ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Admin ui JSESSIONID Cookie is Not Marked as Secure

book

Article ID: 228182

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder)

Issue/Introduction

Cybersecurity team has flagged the below vulnerability in connection with SiteMinder Admin Console.

It appears that the session cookies are not being marked as secure, even though it was over https.

URL: https://admin_ui_host:8443/iam/siteminder/console/
Name: Session Cookie Not Marked as Secure
Severity: High
Confirmed: True

Identified Cookie(s) :
JSESSIONID

Cookie Source :
HTTP Header

Cause

This is out of box design with current 12.8 admin ui.

Expected result should be something like:

Set-Cookie: JSESSIONID=882D48C8842EA82E3F3AFACC4425A695; Path=/iam/siteminder; Secure; HttpOnly

Environment

Release : 12.8.05

Component : SITEMINDER WAM UI

Resolution

Open file  ~/CA/siteminder/adminui/standalone/deployments/iam_siteminder.ear/user_console.war/WEB-INF/web.xml
 
Go to <cookie-config> tag:
Change content below
from:
<cookie-config>
              <http-only>true</http-only>
               <secure>false</secure>
</cookie-config>
 
To:
<cookie-config>
              <http-only>true</http-only>
               <secure>true</secure>
</cookie-config>
 
Secure sub tag must be true.
Recycle admin ui and login admin ui verify.

Additional Information

DE519825

Attachments