Enabling and disabling web service HSTS

Enabling HTTP Strict Transport Security (HSTS, RFC 6797) causes Ivanti Standalone Sentry to send the Strict-Transport-Security response header to web browsers that talk to its web services, which instructs those browsers to connect to the Standalone Sentry FQDN only over HTTPS. By default, HSTS is Enabled.

Restart the Tomcat service after enabling or disabling HSTS for the change to take effect.

Before enabling HSTS, ensure the following:

Ivanti Standalone Sentry uses a certificate that chains to a root or intermediate certificate from a publicly trusted CA.

You have policies and processes to ensure that the certificate is current. Once a browser has recorded the HSTS policy, it treats any certificate error for the Standalone Sentry FQDN as fatal and offers no click-through (RFC 6797, section 8.4), so an expired or untrusted certificate locks users out until the policy expires.

Port 443 is open.

Run the following commands from the Standalone Sentry CLI:

  • To enable HSTS, use the following CLI command in CONFIG mode:

    • sentry hsts enable

  • To disable HSTS, use the following CLI command in CONFIG mode:

    • no sentry hsts

  • To show the current HSTS setting, use the following CLI command in CONFIG mode:

    • do show sentry hsts

  • To view the current status of HSTS, use the following CLI command in EXEC mode:

    • show sentry hsts

After disabling HSTS, also remove the Standalone Sentry FQDN from your browser's stored HSTS state. This state is separate from the page cache and persists until the policy's max-age expires. Otherwise, the browser continues to rewrite every request for the Standalone Sentry FQDN to HTTPS and you will not be able to reach the site over plain HTTP.

Examples

  • Enabling HSTS

    [email protected]/config# sentry hsts enable
    Are you sure you want to enable Sentry Strict-Transport-Security (HSTS rfc6797)? {yes|[no]} : yes
    Please restart tomcat service for changes to take effect.
    [email protected]/config#

  • Disabling HSTS

    [email protected]/config# no sentry hsts
    Disabling Strict-Transport-Security (HSTS rfc6797) for Sentry.
    Please restart tomcat service for changes to take effect.
    [email protected]/config#
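The `show sentry hsts` output only reports the configured setting; after the Tomcat restart you also want to confirm from a client that the header is actually being served, and that it is one a browser will honour. The following script is an added example and is not part of the Ivanti documentation or product. It parses a raw HTTP response the way a conforming user agent does (RFC 6797 sections 6.1 and 8.1) and reports whether the policy is enabled, absent, invalid, or being withdrawn. The sample responses are constructed; to check a live Standalone Sentry, feed it the output of `curl -sI https://<sentry-fqdn>/` (hostname assumed) instead.

```python
"""Client-side check of the Strict-Transport-Security header (RFC 6797).

Added example, not Ivanti's code. The responses below are constructed
for illustration and were not captured from a real Standalone Sentry.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses (not captured from a real Sentry).
RESPONSE_HSTS_ON = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html
"""

RESPONSE_HSTS_OFF = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html
"""


@dataclass
class HstsPolicy:
    max_age: int               # seconds the browser will pin the host to HTTPS
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value.

    Returns None when a conforming browser would ignore the header
    (RFC 6797 section 6.1): max-age is required, directive names are
    case-insensitive, and a repeated directive invalidates the header.
    """
    seen = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:            # the ABNF permits empty directives (";;")
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen[name] = val.strip().strip('"')   # value may be a quoted-string
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None
    return HstsPolicy(
        max_age=int(seen["max-age"]),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def find_sts_header(raw_response: str) -> Optional[str]:
    """Return the value of the first STS header field in a raw response.

    Only the first such field counts (RFC 6797 section 8.1); header names
    are matched case-insensitively.
    """
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                 # end of the header block
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return val
    return None


def hsts_from_response(raw_response: str) -> Optional[HstsPolicy]:
    """The policy a browser would record from this response, if any."""
    value = find_sts_header(raw_response)
    return None if value is None else parse_hsts(value)


def hsts_status(raw_response: str) -> str:
    """One-word verdict for a post-restart check.

    'enabled'  : a valid policy with a positive max-age is served
    'disabled' : no STS header at all
    'invalid'  : a header is present but browsers would ignore it
    'expiring' : max-age=0, which tells browsers to forget the host
    """
    value = find_sts_header(raw_response)
    if value is None:
        return "disabled"
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"
    return "expiring" if policy.max_age == 0 else "enabled"


if __name__ == "__main__":
    for label, resp in (("on", RESPONSE_HSTS_ON), ("off", RESPONSE_HSTS_OFF)):
        print(label, hsts_status(resp), hsts_from_response(resp))
```

The "expiring" case is worth knowing about: RFC 6797 section 6.1.1 defines max-age=0 as the signal that tells browsers to drop their stored policy for the host. The CLI commands on this page give no way to make Standalone Sentry send such a header before HSTS is turned off, which is why the documentation has you clear the FQDN from the browser side instead.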

For more information on HSTS, see https://tools.ietf.org/html/rfc6797.