The Access Gateway and the Embedded Service Provider of the Access Gateway both use session cookies in their communication with the browser. The following sections explain how to protect these cookies from being intercepted by hackers.
For more information about making cookies secure, see the following documents:
An attacker can trick a browser into sending a JSESSION cookie that contains a valid user session over a non-secure connection. This is possible because the Access Gateway communicates with its Embedded Service Provider on port 8080, which is a non-secure connection. Because the Embedded Service Provider does not know whether the Access Gateway is using SSL to communicate with browsers, it does not mark the JSESSION cookie as secure when it creates the cookie. The Access Gateway receives the Set-Cookie header from the Embedded Service Provider and passes it back to the browser unchanged, so the browser holds a non-secure, clear-text cookie. If an attacker spoofs the domain of the Access Gateway, the browser sends the non-secure JSESSION cookie over a non-secure channel, where the cookie can be sniffed.
To stop this from happening, you must first configure Access Gateway to use SSL. See Section 3.3, Configuring SSL Communication with the Browsers and the Identity Server. After you have SSL configured, you need to configure Tomcat to secure the cookie. See one of the following:
On the Linux Access Gateway Appliance, log in as root.
Specify the following command to create the /var/novell/.setsecureESP touch file:
touch /var/novell/.setsecureESP
Specify the following command to restart the Access Gateway Appliance:
/etc/init.d/novell-vmc stop
/etc/init.d/novell-vmc start
On the Access Gateway Service machine, log in as the admin user.
Change to the Tomcat configuration directory.
Linux: /var/opt/novell/tomcat5/conf
Windows: /Program Files/Novell/Tomcat/conf
In a text editor, open the server.xml file.
Search for the connector on port 8080.
Add the following parameter to this connector:
secure="true"
These lines should look similar to the following:
<Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" redirectPort="8443" acceptCount="100" debug="0" connectionTimeout="20000" disableUploadTimeout="true" secure="true" />
Save the server.xml file.
Restart Tomcat.
Linux: /etc/init.d/novell-tomcat5 restart
Windows: Use the following commands:
net stop "Apache Tomcat"
net start "Apache Tomcat"
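As an added check for the Tomcat procedure above (this script is not part of the Novell Access Manager documentation), the following Python reads a server.xml document and reports any Connector on port 8080 that still lacks secure="true". The two server.xml fragments are constructed samples: one as the file looks before the edit and one after it.

```python
"""Check a Tomcat server.xml for secure="true" on the port 8080 connector.

Added example, not part of the product documentation. The XML fragments
below are constructed samples, not copied from a real installation.
"""
import xml.etree.ElementTree as ET

# Constructed sample: server.xml BEFORE the edit (port 8080 has no secure="true").
SAMPLE_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               SSLEnabled="true" />
  </Service>
</Server>
"""

# Constructed sample: the same file AFTER adding secure="true" to the 8080 connector.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    'disableUploadTimeout="true" />',
    'disableUploadTimeout="true" secure="true" />',
)


def insecure_connectors(server_xml: str, ports=("8080",)) -> list:
    """Return the ports of Connector elements whose port is in `ports`
    but which do not carry secure="true" (attribute missing or not "true")."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if port in ports and conn.get("secure", "false").lower() != "true":
            findings.append(port)
    return findings


def check_file(path: str, ports=("8080",)) -> list:
    """Same check against a server.xml file on disk (e.g. /var/opt/novell/tomcat5/conf/server.xml)."""
    with open(path, encoding="utf-8") as fh:
        return insecure_connectors(fh.read(), ports)


if __name__ == "__main__":
    print("before edit, connectors missing secure=\"true\":", insecure_connectors(SAMPLE_BEFORE))
    print("after edit,  connectors missing secure=\"true\":", insecure_connectors(SAMPLE_AFTER))
```

Run `check_file("/var/opt/novell/tomcat5/conf/server.xml")` after restarting Tomcat to confirm the edit was saved; an empty list means the 8080 connector is marked secure.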
The proxy session cookies store authentication information and other information in temporary memory that is transferred between the browser and the proxy. These cookies are deleted when the browser is closed. However, if these cookies are sent through a non-secure channel, there is a threat of hackers intercepting the cookies and impersonating a user on Web sites. To stop this from happening, you can use the following configuration options:
You can configure the Access Gateway to have the authentication cookie set with the keyword secure.
To enable this option:
In the Administration Console, click > > > . Select the option, then click twice. Update the Access Gateway.
NOTE: If this option is enabled, HTTP services cannot use the authentication services.
If there is an SSL terminator device between the users and the Access Gateway (and the Behind Third Party SSL Terminator option is selected), you can force the secure keyword to be set for both HTTP and HTTPS services.
Cross-site scripting vulnerabilities in Web browsers allow malicious sites to grab cookies from a vulnerable site. The goal of such attacks might be to perform session fixation or to impersonate the valid user. You can configure the Access Gateway to set its authentication cookie with the HttpOnly keyword, to prevent scripts from accessing the cookie.
To enable this option:
In the Administration Console, click > > > . Enable the option, then click twice. Update the Access Gateway.