the bottom, then save the file.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
In a text editor, open sslforclients.conf and add the following line at the bottom, then save the file.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Start the SEPM services.
Symantec Endpoint Protection Launcher
Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager API Service
Symantec Endpoint Protection Manager Webserver
Additional Information on HSTS for port 8446:
It is possible to enable HSTS on port 8446; however, the configuration has no practical effect. HSTS instructs a client to use only HTTPS when communicating with a specific service. The SEPM API Service (running on port 8446) responds only to HTTPS traffic by default and does not respond to HTTP traffic at all. The HSTS header is therefore meaningless to the client, which must already use HTTPS regardless.
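Once the services are back up, the only proof that either procedure took effect is the header on the wire. The following is an added example, not Symantec's code, that connects over TLS to each configured port, reads the Strict-Transport-Security header and compares it with the policy the steps above set (max-age 31536000 with includeSubDomains on 8443 from the Tomcat filter; max-age 63072000 with includeSubDomains and preload on 8445 and 443 from the two Apache conf files). The host name sepm.example.invalid is a placeholder; certificate verification is left on, which is why the 3rd-party certificate and the host name rather than the IP address are required, as stated at the top of this page. The evaluate function also encodes the point made about port 8446: a policy that a browser receives over plain HTTP is ignored (RFC 6797, section 8.1), so HSTS only matters where the same host name can be reached over HTTP.

```python
"""Verify the Strict-Transport-Security header on SEPM ports (added example, not Symantec's code)."""
import http.client
import ssl

# Policy each procedure above configures per port: (max-age seconds, includeSubDomains, preload).
EXPECTED = {
    8443: (31536000, True, False),  # Tomcat HttpHeaderSecurityFilter (no preload set in web.xml)
    8445: (63072000, True, True),   # Apache httpd ssl.conf / sslforclients.conf
    443: (63072000, True, True),
}


def parse_hsts(value):
    """Parse an STS header value into {'max-age': int, 'includeSubDomains': bool, 'preload': bool}.
    Directive names are case-insensitive (RFC 6797, section 6.1); returns None if max-age is missing."""
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            policy["max-age"] = int(arg)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max-age"] is not None else None


def evaluate(port, sts_value, over_https=True):
    """Return findings for one port; an empty list means the header matches EXPECTED[port]."""
    if sts_value is None:
        return [f"port {port}: no Strict-Transport-Security header"]
    if not over_https:
        # A UA MUST ignore STS received over insecure transport (RFC 6797, section 8.1).
        return [f"port {port}: STS received over plain HTTP is ignored by browsers"]
    policy = parse_hsts(sts_value)
    if policy is None:
        return [f"port {port}: unparsable STS value {sts_value!r}"]
    exp_age, exp_sub, exp_preload = EXPECTED[port]
    findings = []
    if policy["max-age"] != exp_age:
        findings.append(f"port {port}: max-age is {policy['max-age']}, expected {exp_age}")
    if policy["includeSubDomains"] != exp_sub:
        findings.append(f"port {port}: includeSubDomains is {policy['includeSubDomains']}, expected {exp_sub}")
    if policy["preload"] != exp_preload:
        findings.append(f"port {port}: preload is {policy['preload']}, expected {exp_preload}")
    return findings


def fetch_sts(host, port, timeout=10):
    """HEAD / over TLS and return the STS header value, or None if the server did not send one.
    Uses the system trust store, so the SEPM certificate must chain to an installed root."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def check_host(host, ports=EXPECTED):
    """Map each port to its findings; connection or certificate errors are reported, not raised."""
    results = {}
    for port in ports:
        try:
            results[port] = evaluate(port, fetch_sts(host, port))
        except (OSError, ssl.SSLError) as exc:
            results[port] = [f"port {port}: connection failed: {exc}"]
    return results


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "sepm.example.invalid"  # placeholder host name
    for port, findings in check_host(host).items():
        print(port, findings or ["OK"])
```

Pass the SEPM host name on the command line; a certificate error on every port is the symptom of the self-signed default certificate (or of using the IP address), and a missing header on 8443 only usually means the Webserver service was not restarted after the web.xml edit.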