Access Manager 4.4.3 upgrade process breaks IDP Tomcat x509 Dual Connector configuration

  • 7023624
  • 10-Jan-2019
  • 30-Jan-2019


  • Access Manager 4.4.3
  • Access Manager 4.4.3 IDP server


  • IDP server has been configured to run x509 mutual authentication using the Dual Connector setup with tomcat
  • After running the NAM 4.4.3 update process the user gets prompted for the certificate but gets presneted with the login page again.
  • catalina.out reports the Contract Execution succeeded but authentication fails


  • this issue has been addressed to engineering for future releases

  • in case you have no backup of the existing context.xml file please review the configuration steps from the admin guide section: "Configuring X.509 Authentication to Provide Access Manager Error Message"
7. Navigate to the /opt/novell/nids/lib/webapp/META-INF/ directory and open the context.xml file.
8. Change Tomcat context.xml to set a same cookie for sub-domains.
    Ensure that the path is set to "/" as follows:

<?xml version="1.0" encoding="UTF-8"?>
    <Context sessionCookiePath="/" sessionCookieDomain="">
        <!-- Disable session persistence across Tomcat restarts -->
        <Manager pathname="" saveOnRestart="false"/>

Applicable for Access Manager 4.4 Service Pack 3 and later versions) Uncomment the following in the context.xml file:
<CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />


The "/opt/novell/nids/lib/webapp/META-INF/context.xml" IDP content configuration file will be overwritten with the default configuration file during the NAM 4.4 SP3 upgrade process. The RPM installing  the file is: "novell-nidp-server-". The RPM does not verify the content.xml file nor creates any backup