Configuring HTTP Public Key Pinning (HPKP) for the Web Console

You can configure your Web Console to use HTTP Public Key Pinning (HPKP). HPKP is a method used to prevent man-in-the-middle (MITM) attacks. The first time a user accesses the Web Console using a supported browser, a pin is passed to the browser in the Public-Key-Pins HTTP header. This pin is used to validate the public key in your certificate signed by a Certificate Authority (CA). If the public key changes, the pin validation fails and users are prevented from accessing your website.

Note

Before enabling HPKP on your Web Console, you must understand HPKP and how to create pins so that you do not unintentionally prevent users from accessing your website. Configure HPKP on a test website before enabling it on a production website.

Before You Begin

Configure the Web Console to use HTTPS. You must use a CA-signed certificate with HPKP. For instructions on configuring HTTPS, see Configuring Secured Access.

Procedure

  1. On the Web Console computer, add the additional settings shown in the following table.

    For instructions on adding an additional setting from the CommCell Console, see Add or Modify an Additional Setting.

    Additional Setting: enablePublicKeyPinning
      Category: WebConsole
      Type: STRING
      Value: True, to enable HPKP on the Web Console

    Additional Setting: hpkpIncludeSubDomains
      Category: WebConsole
      Type: STRING
      Value: True, to include sub-domains

    Additional Setting: hpkpPins
      Category: WebConsole
      Type: STRING
      Value: Enter the pin used to validate your public key. Prefix the pin with pin-sha256= and surround it with quotation marks. If you have multiple pins, use a semi-colon (;) to separate each pin.
      Example: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";

    Additional Setting: hpkpMaxAge
      Category: WebConsole
      Type: STRING
      Value: Enter the maximum number of seconds that the pin is active.

    Additional Setting: enableReportOnlyHpkp
      Category: WebConsole
      Type: STRING
      Value: This additional setting is optional. True, to report on pin validation failures instead of preventing users from accessing your website. Enter the URI in the hpkpReportUri additional setting.

    Additional Setting: hpkpReportUri
      Category: WebConsole
      Type: STRING
      Value: Before you set the hpkpReportUri additional setting, set the enableReportOnlyHpkp additional setting to true to enable reporting. Enter the URI where pin validation failures will be reported.

  2. Restart the Tomcat service on the Web Console computer.

    For instructions on restarting the Tomcat service, see Restarting a Service.

Result

The Public-Key-Pins HTTP header is built by the Commvault software using the values you entered in the additional settings.
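The following is an added example (not Commvault's own code) that shows how the additional settings above map onto the Public-Key-Pins header, including the report-only variant, and how a pin-sha256 value is derived from a certificate's SubjectPublicKeyInfo. The SETTINGS values are constructed samples (the pins are the page's example pins, the report URI is a placeholder), and the checks for well-formed pins and a backup pin follow RFC 7469.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample settings mirroring the table above (pins are the page's
# example values, not pins for any real key; report URI is a placeholder).
SETTINGS = {
    "enablePublicKeyPinning": "True",
    "hpkpIncludeSubDomains": "True",
    "hpkpPins": 'pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; '
                'pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";',
    "hpkpMaxAge": "5184000",
    "enableReportOnlyHpkp": "False",
    "hpkpReportUri": "https://hpkp-reports.example.test/report",
}

def pin_from_spki(spki_der: bytes) -> str:
    """A pin-sha256 value is base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pins(value: str) -> List[str]:
    """Split hpkpPins on ';' and check each directive carries a 32-byte digest."""
    pins = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate the trailing semicolon in the page's example
        if not (item.startswith('pin-sha256="') and item.endswith('"')):
            raise ValueError(f"malformed pin directive: {item}")
        digest = base64.b64decode(item[len('pin-sha256="'):-1], validate=True)
        if len(digest) != 32:
            raise ValueError(f"pin is not a SHA-256 digest: {item}")
        pins.append(item)
    return pins

def build_hpkp_header(settings: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (header name, header value), or None when pinning is disabled."""
    if settings.get("enablePublicKeyPinning", "").lower() != "true":
        return None
    pins = parse_pins(settings.get("hpkpPins", ""))
    if len(pins) < 2:
        # RFC 7469 requires a backup pin so a planned key rotation cannot lock users out
        raise ValueError("HPKP needs at least two pins (current key plus a backup)")
    directives = pins + [f"max-age={int(settings['hpkpMaxAge'])}"]
    if settings.get("hpkpIncludeSubDomains", "").lower() == "true":
        directives.append("includeSubDomains")
    report_only = settings.get("enableReportOnlyHpkp", "").lower() == "true"
    if report_only and settings.get("hpkpReportUri"):
        directives.append(f'report-uri="{settings["hpkpReportUri"]}"')
    name = "Public-Key-Pins-Report-Only" if report_only else "Public-Key-Pins"
    return name, "; ".join(directives)
```

Running build_hpkp_header on a copy of SETTINGS with enableReportOnlyHpkp set to "True" yields the Public-Key-Pins-Report-Only header, which is the safe way to trial the pins on a test website before enforcing them.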
