7.1 Configuring SSL in Identity Server

On a non-secure (HTTP) connection, an attacker can capture the JSESSION cookie and replay it from another browser to take over a valid user session. You can prevent this by configuring Identity Server to use an SSL channel for communications.


7.1.1 Configuring an SSL Channel between Identity Server and LDAP Servers

This section covers channel 1 in Figure 7-1, SSL Communication Channels.

You can set up an SSL channel between Identity Server and LDAP servers while configuring user stores. Select the Use secure LDAP connections option to change the port from 389 to the secure LDAP port 636.

IMPORTANT: If you use port 389, usernames and passwords are sent in clear text, which exposes them to interception.

To enable the Use secure LDAP connections option, perform the following steps:

  1. Go to Identity Servers > Servers > Edit > Local > User Stores.

  2. Click [name of the user store] > [name of the replica].

  3. Select Use secure LDAP connections.
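Selecting the option changes the port; it does not by itself prove that the replica negotiates TLS with a certificate your trust anchor accepts. The following added example (not NetIQ code) performs a strict TLS handshake against a replica on port 636 and reports what was negotiated. REPLICA_HOST and CA_FILE are placeholders; the same probe can be pointed at the Identity Server HTTPS port (8443) for channel 2.

```python
"""Added example (not NetIQ code): confirm that a user-store replica on the
secure LDAP port really negotiates TLS with a certificate that chains to your
trust anchor. REPLICA_HOST and CA_FILE below are placeholders."""
import socket
import ssl

SECURE_LDAP_PORT = 636   # what 'Use secure LDAP connections' switches the replica to
CLEAR_LDAP_PORT = 389    # bind DN and password cross the wire unencrypted here


def make_context(ca_file=None) -> ssl.SSLContext:
    """Strict client context: the peer must present a certificate that chains to
    ca_file (or to the system trust store when ca_file is None), the hostname must
    match, and TLS 1.2 is the floor. Encryption without this verification would
    still let an interposed host read the bind credentials."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both verifies the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def probe_tls(host: str, port: int = SECURE_LDAP_PORT, ca_file=None,
              timeout: float = 5.0) -> dict:
    """Handshake with host:port and return what was negotiated. A replica that
    only speaks plain LDAP on that port, or presents an untrusted or misnamed
    certificate, raises ssl.SSLError here instead of returning."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with make_context(ca_file).wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                # getpeercert() returns the subject as a tuple of RDNs, each a
                # tuple of (type, value) pairs; flatten single-valued RDNs
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    REPLICA_HOST = "ldap.example.com"        # placeholder
    CA_FILE = "/path/to/trusted-root.pem"    # placeholder
    print(probe_tls(REPLICA_HOST, SECURE_LDAP_PORT, CA_FILE))
```

Run it from the Identity Server host so the probe exercises the same network path the user-store connection uses; a handshake failure is a configuration problem to fix on the replica or in the trust anchor, not a reason to fall back to port 389.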

7.1.2 Enabling SSL between Browsers and Identity Server

This section covers channel 2 in Figure 7-1, SSL Communication Channels.

  1. Click Devices > Identity Servers > Edit.

  2. Change Protocol to HTTPS (the system changes the port to 8443).

  3. In the SSL Certificate line, click the Browse icon > Replace and select the Identity Server certificate.

  4. Restart Tomcat.

    If your Identity Server and Administration Console are on the same machine, log in to Administration Console again.

  5. After the Identity Server health turns green, go to Access Gateway > Edit > Service Provider Certificates > Trusted Roots.

  6. Click Add to select the trusted root certificate of the certificate authority that signed the Identity Server certificate.

    (Conditional) If you imported intermediate certificates for the CA, select them also.

    IMPORTANT: If the external certificate authority writes the DN in reverse order (the cn element is displayed first), you receive an error message that the certificate names do not match. You can ignore this warning if the order of the DN elements is the only cause.

  7. Update Access Gateway.
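Before ignoring the "certificate names do not match" warning in step 6, confirm that RDN order is the only difference. The added example below (not NetIQ code) normalises two Distinguished Names and reports whether they are identical, reversed, or genuinely different; the DNs in the demo are constructed.

```python
"""Added example (not NetIQ code): decide whether a 'certificate names do not
match' warning is explained only by the CA writing the DN in reverse RDN order.
All DNs in the demo are constructed."""
import re


def parse_dn(dn: str) -> list:
    """Split an RFC 4514 style DN into (type, value) pairs. Attribute types and
    values are lower-cased for comparison and an escaped comma inside a value
    is unescaped. Multi-valued RDNs (joined with '+') are kept as one value."""
    rdns = []
    # split on commas that are not preceded by a backslash
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(),
                     value.strip().replace("\\,", ",").lower()))
    return rdns


def compare_dns(expected: str, presented: str) -> str:
    """'match' if the DNs are identical after normalisation, 'reversed' if they
    hold the same RDNs in opposite order (the benign case the warning describes),
    otherwise 'mismatch', which must not be waved through."""
    a, b = parse_dn(expected), parse_dn(presented)
    if a == b:
        return "match"
    if a == b[::-1]:
        return "reversed"
    return "mismatch"


if __name__ == "__main__":
    configured = "cn=idp.example.com,o=Example,c=US"   # constructed
    from_ca = "C=US, O=Example, CN=idp.example.com"    # constructed, reversed
    print(compare_dns(configured, from_ca))
```

Only a "reversed" result justifies proceeding past the warning; a "mismatch" means the certificate you selected is not the one issued for this Identity Server.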

7.1.3 Enabling SSL between Identity Server and a Service Provider

This section covers channel 6 in Figure 7-1, SSL Communication Channels.

To make the communication between Identity Server and a service provider more secure, you must consider the following settings:

Identity Provider Signing Certificate: Select a certificate from the keystore and assign it to the service provider.

Identity Provider Encryption Certificate: Select a certificate from the keystore and assign it to the service provider.

Signing certificate per service provider: When you assign custom certificates to each service provider while configuring Identity Server, ensure that you export these certificates and the custom metadata to the service provider. To retrieve the metadata, click the metadata link (available in the note on the Trust page).
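A service provider that imports metadata without the assigned certificates will reject signed assertions or encrypt to the wrong key. The added example below (not NetIQ code) parses exported SAML 2.0 metadata and checks that the signing and encryption KeyDescriptors carry the certificates you assigned. The metadata document and the certificate values in it are constructed placeholders, not real certificates.

```python
"""Added example (not NetIQ code): check that exported Identity Server metadata
advertises the signing and encryption certificates assigned to a service
provider. SAMPLE_METADATA is constructed; the certificate values are
placeholders, not real certificates."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# constructed sample of what an exported metadata document looks like
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def certificates_by_use(metadata_xml: str) -> dict:
    """Map each KeyDescriptor use (signing, encryption; a descriptor without a
    'use' attribute counts for both) to the X509Certificate values it carries,
    with the base64 whitespace stripped so line wrapping does not matter."""
    root = ET.fromstring(metadata_xml)
    found = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in found else list(found)
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            value = "".join((cert.text or "").split())
            for u in uses:
                found[u].append(value)
    return found


def metadata_matches(metadata_xml: str, expected_signing: str,
                     expected_encryption: str) -> dict:
    """Report whether the metadata advertises the certificates that were assigned
    in Identity Server; pass the base64 body of each assigned certificate."""
    certs = certificates_by_use(metadata_xml)
    return {
        "signing_present": "".join(expected_signing.split()) in certs["signing"],
        "encryption_present": "".join(expected_encryption.split()) in certs["encryption"],
    }


if __name__ == "__main__":
    print(metadata_matches(SAMPLE_METADATA,
                           "PLACEHOLDER-SIGNING-CERT",
                           "PLACEHOLDER-ENCRYPTION-CERT"))
```

Run the check against the metadata actually delivered to the service provider: a False in either field means the export predates the certificate change and the service provider is trusting the wrong key.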

For more information, see Configuring Communication Security for a SAML 2.0 Service Provider in the NetIQ Access Manager Appliance 4.4 Administration Guide.

NOTE: These security considerations are also valid when Identity Server acts as a service provider.