This blog is about another important security enhancement delivered in the SAP BusinessObjects 4.3 SP03 release: support for the HTTP Strict Transport Security (HSTS) policy mechanism. HSTS is a web security policy mechanism; with support for this policy in the BI Platform, BI end users and BI administrators can now access BI Launchpad, OpenDocument, and the Central Management Console in a more secure way. For more information about HSTS and a better understanding of the policy, refer to the following blog.
The Strict-Transport-Security header is ignored by the browser when your site has only ever been accessed over HTTP. Once your site has been accessed over HTTPS with no certificate errors, the browser knows that your site is HTTPS-capable and will honour the Strict-Transport-Security header from then on. This means that until the BI end user accesses the HTTPS URL for the first time, the browser on that user's system will not automatically convert HTTP URLs to HTTPS URLs, even though the server supports HTTPS communication and has the HSTS policy enabled.
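The browser-side behaviour described above, as an added example that is not part of the original post: a small Python model of an RFC 6797 HSTS host list, replaying the sequence of a plain-HTTP visit, an HTTPS visit with a certificate error, and a clean HTTPS visit. The host name bi.example.com, the ports and the /BOE/BI path are assumed values.

```python
from urllib.parse import urlsplit, urlunsplit

def observe(store, scheme, host, headers, cert_ok=True):
    """Apply one response to the browser's HSTS list; True if a policy was stored."""
    # RFC 6797 s8.1: only an error-free HTTPS response can set a policy.
    if scheme != "https" or not cert_ok:
        return False
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if value is None:
        return False
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:  # max-age is mandatory; a malformed header is ignored
        return False
    store[host.lower()] = include_sub
    return True

def is_known(store, host):
    labels = host.lower().split(".")
    # Exact match, or a parent domain that set includeSubDomains.
    return host.lower() in store or any(
        store.get(".".join(labels[i:]), False) for i in range(1, len(labels)))

def rewrite(store, url):
    # What the browser does before sending: upgrade http:// for known hosts.
    p = urlsplit(url)
    if p.scheme != "http" or not is_known(store, p.hostname):
        return url
    # RFC 6797 s8.3: explicit :80 becomes :443, any other explicit port is kept.
    port = "" if p.port is None else ":443" if p.port == 80 else f":{p.port}"
    return urlunsplit(("https", p.hostname + port, p.path, p.query, p.fragment))

def bi_launchpad_scenario():
    # Constructed host/URL; replays the sequence described in the text above.
    store, url = {}, "http://bi.example.com:8080/BOE/BI"
    hdr = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    observe(store, "http", "bi.example.com", hdr)                  # plain HTTP: ignored
    step1 = rewrite(store, url)
    observe(store, "https", "bi.example.com", hdr, cert_ok=False)  # cert error: ignored
    step2 = rewrite(store, url)
    observe(store, "https", "bi.example.com", hdr)                 # clean HTTPS: stored
    step3 = rewrite(store, url)
    return step1, step2, step3
```

Note that an explicit non-80 port is preserved on upgrade, so a user who reaches BI Launchpad as http://host:8080 will be sent to https://host:8080, which only works if the web tier actually serves TLS on that port.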
How to implement HSTS in your BI landscape’s web deployment system:
The first and obvious prerequisite is that the Web Tier server (the application server on which the SAP BusinessObjects web applications are deployed) is configured with HTTPS (that is, SSL/TLS), which is required to enable HSTS. Once SSL/TLS is enabled, follow the steps below.
Navigate to <BO_Install_Dir>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom
Create a properties file named “global.properties”
Open it in any text editor and enter the following text