Environment
NetIQ Access Manager 4.3
Situation
After upgrading from NAM 4.2 to 4.3, the JSESSIONID cookies set by the IDP and AG are visible in the browser as they were in 4.2, i.e. the JSESSIONID cookie value is a 32-character hexadecimal string (128 bits) and looks like this:
40994C1B3FD59E4232C2C8A0E58292C3
However, when scanning the server-side logs in debug mode there is no reference to this JSESSIONID value. Instead the logs report a session ID that shows up as a 64-character hexadecimal value (256 bits) and looks like this:
6a961a30433d9141118c9ee6a89bb9985212ca001868166f0bd8c2c28fb42038
How can I match the client and server side session IDs together as I could with NAM 4.2?
Resolution
Make the change described in https://www.netiq.com/documentation/access-manager-43/admin/data/bix0cd7.html#masked-cookies, e.g. uncomment the following section in /opt/novell/nids/lib/webapp/WEB-INF/web.xml on the IDP server (web.xml is read at startup, so restart the IDP afterwards):

    <filter>
        <filter-name>DebugFilter</filter-name>
        <description>
            Filter to set the masked cookies in http response for debugging purpose.
        </description>
        <filter-class>com.novell.nidp.servlets.filters.debug.MaskedCookiesSetter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>DebugFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

As its own description says, this filter exists for debugging only: comment it out again once troubleshooting is finished.
Cause
The change is deliberate and was made to improve security in NAM 4.3. The server-side logs now record the SHA-256 hash of the JSESSIONID cookie rather than the cookie value itself, so someone with access to the server logs cannot lift a session ID from them and hijack the client session. This is also why the two values differ in length: the cookie is 32 hexadecimal characters (128 bits), while the logged value is a 64-hexadecimal-character (256-bit) digest. If you need to convert a client-side JSESSIONID to its server-side equivalent without making the changes from the docs above, hash the cookie value with SHA-256 exactly as the browser sent it (same letter case, no trailing newline or whitespace) and compare the lowercase hex digest with the logs. Do this locally, e.g. printf '%s' "$COOKIE" | sha256sum, rather than pasting a live session cookie into an online generator such as http://passwordsgenerator.net/sha256-hash-generator/: the cookie is the session credential, and sending it to a third-party site defeats the purpose of masking it in the logs.