By default, Oracle Identity Manager can be accessed over HTTP but does not work over Secure Socket Layer (SSL). This is because the cookie-secure flag is disabled by default. The cookie-secure flag tells the Web browser to only send the cookie back over an HTTPS connection. This ensures that the cookie is transmitted only on a secure channel. HTTPS must be enabled for the URL exposed by the application.
To enable Oracle Identity Manager to work over SSL, you must enable the cookie-secure flag. To do so:
Add the <cookie-secure>true</cookie-secure> tag inside the <session-descriptor> element to the following files in the Oracle Identity Manager deployment:
OIM_HOME/apps/oim.ear/admin.war/WEB-INF/weblogic.xml
OIM_HOME/apps/oim.ear/iam-consoles-faces.war/WEB-INF/weblogic.xml
OIM_HOME/apps/oim.ear/xlWebApp.war/WEB-INF/weblogic.xml
Create a new weblogic.xml file for Nexaweb application if it does not exist in its WEB-INF/ directory.
Add the following session descriptor in it:
<?xml version='1.0' encoding='UTF-8'?> <weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0 http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd"> <session-descriptor> <persistent-store-type>replicated_if_clustered</persistent-store-type> <cookie-http-only>false</cookie-http-only> <cookie-name>oimjsessionid</cookie-name> <cookie-secure>true</cookie-secure> <url-rewriting-enabled>false</url-rewriting-enabled> </session-descriptor> </weblogic-web-app>
Save weblogic.xml.
Restart the Oracle Identity Manager Managed Servers.