Technical Note: Precautions Against Cookie Hijacking in an Access Manager Deployment

Configuring the Access Manager Deployment Against Cookie Hijacking

At this point in the configuration, each agent has its own agent profile. However, Access Manager has not been configured yet to associate an SSO token to a specific agent profile. The steps in this section enable this type of association. Ultimately, the new configuration introduces “restricted tokens” into the Access Manager deployment, guarding against security issues as described in this document.

Procedure: To Configure the Access Manager Deployment Against Cookie Hijacking

This task description includes configuration information for agents in the Policy Agent 2.2 software set. Perform the task on every agent instance for which you want to enhance security. The best practice is to perform the task on all the agent instances in the Access Manager deployment. As part of the configuration of each agent instance, you must also make specific configurations directly to Access Manager. For this task, be prepared to access the Access Manager Administration Console, the agent AMAgent.properties configuration file, the Access Manager AMConfig.properties configuration file, and a browser that can access a protected web resource.

  1. Using the Access Manager Administration Console, access the agent profile configuration page.

    For the steps on navigating within the Access Manager Administration Console to the agent profile configuration page, see To Create an Agent Profile.

  2. Add the appropriate value to the field labeled Agent Key Value.

    Set the agent properties with a key/value pair as illustrated in the example that follows. This property is used by Access Manager to retrieve an agent profile from an agent repository for credential assertions about agents. Currently, only one property is valid. All other properties are ignored. Use the following format:

    agentRootURL=protocol://hostname:port/

    The preceding entry must be precise. Be aware that the string “agentRootURL” is case sensitive. Also, the slash following the port number is required.

    protocol

    Represents the protocol used, such as HTTP or HTTPS.

    hostname

    Represents the host name of the machine on which the agent resides. This machine also hosts the resources that the agent protects.

    port

    Represents the port number on which the agent is installed. The agent listens to incoming traffic on this port and, from the port, intercepts all requests to access resources on the host.

    The following is an example of how this property could be set:

    agentRootURL=https://agentHost.example.com:8080/

  3. Edit the appropriate (J2EE agent or web agent) AMAgent.properties configuration file as necessary.

    1. Set the property that enables CDSSO to true as illustrated:

      • For J2EE agents set the following property as indicated:

        com.sun.identity.agents.config.cdsso.enable = true

      • For web agents set the following property as indicated:

        com.sun.am.policy.agents.config.cdsso.enable = true

      The preceding property setting enables CDSSO, which is required for each agent instance since the agent will use functionality provided by the CDSSO feature.

    2. Set the property that stores the URL users are directed to after they log in successfully in a deployment enabled for CDSSO:

      • For J2EE agents set the corresponding property as suggested by the following example:

        com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://amHost.example.com:8080/amserver/cdcservlet

      • For web agents set the corresponding property as suggested by the following example:

        com.sun.am.policy.agents.config.cdcservlet.url = https://amHost.example.com:8080/amserver/cdcservlet

  4. Restart the container that hosts the agent.

  5. Edit the Access Manager AMConfig.properties configuration file to reflect the required changes.

    1. Set the following property to true as illustrated:

      com.sun.identity.enableUniqueSSOTokenCookie = true

    2. Set the following property exactly as it is illustrated:

      com.sun.identity.authentication.uniqueCookieName = sunIdentityServerAuthNServer

    3. Set the following property to a domain such that it covers all the Access Manager instances installed:

      com.sun.identity.authentication.uniqueCookieDomain

      The following example illustrates how this property would be set if the domain name were example.com:

      com.sun.identity.authentication.uniqueCookieDomain = .example.com

  6. In the Access Manager Administration Console, select the Configuration tab.

  7. Scroll as needed to the System Properties list and click Platform.

  8. In the Cookie Domain list, change the cookie domain name.

    This step enables Access Manager to set host-specific session cookies instead of domain-wide session cookies.

    1. Ensure that the default domain, such as “example.com,” is selected.

    2. Click Remove.

    3. Enter the name of the machine hosting the Access Manager instance.

      For example:

      amHost.example.com

    4. Click Add.

  9. Ensure that the proper cookies appear in a browser.

    1. Use a browser to access a resource that is protected by the agent that you just configured.

    2. Check the browser's cookie settings to ensure that the following three cookies appear:

      Cookie Name                   | Example Cookie Value            | Example Cookie Domain Information
      ------------------------------|---------------------------------|----------------------------------
      iPlanetDirectoryPro           | SSO-token                       | amHost.example.com
      iPlanetDirectoryPro           | restricted-SSO-token            | agentHost.example.com
      sunIdentityServerAuthNServer  | https://amHost.example.com:8080 | .example.com

      For more information about the preceding cookies, see Access Manager Session Cookies Involved in Issuing Unique SSO Tokens.
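The following Python script is an added example, not part of this technical note or of the Access Manager product: it audits AMAgent.properties and AMConfig.properties fragments against the settings required in steps 2, 3 and 5 above, including the case-sensitive agentRootURL format with its mandatory trailing slash. The property fragments it reads are constructed samples, and the leading-dot check on uniqueCookieDomain is an assumption drawn from the example in step 5.

```python
import re
# Settings required by the procedure above; J2EE and web agents use different names.
AGENT_ENABLE = {"j2ee": "com.sun.identity.agents.config.cdsso.enable",
                "web": "com.sun.am.policy.agents.config.cdsso.enable"}
AGENT_CDC_URL = {"j2ee": "com.sun.identity.agents.config.cdsso.cdcservlet.url[0]",
                 "web": "com.sun.am.policy.agents.config.cdcservlet.url"}
AM_REQUIRED = {"com.sun.identity.enableUniqueSSOTokenCookie": "true",
               "com.sun.identity.authentication.uniqueCookieName": "sunIdentityServerAuthNServer"}
AGENT_ROOT_URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+:\d{1,5}/$")  # trailing slash required

def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")  # first '=' only; URL values contain ':'
            props[key.strip()] = value.strip()
    return props

def check_agent_root_url(entry):
    """Validate the Agent Key Value entry 'agentRootURL=protocol://hostname:port/'.
    The key string is case sensitive."""
    key, sep, value = entry.partition("=")
    return key == "agentRootURL" and bool(sep) and AGENT_ROOT_URL_RE.match(value) is not None

def audit(agent_props, am_props, agent_type):
    """Return findings for one agent/AM pair; an empty list means it follows the procedure."""
    findings = []
    if agent_props.get(AGENT_ENABLE[agent_type], "").lower() != "true":
        findings.append(f"agent: {AGENT_ENABLE[agent_type]} must be true (CDSSO is required)")
    if not re.match(r"^https?://[^/]+/amserver/cdcservlet$", agent_props.get(AGENT_CDC_URL[agent_type], "")):
        findings.append(f"agent: {AGENT_CDC_URL[agent_type]} must point at /amserver/cdcservlet")
    for key, want in AM_REQUIRED.items():
        if am_props.get(key, "") != want:  # uniqueCookieName must match exactly
            findings.append(f"AM: {key} must be exactly {want}")
    domain = am_props.get("com.sun.identity.authentication.uniqueCookieDomain", "")
    if not domain.startswith("."):  # assumption: leading-dot form, as in the page's example
        findings.append("AM: uniqueCookieDomain must cover all AM instances, e.g. .example.com")
    return findings

# Constructed sample fragments for a J2EE agent (not from any real deployment).
SAMPLE_AGENT = """# AMAgent.properties fragment
com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://amHost.example.com:8080/amserver/cdcservlet
"""
SAMPLE_AM = """# AMConfig.properties fragment
com.sun.identity.enableUniqueSSOTokenCookie = true
com.sun.identity.authentication.uniqueCookieName = sunIdentityServerAuthNServer
com.sun.identity.authentication.uniqueCookieDomain = .example.com
"""
```

Running audit() over the real files of each agent instance, with the matching agent_type, gives a quick consistency check before the browser cookie verification in step 9.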