Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

Configuring CDSSO and Cookie Hijacking Prevention

The configuration instructions in this section use the following mapping based on Figure 16–5:

Table 16–2 Mapping Fig 16–5 to Server Names

Figure Label                  Server Name Example
Load Balancer 1               lb1_server.hostname
Load Balancer 2               lb2_server.hostname
OpenSSO Enterprise Server 1   server1.hostname
OpenSSO Enterprise Server 2   server2.hostname

Procedure: To Enable CDSSO and Cookie Hijacking Prevention in the Java EE Policy Agent

  1. Enable CDSSO for the Centralized Mode policy agent profile.

    1. Log in to the OpenSSO Enterprise server as an administrator.

    2. In the OpenSSO Enterprise administration console, go to Realm > Agents > J2EE Agents > Agent_Name > SSO.

    3. Enable the property Cross Domain SSO.

    4. Set the value for the CDSSO Redirect URI.

      Example: /agentapp/sunwCDSSORedirectURI

    5. Set the value for the CDSSO Servlet URL.

      Example:

      lb2_server_protocol://lb2_server.hostname:lb2_server.port/server-deployment-uri/cdcservlet

    6. Set the CDSSO Clock Skew to 0.

    7. Add the CDSSO Trusted ID Provider.

      Example:

      server1_protocol://server1.hostname:server1.port/server1-deployment-uri/cdcservlet
      server2_protocol://server2.hostname:server2.port/server2-deployment-uri/cdcservlet

  2. Enable CDSSO for the Local Mode policy agent profile:

    Edit OpenSSOAgentConfiguration.properties and set the CDSSO-related parameters. Example (each property on one line; replace the bracketed placeholders with your values):

    com.sun.identity.agents.config.cdsso.enable = true
    com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
    com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = <lb2_server_protocol>://<lb2_server.hostname>:<lb2_server.port>/<server-deployment-uri>/cdcservlet
    com.sun.identity.agents.config.cdsso.clock.skew = 0
    com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = <server1_protocol>://<server1.hostname>:<server1.port>/<server1-deployment-uri>/cdcservlet
    com.sun.identity.agents.config.cdsso.trusted.id.provider[1] = <server2_protocol>://<server2.hostname>:<server2.port>/<server2-deployment-uri>/cdcservlet

  3. Enable Cookie Hijacking Prevention in the OpenSSO Enterprise server.

    1. Log in to the OpenSSO Enterprise server as an administrator.

    2. In the OpenSSO Enterprise administration console, go to Configuration > Sites and Server > Default Server Settings > Advanced and set the following properties:

      com.sun.identity.enableUniqueSSOTokenCookie=true
      com.sun.identity.authentication.uniqueCookieName=sunIdentityServerAuthNServer
      com.sun.identity.authentication.uniqueCookieDomain=<server domain>

    3. Go to Configuration > System > Platform.

      Remove the server domain and add the OpenSSO Enterprise server host name.

      Caution –

      If OpenSSO Enterprise is deployed behind a load balancer, then in step 3c, do not use the OpenSSO server host name. Instead, be sure to use the load balancer host name.


    4. Enable a unique SSO token cookie in the agent profile.

      Do one of the following:

      • For the Centralized Mode policy agent, go to Root Realm > Agents > J2EE Agents > Agent_Name > Advanced > Custom Properties, and add the following property: com.sun.identity.enableUniqueSSOTokenCookie=true.

      • For the Local Mode policy agent, in the OpenSSOAgentConfiguration.properties file, add the following property: com.sun.identity.enableUniqueSSOTokenCookie=true.

Procedure: To Enable CDSSO and Cookie Hijacking Prevention in the Web Policy Agent

  1. Enable CDSSO for the Centralized Mode policy agent profile.

    1. Log in to the OpenSSO Enterprise server as an administrator.

    2. In the OpenSSO Enterprise administration console, go to Realm > Agents > Web Agents > Agent_Name > SSO.

    3. Enable the property Cross Domain SSO.

    4. Set the value for the CDSSO Servlet URL.

      Example:

      lb2_server_protocol://lb2_server.hostname:lb2_server.port/server-deployment-uri/cdcservlet

  2. Enable CDSSO for the Local Mode policy agent profile:

    Edit OpenSSOAgentConfiguration.properties and set the CDSSO-related parameters. Example (each property on one line):

    com.sun.identity.agents.config.cdsso.enable = true
    com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = lb2_server_protocol://lb2_server.hostname:lb2_server.port/server-deployment-uri/cdcservlet

  3. Enable Cookie Hijacking Prevention in the OpenSSO Enterprise server.

    1. Log in to the OpenSSO Enterprise server as an administrator.

    2. In the OpenSSO Enterprise administration console, go to Configuration > Sites and Server > Default Server Settings > Advanced and set the following properties:

      com.sun.identity.enableUniqueSSOTokenCookie=true
      com.sun.identity.authentication.uniqueCookieName=sunIdentityServerAuthNServer
      com.sun.identity.authentication.uniqueCookieDomain=<server domain>
      
    3. Go to Configuration > System > Platform.

      Remove the server domain and add the server host name.

      Caution –

      If OpenSSO Enterprise is deployed behind a load balancer, then in step 3c, do not use the OpenSSO server host name. Instead, be sure to use the load balancer host name.
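As an added check that is not part of this guide or of the OpenSSO product, the following Python script parses a Local Mode OpenSSOAgentConfiguration.properties file and verifies the CDSSO settings from step 2 of both procedures above together with the com.sun.identity.enableUniqueSSOTokenCookie property from step 3. The sample file contents, hostnames and ports are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

PREFIX = "com.sun.identity.agents.config.cdsso."
UNIQUE_COOKIE = "com.sun.identity.enableUniqueSSOTokenCookie"
# Constructed sample in the layout the guide shows; hostnames are placeholders.
SAMPLE = """\
com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = \\
  https://lb2.example.com:443/opensso/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://server1.example.com:8443/opensso/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[1] = http://server2.example.com:8080/opensso/cdcservlet
com.sun.identity.enableUniqueSSOTokenCookie=true
"""

def parse_properties(text):
    """Minimal Java .properties reader: joins backslash-continued lines, skips comments."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        props[m.group(1)] = m.group(2).strip()
    return props

def check_cdsso(props):
    """Return findings as strings; an empty list means the file matches the guide."""
    findings = []
    if props.get(PREFIX + "enable", "").lower() != "true":
        findings.append("cdsso.enable is not true")
    if props.get(PREFIX + "clock.skew", "0") != "0":
        findings.append("cdsso.clock.skew should be 0")
    for k, v in props.items():
        if not k.startswith((PREFIX + "cdcservlet.url[", PREFIX + "trusted.id.provider[")):
            continue
        u = urlsplit(v)  # every CDSSO endpoint must be <protocol>://<host>:<port>/<deployment-uri>/cdcservlet
        if u.scheme not in ("http", "https") or not u.netloc or not u.path.endswith("/cdcservlet"):
            findings.append(f"{k}: expected <protocol>://<host>:<port>/<deployment-uri>/cdcservlet, got {v!r}")
        elif u.scheme != "https":
            findings.append(f"{k}: uses http, so the CDSSO token exchange is not protected in transit")
    if props.get(UNIQUE_COOKIE, "").lower() != "true":
        findings.append(UNIQUE_COOKIE + " is not true (cookie hijacking prevention is off)")
    return findings
```

Run check_cdsso(parse_properties(open(path).read())) against a real agent file; the constructed sample yields one finding, for the trusted ID provider configured over plain http.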