How to Enable HTTP Strict Transport Security in Connect
Objective: Meet security requirements that prescribe on-premise Connect servers use HTTP Strict Transport Security (HSTS): https://https.cio.gov/hsts/
Environment: On-premise Connect servers
Steps: There are several ways to implement HSTS:
1. The Connect application server:
In the Tomcat web.xml of the Connect application (appserv/conf under the Connect installation), the httpHeaderSecurity filter ships commented out. Uncomment it and add the following HSTS parameters:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
Also, uncomment the matching filter mapping so the filter runs for every request:
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
2. SSL acceleration: There are additional considerations for Connect servers deployed behind hardware load balancers that also terminate TLS (SSL accelerators). Tomcat's HttpHeaderSecurityFilter adds the Strict-Transport-Security header only to requests Tomcat regards as secure, so if TLS ends on the load balancer and the traffic reaches Tomcat as plain HTTP, the filter will not emit the header on its own. Either set the header on the load balancer itself, or make sure Tomcat is told that the original connection was HTTPS (for example via the connector's secure attribute or the RemoteIpValve, which maps the X-Forwarded-Proto header).
For example, see this iRule for F5 LTM: https://devcentral.f5.com/articles/implementing-http-strict-transport-security-in-irules
Consult the documentation for the specific load-balancing device and SSL accelerator in use.
3. The Adobe Experience Manager (AEM) based Connect Events Module:
An additional means of implementing HSTS for Connect AEM-based Events is the AEM Dispatcher proxy; version 5.5 for Connect 9.5 Events is available here: https://www.adobeaemcloud.com/content/companies/public/adobe/dispatcher/dispatcher.html
If a Dispatcher is present, use the mod_headers Header directive of the Apache httpd it runs in to add the header to every response served over HTTPS, with the same policy as the Tomcat filter above: Strict-Transport-Security: max-age=31536000; includeSubDomains
Additional Information: HSTS is a policy the browser enforces itself, not a server-side redirect. The first request a browser ever makes to a host may still go out as plain HTTP, but once it has received the Strict-Transport-Security header on an HTTPS response it rewrites later http:// requests to that host (and, with includeSubDomains, to its subdomains) to https:// before anything leaves the machine, for max-age seconds; a policy received over plain HTTP is ignored. HSTS cannot be used for RTMPS VIPs: Adobe Media Server (AMS) does not speak HTTPS but RTMPS, and HSTS is an HTTP response header, so it does not apply to AMS. The application server sends the header on its HTTPS responses; the parallel RTMPS connections that a client then opens to AMS are outside the scope of HSTS.
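The following is an added example, not code from this article or from Adobe Connect. It models, in Python, what the header configured in the steps above does on the client side and what a practitioner should check on the server side: a parser and policy check for the Strict-Transport-Security value (max-age of one year plus includeSubDomains, as prescribed above), and a minimal model of a browser's HSTS cache showing that the first plain-HTTP request is not protected, that later http:// requests to the host and its subdomains are rewritten locally, and that a policy delivered over plain HTTP is ignored. The host names, responses and fixed clock are constructed for illustration.

```python
"""Added example: HSTS header check and a minimal model of a browser's HSTS cache.
Not part of the Adobe Connect article; host names and responses are constructed."""
import time
from urllib.parse import urlsplit, urlunsplit

REQUIRED_MAX_AGE = 31536000  # one year, the value used in the article's configuration


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload).
    Raises ValueError if max-age is missing or malformed (RFC 6797 requires it)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub, preload


def check_policy(value, required_max_age=REQUIRED_MAX_AGE, require_subdomains=True):
    """Return a list of findings; an empty list means the header meets the requirement."""
    try:
        max_age, include_sub, _ = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if max_age < required_max_age:
        findings.append(f"max-age {max_age} is below the required {required_max_age}")
    if require_subdomains and not include_sub:
        findings.append("includeSubDomains is missing")
    return findings


class HstsStore:
    """Minimal model of a user agent's HSTS cache (RFC 6797 sections 8.1 and 8.3)."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}  # host -> (expiry timestamp, include_subdomains)

    def observe_response(self, url, headers):
        """Record the policy carried by a response. Returns True if a policy was applied.
        Policies received over plain HTTP are ignored, as a browser does, so a
        downgraded or tampered response can neither pin nor unpin the host."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")  # header names assumed canonical here
        if parts.scheme != "https" or value is None:
            return False
        max_age, include_sub, _ = parse_hsts(value)
        if max_age == 0:
            self.entries.pop(parts.hostname, None)  # max-age=0 removes the policy
        else:
            self.entries[parts.hostname] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host matches an unexpired entry exactly or via a superdomain with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.now():
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch for a navigation to url."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port == 80 else parts.netloc  # port 80 becomes 443
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def walk_through():
    """First visit versus later visits, with a fixed clock so the result is repeatable."""
    store = HstsStore(now=lambda: 1_000_000.0)
    fetched = []
    # 1. Nothing cached yet: the plain-HTTP request goes out as typed, and only a
    #    server-side redirect can move this first request to HTTPS.
    fetched.append(store.rewrite("http://connect.example.com/"))
    # 2. The HTTPS response after the redirect carries the policy from the article.
    store.observe_response("https://connect.example.com/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    # 3. From now on the browser never emits plain HTTP for the host or its subdomains.
    fetched.append(store.rewrite("http://connect.example.com/login"))
    fetched.append(store.rewrite("http://events.connect.example.com/"))
    # 4. Unrelated hosts are untouched.
    fetched.append(store.rewrite("http://other.example.com/"))
    return fetched


if __name__ == "__main__":
    print(check_policy("max-age=31536000; includeSubDomains"))  # []
    for url in walk_through():
        print(url)
```

To check a live deployment, feed the value of the Strict-Transport-Security header from an HTTPS response into check_policy, and confirm that the plain-HTTP listener (if any) only redirects and does not need to carry the header, since a browser discards it there anyway.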
Frank, does this also work with Connect 8?
Thanks!
You can add filters like the HSTS filter to older Tomcat versions; however, you have to create and add the required jar file yourself. https://stackoverflow.com/questions/27541755/add-hsts-feature-to-tomcat
The newer Tomcat versions (I think starting with version 8) include the required files and you just enable it as described in the article.