12.6.1 Securing the Embedded Service Provider Session Cookie on Access Gateway

An attacker can trick a browser into sending the JSESSION cookie, which carries a valid user session, over a non-secure connection. This is possible because Access Gateway communicates with its Embedded Service Provider (ESP) on port 9009, which is not an SSL connection. ESP cannot tell whether Access Gateway is using SSL with the browser, so it does not set the Secure flag on the JSESSION cookie when it creates it. Access Gateway receives the Set-Cookie header from ESP and forwards it to the browser unchanged, as a clear-text cookie that the browser is allowed to send over plain HTTP. If an attacker spoofs the domain of Access Gateway, the browser sends the JSESSION cookie over a non-secure channel, where it can be sniffed and replayed.

To stop this, you must first configure Access Gateway to use SSL. See Section 19.5, Configuring SSL Communication with Browsers and Access Gateway.

After SSL is configured, you must configure Tomcat to mark the cookie as secure.

  1. Log in to Access Gateway server as an admin user.

  2. Change to the Tomcat configuration directory.

    Linux: /opt/novell/nam/mag/conf/

    Windows: /Program Files/Novell/Tomcat/conf

  3. In a text editor, open the server.xml file.

  4. Search for the connector on port 9009.

  5. Add the following attribute within the Connector element. It tells Tomcat that requests arriving on this connector came from clients over SSL, so Tomcat adds the Secure attribute to the session cookie it sets:

    secure="true"
  6. Save the server.xml file.

  7. Enter one of the following commands to restart Tomcat:

    Linux: /etc/init.d/novell-mag restart or rcnovell-mag restart

    Windows: Use the following commands:

    net stop Tomcat8

    net start Tomcat8

Preventing the Session ID from Being Changed Automatically

  1. Go to Devices > Access Gateway > Edit > Reverse Proxy / Authentication > ESP Global Options.

  2. Set RENAME_SESSIONID to false. By default, this is set to true, and ESP renames the session ID automatically. Leave the default unless an application you protect requires a stable session ID: a session ID that changes is harder for an attacker to fix or reuse.

  3. Restart Tomcat on each Identity Server in the cluster.