Cluster cookies on both Identity servers and embedded service provider servers do not have any secure or HTTPOnly flags set

  • 7008934
  • 04-Jul-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Access Gateway Service
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Access Manager 3.1 Support Pack 3 applied

Situation

In an Access Manager environment with multiple Identity (IDP) servers and Linux Access Gateway (LAG) servers, cluster cookies (UrnNovellNidpClusterMemberId) are set automatically the first time a browser hits the IDP or embedded Service Provider (ESP) service. Unlike the session cookies (JSESSIONID) set by these services, which can be configured with the Secure and HTTPOnly flags, the cluster cookies have no such option. The cookie typically looks as follows:

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: UrnNovellNidpClusterMemberId=~03~01~7Ccg~01~16~15miv~05~0C;
Path=/nesp (or /nidp on the IDP server)
Set-Cookie: urn:novell:nidp:cluster:member:id=~03~01~7Ccg~01~16~15miv~05~0C;
Path=/nesp (or /nidp on the IDP server)

There should be Secure/HTTPOnly options available for the cluster cookie.

Resolution

Apply Access Manager 3.1 Support Pack 3 Interim Release 2 and set the following context parameters in web.xml (/opt/novell/nids/lib/webapp/WEB-INF/web.xml on the IDP server and /opt/novell/nesp/lib/webapp/WEB-INF/web.xml on the LAG) to enable the Secure and HTTPOnly cookie flags:

        <context-param>
                <param-name>secureClusterCookie</param-name>
                <param-value>true</param-value>
        </context-param>
        <context-param>
                <param-name>httponlyClusterCookie</param-name>
                <param-value>true</param-value>
        </context-param>

Note that with these settings both the Secure and HTTPOnly flags are set for all IDP cluster nodes, but only the HTTPOnly flag is set for ESP cluster nodes. This is because the LAG-to-ESP communication takes place over HTTP on the loopback interface.
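To verify the fix from a captured response, the following added example (not part of the TID or of the Access Manager product) parses the Set-Cookie headers, picks out the two cluster cookie names shown above and reports which expected flags are missing, applying the IDP/ESP difference described in the note. The sample responses are constructed for illustration, not captured traffic.

```python
# Both cluster cookie names set by the IDP/ESP, as shown in the TID.
CLUSTER_COOKIE_NAMES = {"UrnNovellNidpClusterMemberId",
                        "urn:novell:nidp:cluster:member:id"}

# Flags expected once the web.xml parameters are enabled: /nidp gets both,
# /nesp only HttpOnly because LAG-to-ESP traffic is plain HTTP on loopback.
EXPECTED_FLAGS = {"/nidp": {"secure", "httponly"}, "/nesp": {"httponly"}}


def parse_set_cookies(raw_response):
    """Return [(name, path, flags)] for every Set-Cookie header in a raw response."""
    cookies = []
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        attrs = [a.strip() for a in line.split(":", 1)[1].split(";")]
        name = attrs[0].split("=", 1)[0]          # the name itself may contain ':'
        path, flags = "/", set()
        for attr in attrs[1:]:
            key, _, value = attr.partition("=")
            key = key.strip().lower()
            if key == "path":
                path = value.strip()
            elif key in ("secure", "httponly"):
                flags.add(key)
        cookies.append((name, path, flags))
    return cookies


def audit_cluster_cookies(raw_response):
    """Map each cluster cookie (name, path) to the sorted list of flags it lacks."""
    findings = {}
    for name, path, flags in parse_set_cookies(raw_response):
        if name in CLUSTER_COOKIE_NAMES:
            expected = EXPECTED_FLAGS.get(path, {"secure", "httponly"})
            findings[(name, path)] = sorted(expected - flags)
    return findings


# Constructed samples (not captured traffic): an unpatched IDP response, the same
# IDP with secureClusterCookie/httponlyClusterCookie enabled, and an ESP response.
IDP_BEFORE = ("HTTP/1.1 302 Moved Temporarily\r\nServer: Apache-Coyote/1.1\r\n"
              "Set-Cookie: UrnNovellNidpClusterMemberId=~03~01~7Ccg; Path=/nidp\r\n"
              "Set-Cookie: urn:novell:nidp:cluster:member:id=~03~01~7Ccg; Path=/nidp\r\n")
IDP_AFTER = IDP_BEFORE.replace("Path=/nidp", "Path=/nidp; Secure; HttpOnly")
ESP_AFTER = ("HTTP/1.1 302 Moved Temporarily\r\n"
             "Set-Cookie: UrnNovellNidpClusterMemberId=~03~01~7Ccg; Path=/nesp; HttpOnly\r\n")

if __name__ == "__main__":
    for label, resp in (("IDP before", IDP_BEFORE), ("IDP after", IDP_AFTER), ("ESP", ESP_AFTER)):
        print(label, audit_cluster_cookies(resp))   # empty lists mean nothing is missing
```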