Vulnerability Description:
It was observed that the HttpOnly and Secure attributes are not set on the application's session cookie.
Impact:
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.
If the HttpOnly flag is not set for a given cookie, then the cookie can be accessed by client-side scripts, which may expose sensitive information stored in the cookie to unintended parties.
Release : 14.4, 14.5
Component : Identity Manager
3rd Party Issue
Identity Manager / Identity Portal / Identity Governance Standalone:
Edit the standalone.xml file in use (for example, standalone-full-ha.xml):
<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" instance-id="${jboss.node.name}" default-security-domain="other">
    <buffer-cache name="default"/>
    <server name="default-server">
        ..(Cleared for readability)..
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <session-cookie http-only="true" secure="true"/> <!-- add http-only and secure attributes -->
        <websockets/>
    </servlet-container>
</subsystem>
Stop IDM, clear the tmp and data folders, then start IDM.
Identity Manager VAPP
If for some reason the config is not updated, try the steps below.
Identity Manager VAPP/Standalone (If you use CLI commands):
To do this on the VAPP, first add a new management user to JBoss:
sudo /opt/CA/wildfly-idm/bin/add-user.sh
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a): a
Username : <JbossAdminName>
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]:
Press Enter to leave blank
About to add user '<JbossAdminName>' for realm 'ManagementRealm'
Is this correct yes/no? yes
Added user '<JbossAdminName>' to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-users.properties'
Added user '<JbossAdminName>' to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-users.properties'
Added user '<JbossAdminName>' with groups to file '/opt/CA/wildfly-idm/standalone/configuration/mgmt-groups.properties'
Added user '<JbossAdminName>' with groups to file '/opt/CA/wildfly-idm/domain/configuration/mgmt-groups.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? no
Next, navigate to /opt/CA/wildfly-idm/bin/
execute ./jboss-cli.sh
type: connect
Enter credentials
Once connected, run the following CLI commands:
/subsystem=undertow/servlet-container=default/setting=session-cookie:write-attribute(name=secure,value=true)
/subsystem=undertow/servlet-container=default/setting=session-cookie:add(http-only=true,secure=true)
Stop Identity Manager (stop_im)
Clear JMS (deleteIDMJMSQueue)
Start Identity Manager (start_im)
For Identity Portal / Identity Governance:
sudo /opt/CA/wildfly-portal/bin/add-user.sh
sudo /opt/CA/wildfly-ig/bin/add-user.sh
Then follow the user-creation steps above, and make sure that when you connect with the CLI you connect to the IP/IG instance.
Example:
navigate to /opt/CA/wildfly-portal/bin/
execute ./jboss-cli.sh
type: connect
Enter credentials
navigate to /opt/CA/wildfly-ig/bin/
execute ./jboss-cli.sh
type: connect
Enter credentials
These settings can be overridden by other settings or applications:
iam_im/user_console.war/WEB-INF/web.xml
iam_im/management_console.war/WEB-INF/web.xml
In <session-config>:
It should only show as:
But if the application is overriding the application server settings, this is where you would see the cookie settings.
This can also be controlled by a web server, for example Apache:
Ensure mod_headers.so is enabled in the Apache HTTP server.
Add the following entry to /etc/apache2/conf-enabled/security.conf:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Restart the Apache HTTP server to test.
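Whichever of the three methods above is used, the result should be verified on the live Set-Cookie header rather than in the config file. The following Python check is an added example, not part of this article: it parses Set-Cookie header values and reports which of Secure and HttpOnly are missing from the session cookie. The sample header values are constructed, and the host and path in fetch_set_cookies are assumptions to replace with your own.

```python
import http.client

# Constructed sample Set-Cookie headers, as the Identity Manager login page
# might return them before and after the fix is applied.
BEFORE_FIX = ["JSESSIONID=1A2B3C4D5E6F; Path=/iam/im"]
AFTER_FIX = ["JSESSIONID=1A2B3C4D5E6F; Path=/iam/im; Secure; HttpOnly"]

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # "Path=/x" keeps only "path"; bare flags such as "HttpOnly" keep their name.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers, cookie_name="JSESSIONID"):
    """Return {cookie_name: [missing flags]}; an empty list means both flags are present."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name == cookie_name:
            findings[name] = [f for f in REQUIRED_FLAGS if f not in attrs]
    return findings


def fetch_set_cookies(host, path):
    """Fetch a page over HTTPS and return all Set-Cookie header values it sent.

    host/path are assumptions; point them at your own IDM, IP or IG instance.
    """
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    # getheaders() keeps repeated headers, so multiple Set-Cookie lines survive.
    return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]


if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        for name, missing in audit_cookies(headers).items():
            status = "OK" if not missing else "MISSING " + ", ".join(missing)
            print(f"{label}: {name}: {status}")
    # Live check, assumed host/path (uncomment and edit):
    # print(audit_cookies(fetch_set_cookies("idm.example.internal", "/iam/im/")))
```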
Third party network
Refer to the following link for official info:
https://community.akamai.com/customers/s/article/Security-in-Cookies?language=en_US