Configure the 12.9 Siteminder AdminUI to set the 'Samesite' attribute on the JSESSIONID Cookie

Article ID: 395852

Products

SITEMINDER

Issue/Introduction

Some security scans flag the JSESSIONID cookie issued by the Siteminder AdminUI because it is set without a SameSite attribute. This article describes how to add a filter to the AdminUI's embedded JBoss/Undertow configuration so that the SameSite attribute is appended to that cookie.

Environment

Component: Siteminder AdminUI

Release : 12.9

Cause

The SameSite attribute of the Set-Cookie HTTP response header tells the browser whether the cookie may be sent with cross-site requests (None), only with top-level navigations from other sites (Lax), or only with requests originating from the same site (Strict). The AdminUI does not set this attribute on JSESSIONID by default, so the browser applies its own default handling.

Resolution

1) Download the file "AdminUI-Samesite-Fix.zip" attached to this KB

2) Copy the file "AdminUI-Samesite-Fix.zip" to the Siteminder AdminUI host and unzip it.

3) Stop the Siteminder AdminUI

4) Browse to the following directory:

<AdminUI_Install_Dir>\adminui\modules\com

5) Copy the folder named "broadcom" from "1674239267076__AdminUI-Samesite-Fix" to <AdminUI_Install_Dir>\adminui\modules\com\

6) After copying the "broadcom" folder, verify that the following files and directory structure are present:

<AdminUI_Install_Dir>\adminui\modules\com\broadcom\websec\filter\main\modules.xml

<AdminUI_Install_Dir>\adminui\modules\com\broadcom\websec\filter\main\samesitefilter.jar

7) Back up the following file:

<AdminUI_Install_Dir>\adminui\standalone\configuration\standalone-full.xml

8) Edit the following file:

<AdminUI_Install_Dir>\adminui\standalone\configuration\standalone-full.xml

9) Within the file "standalone-full.xml" locate the following entry:

       <subsystem xmlns="urn:jboss:domain:undertow:12.0......"

10) Within that undertow <subsystem> section, locate the <filters> section:

       <filters>
                <response-header header-name="X-Frame-Options" header-value="SAMEORIGIN" name="xframe-options"/>
                <response-header header-name="X-Content-Type-Options" header-value="nosniff" name="x-content-type-options"/>
                <response-header header-name="X-XSS-Protection" header-value="1; mode=block" name="x-xss-protection"/>
                <response-header header-name="Content-Security-Policy" header-value="frame-ancestors 'self'" name="content-security-policy"/>
            </filters>

11) Modify the <filters> section as follows, adding the "samesitecookiehandler" filter after the existing response-header entries:

       <filters>
                <response-header header-name="X-Frame-Options" header-value="SAMEORIGIN" name="xframe-options"/>
                <response-header header-name="X-Content-Type-Options" header-value="nosniff" name="x-content-type-options"/>
                <response-header header-name="X-XSS-Protection" header-value="1; mode=block" name="x-xss-protection"/>
                <response-header header-name="Content-Security-Policy" header-value="frame-ancestors 'self'" name="content-security-policy"/>
                <filter class-name="com.broadcom.websec.filter.SameSiteCookieHandler" module="com.broadcom.websec.filter" name="samesitecookiehandler">
                    <param name="sameSite" value="None"/>
                </filter>
            </filters>

NOTE: The 'value=' attribute of the parameter named "sameSite" [<param name="sameSite" value=  ] must be one of the supported SameSite values: None, Lax or Strict. Enter the value exactly as shown (the values are case-sensitive). Be aware that current browsers only honour SameSite=None when the cookie also carries the Secure attribute, so that setting is appropriate only when the AdminUI is served over HTTPS; Strict will prevent the cookie being sent on any request that arrives from another site, including a redirect back to the AdminUI.

12) Within the file "standalone-full.xml" locate the following entry:

              <host alias="localhost" name="default-host">

13) Implement the following change:

              <host alias="localhost" name="default-host">
                    <filter-ref name="samesitecookiehandler"/>
                    <location handler="welcome-content" name="/"/>
                    <http-invoker security-realm="ApplicationRealm"/>                    
                    <filter-ref name="xframe-options"/>
                    <filter-ref name="x-content-type-options"/>
                    <filter-ref name="x-xss-protection"/>
                    <filter-ref name="content-security-policy"/>
             </host>

NOTE: There is a sample copy of 'standalone-full.xml' within "AdminUI-Samesite-Fix" showing these changes. That copy is NOT intended to replace your existing 'standalone-full.xml'; it is provided for reference only. DO NOT replace your copy of 'standalone-full.xml' with the sample copy provided.

14) Start the Siteminder AdminUI server

15) Using the browser's developer tools (Network tab) or an intercepting proxy, log on to the Siteminder AdminUI and review the Set-Cookie response header for JSESSIONID. It should now include the SameSite attribute with the value you configured; if it does not, confirm that the filter-ref was added to the default-host and that the module files from step 6 are in place.
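The two things that go wrong with this procedure are a mistyped sameSite value or a missing filter-ref in standalone-full.xml (steps 9 to 13), and a cookie that looks right but is rejected by the browser because SameSite=None was chosen without Secure (step 15). The following script is an added example, not part of this KB or of the AdminUI fix package: it checks both the edited configuration and the captured Set-Cookie header. The XML excerpt and the Set-Cookie strings are constructed sample data, and the undertow namespace version in the excerpt is an assumption; the script matches any namespace version, so pass it the text of your own standalone-full.xml and the headers you captured.

```python
"""Checks for the AdminUI SameSite change: validate the <filters>/<host> edit in
standalone-full.xml and validate the JSESSIONID Set-Cookie header seen after restart.
Added example; sample data below is constructed, not taken from a live host."""
import xml.etree.ElementTree as ET
from typing import Dict, List

VALID_SAMESITE = {"None", "Lax", "Strict"}          # values the KB supports, case-sensitive
FILTER_CLASS = "com.broadcom.websec.filter.SameSiteCookieHandler"
FILTER_MODULE = "com.broadcom.websec.filter"

# Constructed excerpt of a standalone-full.xml undertow subsystem after the edit.
# The namespace version (12.0) is assumed; the checks below accept any version.
SAMPLE_CONFIG = """<subsystem xmlns="urn:jboss:domain:undertow:12.0">
  <server name="default-server">
    <host alias="localhost" name="default-host">
      <filter-ref name="samesitecookiehandler"/>
      <filter-ref name="xframe-options"/>
    </host>
  </server>
  <filters>
    <response-header header-name="X-Frame-Options" header-value="SAMEORIGIN" name="xframe-options"/>
    <filter class-name="com.broadcom.websec.filter.SameSiteCookieHandler"
            module="com.broadcom.websec.filter" name="samesitecookiehandler">
      <param name="sameSite" value="None"/>
    </filter>
  </filters>
</subsystem>"""

# Constructed Set-Cookie headers as a browser trace might show them.
SAMPLE_HEADERS_OK = ["JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None"]
SAMPLE_HEADERS_NO_SECURE = ["JSESSIONID=abc123; Path=/; HttpOnly; SameSite=None"]


def check_undertow_config(xml_text: str) -> List[str]:
    """Return a list of problems with the SameSite filter wiring (empty list = OK)."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    # "{*}" matches any namespace, so the undertow schema version does not matter.
    filters = [f for f in root.findall(".//{*}filter") if f.get("class-name") == FILTER_CLASS]
    if not filters:
        return ["no <filter> with class-name %s under <filters>" % FILTER_CLASS]
    flt = filters[0]
    if flt.get("module") != FILTER_MODULE:
        problems.append("filter module should be %s" % FILTER_MODULE)
    params = {p.get("name"): p.get("value") for p in flt.findall("{*}param")}
    value = params.get("sameSite")
    if value not in VALID_SAMESITE:   # rejects "none", "lax", a typo, or a missing param
        problems.append("param sameSite=%r is not one of %s" % (value, sorted(VALID_SAMESITE)))
    refs = [r.get("name")
            for host in root.findall(".//{*}host") if host.get("name") == "default-host"
            for r in host.findall("{*}filter-ref")]
    if flt.get("name") not in refs:
        problems.append("default-host has no <filter-ref name=%r/>" % flt.get("name"))
    return problems


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into the cookie name plus lower-cased attribute keys."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")      # flag attributes (Secure, HttpOnly) get ""
        cookie[key.strip().lower()] = val.strip()
    return cookie


def check_jsessionid(set_cookie_headers: List[str]) -> List[str]:
    """Return problems with the JSESSIONID cookie's SameSite handling (empty list = OK)."""
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != "JSESSIONID":
            continue
        samesite = cookie.get("samesite")
        if samesite is None:
            return ["JSESSIONID has no SameSite attribute: the filter is not being applied"]
        samesite = samesite.capitalize()       # browsers treat the value case-insensitively
        if samesite not in VALID_SAMESITE:
            return ["JSESSIONID SameSite=%r is not a supported value" % samesite]
        if samesite == "None" and "secure" not in cookie:
            return ["SameSite=None without Secure: current browsers will drop this cookie"]
        return []
    return ["no JSESSIONID Set-Cookie header in the captured responses"]


if __name__ == "__main__":
    print("config:", check_undertow_config(SAMPLE_CONFIG) or "OK")
    print("cookie:", check_jsessionid(SAMPLE_HEADERS_OK) or "OK")
    print("cookie without Secure:", check_jsessionid(SAMPLE_HEADERS_NO_SECURE))
```

Run it after editing standalone-full.xml but before restarting, with the file's contents passed to check_undertow_config, to catch a lower-case value or a forgotten filter-ref without a restart cycle; after restart, paste the captured Set-Cookie line into check_jsessionid to confirm the attribute is present and, for None, that Secure accompanies it.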

Attachments

AdminUI-Samesite-Fix.zip