IMPORTANT: If you enter a cipher name incorrectly, Tomcat reverts to the default values,
which allow the weak ciphers to be used.
If you want to allow the SSL cipher suites, the following JSSE names can be added to the list:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
For a complete list of supported cipher suites and their requirements, see The SunJSSE
Provider (http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider).
3 To activate the cipher list, restart Tomcat.
Linux: Enter the following command:
/etc/init.d/novell-tomcat5 restart
Windows: Enter the following commands:
net stop Tomcat5
net start Tomcat5
4 (Conditional) If you have multiple Identity Servers in your cluster configuration, repeat these
steps on each Identity Server.
1.4.4 Securing the Identity Server Cookie
An attacker can spoof a non-secure browser into sending a JSESSION cookie that contains a valid
user session. To stop this from happening, you need to first configure the Identity Server to use SSL.
For configuration information, see "Configuring Secure Communication on the Identity Server" in
the Novell Access Manager 3.1 SP2 Setup Guide.
After you have configured the Identity Server to use SSL, you need to configure Tomcat to secure
the cookie.
1 On the Identity Server, log in as the administrator.
2 Change to the Tomcat configuration directory:
Linux: /var/opt/novell/tomcat5/conf
Windows Server 2003: \Program Files\Novell\Tomcat\conf
Windows Server 2008: \Program Files (x86)\Novell\Tomcat\conf
3 Create a context.xml file with the following content:
<Context useHttpOnly="true">
</Context>
4 Save the file, then restart Tomcat:
Linux: Enter the following command:
/etc/init.d/novell-tomcat5 restart
Windows: Enter the following commands:
net stop Tomcat5
net start Tomcat5
Novell Access Manager 3.1 SP2 Identity Server Guide
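A check to run after the restart in section 1.4.4, as an added example that is not part of the Novell guide: it confirms that context.xml sets useHttpOnly on the Context element and reports which of Secure and HttpOnly are missing from JSESSIONID Set-Cookie headers. The response headers and session ID below are constructed samples, and checking Secure alongside HttpOnly is this example's choice, made because the section requires SSL before this step.

```python
import xml.etree.ElementTree as ET

SESSION_COOKIE = "JSESSIONID"  # Tomcat's session cookie name

def context_uses_httponly(context_xml):
    """True only if the root <Context> element sets useHttpOnly="true"."""
    try:
        root = ET.fromstring(context_xml)
    except ET.ParseError:
        return False  # treat a malformed file as not applying the setting
    return root.tag == "Context" and root.get("useHttpOnly", "").lower() == "true"

def audit_session_cookies(raw_headers, name=SESSION_COOKIE):
    """Return one list of missing flags per Set-Cookie header that sets `name`."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or another header
        parts = [p.strip() for p in value.split(";")]
        if parts[0].partition("=")[0].strip() != name:
            continue  # some other cookie
        # Attribute names are case-insensitive; values (Path=/ etc.) are ignored.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        findings.append([f for f in ("Secure", "HttpOnly") if f.lower() not in attrs])
    return findings

# Constructed samples: response headers before and after the change.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/\r\n"
          "Content-Type: text/html\r\n")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/; Secure; HttpOnly\r\n"
         "Content-Type: text/html\r\n")
CONTEXT_XML = '<Context useHttpOnly="true">\n</Context>'  # content from step 3

if __name__ == "__main__":
    print("context.xml sets useHttpOnly:", context_uses_httponly(CONTEXT_XML))
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        for missing in audit_session_cookies(headers):
            print(label, "missing:", ", ".join(missing) or "none")
```

An empty list for every session cookie means both attributes are present; in a cluster, run the check against each Identity Server.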