You can configure the Web Console to use HTTP Public Key Pinning (HPKP), a method of preventing man-in-the-middle (MITM) attacks. The first time a user accesses the Web Console with a supported browser, a pin is sent to the browser in the Public-Key-Pins HTTP header. The browser uses this pin to validate the public key in your certificate, which must be signed by a Certificate Authority (CA). If the public key changes, pin validation fails and users are prevented from accessing your website.
Note
Before enabling HPKP on your Web Console, you must understand HPKP and how to create pins so that you do not unintentionally prevent users from accessing your website. Configure HPKP on a test website before enabling it on a production website.
Before You Begin
Configure the Web Console to use HTTPS. You must use a CA-signed certificate with HPKP. For instructions on configuring HTTPS, see Configuring Secured Access.
Procedure
- On the Web Console computer, add the additional settings shown in the following table.
For instructions on adding an additional setting from the CommCell Console, see Add or Modify an Additional Setting.
| Additional Setting | Category | Type | Value |
|---|---|---|---|
| | WebConsole | STRING | True, to enable HPKP on the Web Console |
| | WebConsole | STRING | True, to include sub-domains |
| | WebConsole | STRING | Enter the pin used to validate your public key. Prefix the pin with pin-sha256= and surround it with quotation marks. If you have multiple pins, separate them with a semicolon (;). Example: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; |
| | WebConsole | STRING | Enter the maximum number of seconds that the pin is active. |
| enableReportOnlyHpkp | WebConsole | STRING | This additional setting is optional. True, to report pin validation failures instead of preventing users from accessing your website. Enter the report URI in the hpkpReportUri additional setting. |
| hpkpReportUri | WebConsole | STRING | Before you set the hpkpReportUri additional setting, set the enableReportOnlyHpkp additional setting to true to enable reporting. Enter the URI where pin validation failures will be reported. |
- Restart the Tomcat service on the Web Console computer.
For instructions on restarting the Tomcat service, see Restarting a Service.
Result
The Public-Key-Pins HTTP header is built by the Commvault software using the values you entered in the additional settings.
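As an added example (not Commvault's own code), this Python script shows how the Public-Key-Pins header is assembled from the values in the table, and how a pin-sha256 value is derived from a certificate's DER-encoded SubjectPublicKeyInfo. The two-pin minimum, the report-uri directive and the Public-Key-Pins-Report-Only header name are taken from RFC 7469; that the Web Console applies exactly the same rules is an assumption.

```python
import base64
import binascii
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin for a DER SubjectPublicKeyInfo: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pin_setting(value: str) -> list:
    """Parse the pin setting: pin-sha256="..." entries separated by ';'."""
    pins = PIN_RE.findall(value)
    for pin in pins:
        try:
            digest = base64.b64decode(pin, validate=True)
        except binascii.Error:
            raise ValueError("pin is not valid base64: " + pin)
        if len(digest) != 32:  # a SHA-256 digest is always 32 bytes
            raise ValueError("pin is not a SHA-256 digest: " + pin)
    return pins


def build_hpkp_header(pins, max_age, include_subdomains=False,
                      report_only=False, report_uri=None):
    """(header name, header value) from the settings. RFC 7469 requires at least
    two pins (one a backup key not in the served chain) and names the
    report-only header Public-Key-Pins-Report-Only."""
    max_age = int(max_age)  # the additional setting is stored as a STRING
    if len(pins) < 2:
        raise ValueError("HPKP needs a current pin and a backup pin")
    if max_age <= 0:
        raise ValueError("max-age must be a positive number of seconds")
    if report_only and not report_uri:
        raise ValueError("report-only mode needs a report URI")
    directives = ['pin-sha256="%s"' % p for p in pins]
    directives.append("max-age=%d" % max_age)
    if include_subdomains:
        directives.append("includeSubDomains")
    if report_uri:
        directives.append('report-uri="%s"' % report_uri)
    name = "Public-Key-Pins-Report-Only" if report_only else "Public-Key-Pins"
    return name, "; ".join(directives)


# Constructed sample in the setting's format; the pins are the table's example values.
SAMPLE_PIN_SETTING = ('pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; '
                      'pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";')
```

To obtain the SPKI for `spki_pin`, export the public key from your certificate (for example with `openssl x509 -in cert.pem -pubkey -noout`) and base64-decode the PEM body. Chrome and Firefox removed HPKP enforcement in their version 72 releases, so verify the header against the browsers your users actually run.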