Environment
NetIQ Access Manager 4.3
NetIQ Access Manager Appliance
NetIQ Access Gateway Appliance
Situation
In Access Manager 4.3, HSTS has been enabled by default for all components.
To disable HTTP Strict Transport Security on the Access Gateway, the following steps are listed in the NAM 4.3 security-guide:
12.3.4 Removing HTTP Strict Transport Security
- Open httpd.conf.
  Linux: /etc/opt/novell/apache2/conf
  Windows: C:\Program Files\Novell\apache\conf
- Disable the mod_headers library by commenting the following line:
  Linux: LoadModule headers_module libexec/mod_headers.so
  Windows: LoadModule headers_module modules/mod_headers.so
- Comment out the "header set" directive to disable the HSTS header at the bottom of the file:
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
On checking, the settings mentioned above are not present in /etc/opt/novell/apache2/conf/httpd.conf.
Instead, they appear in /etc/opt/novell/apache2/conf/NovellAgSettings.conf.
Manual changes to NovellAgSettings.conf are overwritten when the Access Manager server components are restarted or a new configuration is applied.
Resolution
As a workaround, we made the following changes to disable the option:
Modify the /etc/opt/novell/apache2/conf/httpd.conf file and uncomment the following entry to enable the mod_headers module:
LoadModule headers_module libexec/mod_headers.so
Add the below entry as the last line in the httpd.conf file:
Header always unset Strict-Transport-Security
Restart Apache:
/etc/init.d/novell-apache2 restart
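To confirm the workaround after the restart, the following added example (not part of the original article or vendor tooling) checks httpd.conf for the two edits above and tests a set of response headers for HSTS. The function names and the host ag.example.com are placeholders, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not vendor code: checks the httpd.conf workaround described above.
UNSET_RE='^[[:space:]]*Header[[:space:]]+always[[:space:]]+unset[[:space:]]+Strict-Transport-Security[[:space:]]*$'

# Prints one of: applied | module-not-loaded | unset-missing | unset-not-last
hsts_workaround_state() {
    conf=$1
    # The Header directive is only valid when mod_headers is loaded (uncommented).
    if ! grep -Eq '^[[:space:]]*LoadModule[[:space:]]+headers_module[[:space:]]' "$conf"; then
        echo module-not-loaded; return 1
    fi
    if ! grep -Eiq "$UNSET_RE" "$conf"; then
        echo unset-missing; return 1
    fi
    # The article places the unset directive on the last line, so it must be
    # the last line that is neither blank nor a comment.
    last=$(grep -Ev '^[[:space:]]*(#|$)' "$conf" | tail -n 1)
    if ! printf '%s\n' "$last" | grep -Eiq "$UNSET_RE"; then
        echo unset-not-last; return 1
    fi
    echo applied
}

# Reads HTTP response headers on stdin; returns 0 if HSTS is still being sent.
# Example: curl -skI https://ag.example.com/ | hsts_header_present
hsts_header_present() {
    tr -d '\r' | grep -Eiq '^Strict-Transport-Security[[:space:]]*:'
}

# Constructed sample (not a real NAM httpd.conf): the module is still commented out.
sample=$(mktemp)
printf '%s\n' '#LoadModule headers_module libexec/mod_headers.so' \
    'Header always unset Strict-Transport-Security' > "$sample"
echo "sample state: $(hsts_workaround_state "$sample")"
rm -f "$sample"
```

Run hsts_workaround_state against /etc/opt/novell/apache2/conf/httpd.conf on the Access Gateway, and run the header check again after a new configuration is applied.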