Configure the remote web server to use HSTS

SAPSupport
Employee

Hello Team,

We have received a security vulnerability from our security team, and the fix was to configure the remote web server to use HSTS. This has to be done on our sandbox database server. Could you please let us know the steps which can be taken to implement this on the database server?

SAPSupport
Employee

SAP HANA has two primary means by which it communicates with clients:

  • The HTTP Protocol
  • SQL Protocols (ODBC, JDBC, SQLDBC, etc.)

For the HTTP communication used for XS classic applications, SAP HANA implements an internal SAP Webdispatcher to route communication to the appropriate database for processing (see Maintain Standard HTTP Port Numbers with SAP HANA XS). Therefore, you can configure the webdispatcher to accomplish HSTS as per 3359291 - Configuring HSTS with Web Dispatcher or ICM.

The simplest means to disable non-TLS HTTP communication is to reconfigure the webdispatcher.ini > [profile] section from the SYSTEMDB by either:

  • Adjusting the icm/server_port_0 entry from PROT=HTTP,PORT=80$(SAPSYSTEM),PROCTIMEOUT=600 to PROT=HTTP,PORT=0,PROCTIMEOUT=600
    • As per icm/server_port_<xx> a port value of zero means that no inbound connections can be made for the specified protocol.
  • Removing icm/server_port_0 and instead specifying an icm/HTTP/redirect_<xx> to the HTTPS port.

For SQL communication, you can force TLS with configuration parameter sslenforce.

Best regards,
Tyler
SAP Technical Support | BTP HANA
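
A small check for the two points in the answer above, added here as an example and not part of the original reply or of any SAP tooling: it scans a webdispatcher.ini [profile] text for icm/server_port_<n> entries that still accept plain HTTP (PORT other than 0), and reads the Strict-Transport-Security header out of a captured HTTPS response head. The profile lines, the 43$(SAPSYSTEM) HTTPS port and the response texts are constructed samples; the max-age value is an assumption, not a value from the answer or from the referenced SAP note.

```python
import re

# Constructed sample of the [profile] section before the change described above.
# $(SAPSYSTEM) is left unexpanded, exactly as it appears in the profile file.
PROFILE_BEFORE = """\
[profile]
icm/server_port_0 = PROT=HTTP,PORT=80$(SAPSYSTEM),PROCTIMEOUT=600
icm/server_port_1 = PROT=HTTPS,PORT=43$(SAPSYSTEM),PROCTIMEOUT=600
"""
# Same profile with the plain-HTTP listener switched off (PORT=0 = no inbound connections).
PROFILE_AFTER = PROFILE_BEFORE.replace("PORT=80$(SAPSYSTEM)", "PORT=0")

# Constructed HTTPS response heads, captured with and without an HSTS header.
RESPONSE_BEFORE = "HTTP/1.1 200 OK\r\nServer: SAP\r\nContent-Type: text/html\r\n\r\n"
RESPONSE_AFTER = ("HTTP/1.1 200 OK\r\nServer: SAP\r\n"
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n")


def open_plain_http_ports(profile_text):
    """Return the PORT values of icm/server_port_<n> entries that still listen
    for plain HTTP (PROT=HTTP with a PORT other than 0). Empty list means none."""
    found = []
    for line in profile_text.splitlines():
        m = re.match(r"\s*icm/server_port_\d+\s*=\s*(.*)", line)
        if not m:
            continue
        params = {}
        for kv in m.group(1).split(","):          # entries are KEY=VALUE, comma separated
            if "=" in kv:
                key, value = kv.split("=", 1)
                params[key.strip().upper()] = value.strip()
        if params.get("PROT", "").upper() == "HTTP" and params.get("PORT") not in (None, "0"):
            found.append(params["PORT"])
    return found


def hsts_max_age(raw_response):
    """Parse an HTTP response head; return the Strict-Transport-Security max-age in
    seconds, 0 if the header is present without max-age, or None if it is absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
            return int(m.group(1)) if m else 0
    return None


if __name__ == "__main__":
    print("plain HTTP ports before:", open_plain_http_ports(PROFILE_BEFORE))
    print("plain HTTP ports after: ", open_plain_http_ports(PROFILE_AFTER))
    print("HSTS max-age before/after:", hsts_max_age(RESPONSE_BEFORE), hsts_max_age(RESPONSE_AFTER))
```

Run it against the real profile file and a response head captured from the HTTPS port to confirm both changes took effect after the webdispatcher restart.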

tyler_johnson01
Advisor
Please ensure that you have restarted the webdispatcher service in order to apply the configuration changes. A restart of the webdispatcher service is always required to apply configuration changes. If using HANA Studio, you can restart the webdispatcher from Administration > Landscape > Services. Restart the service by right-clicking the service name and selecting Kill...; please see restartWebdispatcher.png attached. Note that the hdbdaemon will immediately restart the webdispatcher.