IDP and ESP session cookie values not found in server side IDP/ESP logs after upgrade to NAM 4.3

  • 7018697
  • 09-Mar-2017
  • 09-Mar-2017


NetIQ Access Manager 4.3


After upgrading from NAM 4.2 to 4.3, the JSESSIONID cookies set by the IDP and AG are visible in the browser as they were in 4.2, i.e. the JSESSIONID cookie value is 32 bit and looks like this:


However, when scanning the server-side logs in debug mode, there is no reference to this JSESSIONID value. Instead, the logs do report a session ID, but it shows up as a 64-bit value and looks like this:


How can I match the client and server side session IDs together as I could with NAM 4.2?


Make the changes as described in e.g. uncomment the following section in /opt/novell/nids/lib/webapp/WEB-INF/web.xml to make the change on the IDP server:

      <description> Filter to set the masked cookies in http response for debugging purpose.</description>


The purpose of the change was to improve security with NAM 4.3. The server side logs the SHA-256 hash of the JSESSIONID cookie, which prevents anyone with access to the server-side logs from trying to hijack the client session. If you need to convert the client-side JSESSIONID to the server-side equivalent without making the changes from the docs above, simply run it through a SHA256 generator such as
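As an added example (not part of the original article and not NetIQ code), the conversion can also be done locally, so a live session cookie never has to be pasted into an external site. It assumes the log records the hex SHA-256 digest of the cookie value exactly as the browser sends it; the function names, cookie value and log lines are constructed for illustration.

```python
import hashlib
import re

def server_side_id(jsessionid):
    """Return the SHA-256 hex digest of a client-side JSESSIONID value."""
    # Assumption: the server hashes the cookie value's bytes exactly as sent.
    return hashlib.sha256(jsessionid.strip().encode("utf-8")).hexdigest()

def jsessionids_from_cookie_header(header):
    """Extract every JSESSIONID value from a raw Cookie request header."""
    return re.findall(r"(?:^|;\s*)JSESSIONID=([^;\s]+)", header)

def find_session_lines(jsessionid, log_lines):
    """Return the log lines that mention the hashed form of this session."""
    digest = server_side_id(jsessionid)
    # Compare case-insensitively: logs may print the digest in upper case.
    return [line for line in log_lines if digest in line.lower()]

# Constructed sample data (not real NAM output or a real session).
SAMPLE_ID = "0123456789ABCDEF0123456789ABCDEF"
SAMPLE_COOKIE = "lang=en; JSESSIONID=" + SAMPLE_ID + "; theme=dark"
_digest = server_side_id(SAMPLE_ID)
SAMPLE_LOG = [
    "2017-03-09T10:00:01Z DEBUG session=" + _digest.upper() + " login ok",
    "2017-03-09T10:00:02Z DEBUG session=" + "0" * 64 + " login ok",
    "2017-03-09T10:00:05Z DEBUG session=" + _digest + " policy evaluated",
]

if __name__ == "__main__":
    for value in jsessionids_from_cookie_header(SAMPLE_COOKIE):
        print("client JSESSIONID:", value)
        print("server-side ID   :", server_side_id(value))
        for line in find_session_lines(value, SAMPLE_LOG):
            print("  match:", line)
```
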