The following subsections explain some of the key or more complex aspects of the Access Manager solution to the cookie hijacking security issues defined in this document.
A key task presented in this document is the task of ensuring that each agent has its own agent profile. For Policy Agent 2.2, J2EE agents and web agents differ in regard to the agent profile. Each J2EE agent must have a unique agent profile to function. Web agents, on the other hand, have a default value for the agent profile that all web agent instances can share. Therefore, to configure web agents against session-cookie hijacking, you must perform additional configuration steps after a web agent is installed to ensure that each web agent has a unique agent profile.
Basically, all the configuration steps presented in this document rely on each agent having its own agent profile. As explained in Access Manager Solution: Shared Session Cookies, a situation where applications share session cookies presents a security issue. Access Manager addresses this potential security risk by issuing a unique SSO token to each agent. In order to issue a unique SSO token to each agent, each agent must have its own agent profile.
When Access Manager is configured to issue unique SSO tokens for each Application/Agent, the following cookies are involved:
Cookie Name |
Cookie Value (place holder) |
Example Cookie Domain Information |
---|---|---|
iPlanetDirectoryPro |
SSO-token |
amHost.example.com |
The value of this cookie, which is represented in the preceding table with the place holder SSO-token, is the actual value of the token. The domain is set to the host name of the Access Manager instance where the user was authenticated.
Cookie Name |
Cookie Value (place holder) |
Example Cookie Domain Information |
---|---|---|
iPlanetDirectoryPro |
restricted-SSO-token |
agentHost.example.com |
The value of this cookie, which is represented in the preceding table with the place holder restricted-SSO-token, is the actual value of the token. The domain is set to the host name of the agent instance for which the restricted token is issued.
Cookie Name |
Example Cookie Value |
Example Cookie Domain Information |
---|---|---|
sunIdentityServerAuthNServer |
https://amHost.example.com:8080 |
.example.com |
The value of this cookie, which is represented in the preceding table with the example URL https://amHost.example.com:8080, is the URL of the Access Manager instance where the user was authenticated. The protocol used for this particular example is HTTPS while the port number is a non-default example, 8080. The domain must be set such that it covers all the instances of Access Manager installed on the network.
To enable Access Manager to issue unique SSO tokens, you must enable CDSSO. Therefore, though CDSSO is usually enabled for multiple-domain deployments, in this case, CDSSO must be enabled whether the entire deployment is on a single domain or is spread across multiple domains. In no way does enabling CDSSO for a single domain negatively affect the deployment.
The next section describes the steps required to configure Access Manager to prevent session-cookie hijacking from causing a breach of security.