System Administration - Securing the HTTP Server
NOTE: Before beginning the steps below, please ensure X-Frame-Options has been set up for the midtierjsp HTTP server. Further details can be found in System Administration - How to Set Up X-Frame-Options for CMiC.
This page lists the settings CMiC supports for securing the HTTP server. Be sure to back up the httpd.conf file in the instance folder before applying any changes. The httpd.conf file is usually located in:
d:\oracle\midtierjsp\user_projects\domains\ohs\config\fmwconfig\components\OHS\instances\ohs1\
The settings are based on https://docs.oracle.com/en/middleware/fusion-middleware/web-tier/12.2.1.4/secure-ohs/introduction-oracle-http-server-security.html.
HSTS - HTTP Strict Transport Security Header
There are two scenarios:
- The load balancer is implemented in front of the Oracle HTTP Server to offload SSL. Most customers run in this mode.
  Back up the main httpd.conf file (usually located in d:\oracle\midtierjsp\user_projects\domains\ohs\config\fmwconfig\components\OHS\instances\ohs1\) and add the following line at the bottom:
  Header always set Strict-Transport-Security "max-age=63072000; preload; includeSubDomains"
- SSL is implemented directly by the Oracle HTTP Server.
  Back up the main ssl.conf file (usually located in d:\oracle\midtierjsp\user_projects\domains\ohs\config\fmwconfig\components\OHS\instances\ohs1\) and add the following line into the Virtual Server definition, right after the SSLEngine on directive:
  Header always set Strict-Transport-Security "max-age=63072000; preload; includeSubDomains"
Make sure it is added on a new line. See below for an example.
NOTE: Do not copy the example below to clients, as it contains the Virtual Server name and port. It only demonstrates where to place the directive mentioned above.
<VirtualHost test2v12.cmic.ca:4443>
<IfModule ossl_module>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
Header always set Strict-Transport-Security "max-age=63072000; preload; includeSubDomains"
Restart the Oracle HTTP Server for the change to take effect.
X-Frame-Options
X-Frame-Options is set automatically by patch 18-2. This section is for clients who would like to set it up before installing patch 18-2.
The following line should be added into httpd.conf:
Header always set X-Frame-Options SAMEORIGIN
This setting can be done in two ways.
- Manually back up the httpd.conf file and add the line to the file:
  - Back up the httpd.conf file in the instance folder.
  - Add the following line at the end of the httpd.conf file:
    Header always set X-Frame-Options SAMEORIGIN
  - Restart the HTTP server.
  - Test the application.
- Using the perl script ac_ohs_xframeoptions_update.pl, which is executed automatically by patch 18-2. It was created as part of issue 23.68242, work item 2:
  - Install issue 23.68242, work item 2 (ask shipping to package it).
  - Shut down the ohs1 server from the midtierjsp instance.
  - Execute ac_ohs_xframeoptions_update.pl:
    cmd>perl D:\cm\V12\<ENV>\sql\ac_ohs_xframeoptions_update.pl <ENV> D:\cm none D:\oracle\midtierjsp ac_ohs_xframeoptions_update.log v12 v12-001
  - Start the ohs1 server from the midtierjsp instance.
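As an added check that is not part of this page or of the ac_ohs_xframeoptions_update.pl script, the following Python audits the text of an httpd.conf or ssl.conf for both settings described above: the Strict-Transport-Security directive either placed globally (load balancer offloads SSL) or inside the SSL Virtual Server (OHS terminates SSL itself), and the X-Frame-Options directive in httpd.conf. The host name in the sample fragment is constructed and does not belong to any real instance.

```python
import re

HSTS_VALUE = "max-age=63072000; preload; includeSubDomains"  # value the article instructs
XFO_VALUE = "SAMEORIGIN"                                     # value the article instructs

HEADER_RE = re.compile(r'^\s*Header\s+always\s+set\s+(\S+)\s+"?([^"]*)"?\s*$', re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I)

# Constructed ssl.conf fragment (hypothetical host name, not a real CMiC instance).
SAMPLE_SSL_CONF = """\
Header always set X-Frame-Options SAMEORIGIN
<VirtualHost ohs.example.invalid:4443>
  SSLEngine on
  Header always set Strict-Transport-Security "max-age=63072000; preload; includeSubDomains"
</VirtualHost>
"""

def audit_ohs_config(conf_text: str) -> dict:
    """Record security headers set globally and inside each <VirtualHost>."""
    result = {"global": {}, "vhosts": {}}
    current = None                              # name of the enclosing VirtualHost, if any
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]            # ignore comments
        if m := VHOST_OPEN.match(line):
            current = m.group(1).strip()
            result["vhosts"][current] = {"ssl": False, "headers": {}}
        elif VHOST_CLOSE.match(line):
            current = None
        elif current and SSL_ON.match(line):
            result["vhosts"][current]["ssl"] = True
        elif m := HEADER_RE.match(line):
            target = result["global"] if current is None else result["vhosts"][current]["headers"]
            target[m.group(1).lower()] = m.group(2).strip()
    return result

def check_headers(audit: dict) -> list:
    """List the gaps a reviewer would flag against the article's two scenarios."""
    problems = []
    global_hsts = audit["global"].get("strict-transport-security")
    ssl_vhosts = {n: v for n, v in audit["vhosts"].items() if v["ssl"]}
    if not ssl_vhosts and global_hsts != HSTS_VALUE:   # scenario 1: load balancer offloads SSL
        problems.append("httpd.conf: Strict-Transport-Security missing or unexpected")
    for name, vh in ssl_vhosts.items():                # scenario 2: OHS terminates SSL itself
        if vh["headers"].get("strict-transport-security", global_hsts) != HSTS_VALUE:
            problems.append(f"{name}: Strict-Transport-Security missing or unexpected")
    if audit["global"].get("x-frame-options") != XFO_VALUE:
        problems.append("httpd.conf: X-Frame-Options SAMEORIGIN not set")
    return problems
```

Run it against the backed-up file contents after editing and before restarting the server; an empty list from check_headers means both directives are present with the values this page specifies.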