29 Enabling Secure Cookies

By default, Oracle Identity Manager can be accessed over HTTP but does not work over Secure Sockets Layer (SSL), because the cookie-secure flag is disabled by default. The cookie-secure flag tells the Web browser to send the cookie back only over an HTTPS connection, which ensures that the cookie is transmitted only on a secure channel. HTTPS must be enabled for the URL exposed by the application; cookies cannot be secured over HTTP.

To enable Oracle Identity Manager to work over SSL, you must enable the cookie-secure flag. To do so:

  1. Add the <cookie-secure>true</cookie-secure> tag inside the <session-descriptor> element to the following files in the Oracle Identity Manager deployment:

    • OIM_HOME/apps/oim.ear/iam-consoles-faces.war/WEB-INF/weblogic.xml

    • OIM_HOME/apps/oim.ear/xlWebApp.war/WEB-INF/weblogic.xml

    • OIM_HOME/apps/oracle.iam.console.identity.self-service.ear

    • OIM_HOME/apps/oracle.iam.console.identity.sysadmin.ear

  2. Create a new weblogic.xml file for the Nexaweb application if one does not exist in its WEB-INF/ directory.

  3. Add the following session descriptor to it:

    <?xml version='1.0' encoding='UTF-8'?>
    <weblogic-web-app
      xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0   http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd">
     
      <session-descriptor>
        <persistent-store-type>replicated_if_clustered</persistent-store-type>
        <cookie-http-only>false</cookie-http-only>
        <cookie-name>oimjsessionid</cookie-name>
        <cookie-secure>true</cookie-secure>
        <url-rewriting-enabled>false</url-rewriting-enabled>
      </session-descriptor>
     
    </weblogic-web-app>
    
  4. Save weblogic.xml.

  5. Restart the Oracle Identity Manager Managed Servers.
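
A check for the result of these steps, added here as an example and not part of the Oracle documentation: it parses a weblogic.xml file and reports whether <cookie-secure>true</cookie-secure> is present inside <session-descriptor>. The function name, the script name and the two sample documents are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed samples (not taken from a real deployment).
SAMPLE_SECURED = b"""<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0">
  <session-descriptor>
    <cookie-name>oimjsessionid</cookie-name>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>"""
SAMPLE_UNSECURED = b"""<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0">
  <session-descriptor>
    <cookie-name>oimjsessionid</cookie-name>
  </session-descriptor>
</weblogic-web-app>"""


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]


def cookie_secure_status(xml_bytes):
    """Return 'enabled', 'disabled', 'flag-missing' or 'no-session-descriptor'."""
    root = ET.fromstring(xml_bytes)
    descriptors = [e for e in root.iter() if _local(e.tag) == "session-descriptor"]
    if not descriptors:
        return "no-session-descriptor"
    for desc in descriptors:
        for child in desc:
            if _local(child.tag) == "cookie-secure":
                # The page specifies the value true; anything else is reported as disabled.
                return "enabled" if (child.text or "").strip() == "true" else "disabled"
    return "flag-missing"


if __name__ == "__main__":
    # Hypothetical usage: python check_cookie_secure.py path/to/weblogic.xml [...]
    failed = False
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            status = cookie_secure_status(fh.read())
        print(f"{path}: {status}")
        failed |= status != "enabled"
    if not sys.argv[1:]:
        print("secured sample:", cookie_secure_status(SAMPLE_SECURED))
        print("unsecured sample:", cookie_secure_status(SAMPLE_UNSECURED))
    sys.exit(1 if failed else 0)
```

Run against each edited weblogic.xml, the script exits non-zero if any file lacks the flag, so it can gate the restart in step 5.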