4.2 Enabling Secure Cookies

The Access Gateway and the embedded service provider (ESP) of the Access Gateway both use session cookies in their communication with the browser.

For more information about how to protect these cookies from being intercepted by hackers, see Enabling Secure Cookies in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.

By default, the Identity Server and ESP cluster cookies do not have any secure or HTTPOnly flags.

To set the cluster cookies in the Identity Server, you must add the following parameters to the NIDP web.xml and restart Tomcat:

Add the following parameters in web.xml after the ldapLoadThreshold context param:

        <context-param>
                <param-name>secureClusterCookie</param-name>
                <param-value>true</param-value>
        </context-param>
        <context-param>
                <param-name>httponlyClusterCookie</param-name>
                <param-value>true</param-value>
        </context-param>

To set the cluster cookies in the ESP, you must add the following parameter to the NESP web.xml and restart Tomcat:

Add the following parameters in the web.xml below the ldapLoadThreshold context param:

        <context-param>
                <param-name>httponlyClusterCookie</param-name>
                <param-value>true</param-value>
        </context-param>

NOTE: The secure cookies cannot be configured for the ESP cluster because the communication between the Access Gateway and NESP is over HTTP on the loopback interface.
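As an added example (not part of the NetIQ documentation or product), the following Python check audits a NIDP or NESP web.xml for the two cluster-cookie flags described above and inserts any that are missing directly after the ldapLoadThreshold context-param, so the result can be verified before Tomcat is restarted. The web.xml content is a constructed sample; for the NESP file, pass only httponlyClusterCookie, since the secure flag does not apply there.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal web.xml that has the ldapLoadThreshold
# context-param but none of the cluster-cookie flags (the default state).
SAMPLE_WEB_XML = """<web-app>
  <context-param>
    <param-name>ldapLoadThreshold</param-name>
    <param-value>20</param-value>
  </context-param>
  <servlet><servlet-name>placeholder</servlet-name></servlet>
</web-app>"""


def _ns(root):
    """Namespace prefix ('{uri}' or '') of the web-app root; real web.xml files are often namespaced."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def param_order(xml_text):
    """Names of all top-level context-params in document order (used to verify placement)."""
    root = ET.fromstring(xml_text)
    return [cp.findtext("{*}param-name", "").strip() for cp in root.findall("{*}context-param")]


def audit_cookie_flags(xml_text, names):
    """For each flag name, True only if a context-param sets it to 'true' (case-insensitive)."""
    root = ET.fromstring(xml_text)
    values = {cp.findtext("{*}param-name", "").strip(): cp.findtext("{*}param-value", "").strip()
              for cp in root.findall("{*}context-param")}
    return {n: values.get(n, "").lower() == "true" for n in names}


def add_cookie_flags(xml_text, names):
    """Return web.xml text with each missing flag inserted as 'true' right after ldapLoadThreshold."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    anchor = next(i for i, c in enumerate(list(root))
                  if c.tag == ns + "context-param"
                  and c.findtext(ns + "param-name", "").strip() == "ldapLoadThreshold")
    present = set(param_order(xml_text))
    for name in names:
        if name in present:
            continue  # do not duplicate a flag that is already configured
        cp = ET.Element(ns + "context-param")
        ET.SubElement(cp, ns + "param-name").text = name
        ET.SubElement(cp, ns + "param-value").text = "true"
        anchor += 1
        root.insert(anchor, cp)
    return ET.tostring(root, encoding="unicode")
```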