

Administer and Deploy > Administrator's Guide 6.2.0 > System Maintenance > SSL for OpenPages GRC Platform environments > SSL configuration for WebLogic Application Server

Enabling secure session cookies on the Oracle WebLogic Application Server

To enable or disable secure session cookies in the Oracle WebLogic Application Server, you must modify the weblogic.xml file. The weblogic.xml file is located in the \sosa\WEB-INF and \openpages\WEB-INF directories on all application servers in your environment. A secure session cookie tells the browser to send the session cookie back only over an encrypted (HTTPS) connection. This keeps the session identifier off unencrypted connections, so that it is used with OpenPages only over HTTPS. When this feature is enabled, session cookies no longer work over a plain HTTP connection.

1. Go to the weblogic.xml file in the \sosa\WEB-INF directory. For example: <OP_HOME>\applications\op-apps\sosa\WEB-INF
2. Back up the weblogic.xml file by copying the file to another location.
3. Open the weblogic.xml file in a text editor. Do one of the following actions:
   o To enable secure session cookies, you must add the following code.
   o To disable secure session cookies, you must remove the following code.

       <session-param>
         <param-name>CookieSecure</param-name>
         <param-value>true</param-value>
       </session-param>
       <session-param>
         <param-name>URLRewritingEnabled</param-name>
         <param-value>false</param-value>
       </session-param>


4. Repeat steps 2-3 for the weblogic.xml file in the \openpages\WEB-INF directory. For example: <OP_HOME>\applications\op-apps\openpages\WEB-INF
5. In a clustered environment, repeat steps 1-4 on all application servers.

Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) Part Number E14308-09


9 Enabling Secure Cookies

By default, Oracle Identity Manager can be accessed over HTTP but does not work over Secure Socket Layer (SSL). This is because the cookie-secure flag is disabled by default. The cookie-secure flag tells the Web browser to only send the cookie back over an HTTPS connection. This ensures that the cookie is transmitted only on a secure channel. HTTPS must be enabled for the URL exposed by the application.

To enable Oracle Identity Manager to work over SSL, you must enable the cookie-secure flag. To do so:

1. Add the <cookie-secure>true</cookie-secure> tag inside the <session-descriptor> element to the following files in the Oracle Identity Manager deployment:
   o OIM_HOME/apps/oim.ear/admin.war/WEB-INF/weblogic.xml
   o OIM_HOME/apps/oim.ear/iam-consoles-faces.war/WEB-INF/weblogic.xml
   o OIM_HOME/apps/oim.ear/xlWebApp.war/WEB-INF/weblogic.xml
2. Create a new weblogic.xml file for the Nexaweb application if it does not exist in its WEB-INF/ directory.
3. Add the following session descriptor in it:

       <?xml version='1.0' encoding='UTF-8'?>
       <weblogic-web-app
         xmlns=""
         xmlns:xsi=""
         xsi:schemaLocation="">

         <session-descriptor>
           <persistent-store-type>replicated_if_clustered</persistent-store-type>
           <cookie-http-only>false</cookie-http-only>
           <cookie-name>oimjsessionid</cookie-name>
           <cookie-secure>true</cookie-secure>
           <url-rewriting-enabled>false</url-rewriting-enabled>
         </session-descriptor>

       </weblogic-web-app>

4. Save weblogic.xml.
5. Restart the Oracle Identity Manager Managed Servers.
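
Both procedures above end with the same two settings in weblogic.xml, written either as <session-param> entries (OpenPages) or as <session-descriptor> child elements (Oracle Identity Manager). The following check is an added example, not code from IBM or Oracle: it reads a weblogic.xml document in either style and reports any of the two settings that is missing or wrong. The function names, the placeholder namespace and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Values both procedures above set, keyed by <session-descriptor> element name.
EXPECTED = {"cookie-secure": "true", "url-rewriting-enabled": "false"}
# <session-param> names from the OpenPages steps, mapped to the element names.
LEGACY = {"CookieSecure": "cookie-secure", "URLRewritingEnabled": "url-rewriting-enabled"}

def local(tag):
    """Strip a '{namespace}' prefix so files with or without xmlns are handled."""
    return tag.rsplit("}", 1)[-1]

def session_settings(xml_text):
    """Collect the session settings declared in one weblogic.xml document."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name in EXPECTED:
            found[name] = (el.text or "").strip().lower()
        elif name == "session-param":
            kv = {local(c.tag): (c.text or "").strip() for c in el}
            key = LEGACY.get(kv.get("param-name"))
            if key:
                found[key] = kv.get("param-value", "").lower()
    return found

def audit(xml_text):
    """Return one finding per setting that is missing or has the wrong value."""
    found = session_settings(xml_text)
    return [f"{k}: expected {v!r}, found {found.get(k)!r}"
            for k, v in EXPECTED.items() if found.get(k) != v]

# Constructed samples; the namespace and the <session-param> placement are assumptions.
DESCRIPTOR_STYLE = """<weblogic-web-app xmlns="urn:example:placeholder">
  <session-descriptor>
    <cookie-secure>true</cookie-secure>
    <url-rewriting-enabled>false</url-rewriting-enabled>
  </session-descriptor>
</weblogic-web-app>"""
PARAM_STYLE_INCOMPLETE = """<weblogic-web-app>
  <session-descriptor>
    <session-param>
      <param-name>CookieSecure</param-name>
      <param-value>true</param-value>
    </session-param>
  </session-descriptor>
</weblogic-web-app>"""

if __name__ == "__main__":
    print(audit(DESCRIPTOR_STYLE), audit(PARAM_STYLE_INCOMPLETE))
```

An empty list means both settings are present with the values the steps specify; run it against every weblogic.xml named in the steps, on each application server.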