HTTP Strict Transport Security (HSTS) With SAP BusinessObjects BI Web Applications
This blog covers another important security enhancement delivered in the SAP BusinessObjects 4.3 SP03 release: support for the HTTP Strict Transport Security (HSTS) policy mechanism. HSTS is a web security policy mechanism; with this policy supported in the BI Platform, BI end users and BI administrators can access BI Launchpad, OpenDocument, and the Central Management Console in a more secure way. For more information about HSTS and a better understanding of the policy, refer to the following blog.
The Strict-Transport-Security header is ignored by the browser when your site has only been accessed using HTTP. Once your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honour the Strict-Transport-Security header. This means that until the BI end user accesses the HTTPS URL for the first time, the browser on that end user's system will not auto-convert any HTTP URL to the HTTPS URL, even though the server supports HTTPS and has the HSTS policy enabled.
How to Implement HSTS in your BI Landscape’s Web deployment system:
The first step is to configure the Web Tier server (the application server on which the SAP BusinessObjects Web Applications are deployed) with HTTPS (that is, SSL/TLS), which is required before HSTS can be enabled. Once SSL is enabled, follow the steps below.
- Navigate to <BO_Install_Dir>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom
- Create a PROPERTIES file with the name “global.properties”
- Open it in any text editor and enter the following text:
hsts.enabled=true
hsts.Include.SubDomains=true
hsts.MaxAge.Seconds=31536000
- Save the file.
- Re-deploy the BOE.war file; refer to the following note 2723514.
How to verify that the BI system has been added to the browser's HSTS domain list?
- Open Google Chrome
- Enter chrome://net-internals/#hsts in the address bar
- In the Query HSTS/PKP domain field, type in the domain name for which you want to fetch the HSTS settings. This should return some values.
- The result shows the HSTS details for the domain.
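The server side can be checked as well, independently of the browser. The following is an added example, not code from SAP or from the original blog: it parses a Strict-Transport-Security value the way RFC 6797 describes and compares it with the global.properties file created above. It assumes that the three property keys map directly onto the header's presence, `includeSubDomains`, and `max-age`; the header value itself is supplied by you (for example, copied from the response to an HTTPS request against the BI Launchpad URL).

```python
import re

# Constructed sample: the global.properties content from the steps above.
PROPS = """hsts.enabled=true
hsts.Include.SubDomains=true
hsts.MaxAge.Seconds=31536000
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if a browser would ignore it."""
    seen = {}
    for part in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = part.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name in seen:
            return None                        # duplicate directive: header is invalid
        seen[name] = value.strip().strip('"')  # value may be a quoted-string
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None                            # max-age is required and must be digits
    return int(seen["max-age"]), "includesubdomains" in seen

def check(props_text, scheme, header):
    """List mismatches. Assumption: property keys map 1:1 onto header directives."""
    props = parse_properties(props_text)
    if props.get("hsts.enabled", "").lower() != "true":
        return ["hsts.enabled is not true"]
    if scheme != "https":
        return ["header received over HTTP is ignored by browsers"]
    parsed = parse_hsts(header or "")
    if parsed is None:
        return ["missing or malformed Strict-Transport-Security header"]
    problems = []
    if parsed[0] != int(props.get("hsts.MaxAge.Seconds", "0")):
        problems.append("max-age differs from hsts.MaxAge.Seconds")
    want_sub = props.get("hsts.Include.SubDomains", "").lower() == "true"
    if parsed[1] != want_sub:
        problems.append("includeSubDomains differs from hsts.Include.SubDomains")
    return problems
```

An empty list from `check` means the response carries the policy the file asks for; a mismatch after editing the file usually means the BOE.war redeployment has not taken effect yet.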