The following sections describe how to restrict non-essential access to your deployment, and reduce the amount of non-essential information that it provides.
The more features you have turned on, the more features you need to secure, patch, and audit. If something is not being used, uninstall it, disable it, or protect access to it.
Make sure only authorized people can access your servers and applications through the appropriate network, using the appropriate ports, and presenting strong-enough credentials.
Make sure users connect to systems through the latest versions of TLS, and audit system access periodically.
Provide access only as necessary; restrict to required users, and limit their access to the information they need.
Prevent the exploitation of security vulnerabilities by using up-to-date versions of the agent and third-party software.
Review and follow the ForgeRock Security advisories. To receive email notifications for new security advisories, log in to Backstage, and click the Subscribe button for agent security advisories. Follow similar lists from all of your vendors.
On startup, Web Agent uses the following properties to obtain a session from AM:
The session lifetime is defined by the AM version and configuration, and is essentially indefinite. Consider the following points when you configure the agent session lifetime in AM:
If the lifetime is too short, the agent has to re-authenticate with AM too frequently, using network bandwidth and delaying user requests.
If the lifetime is too long, the CTS can be cluttered with zombie sessions that are no longer in use.
A value between 60 minutes and 1440 minutes (24 hours) is suitable for many use cases.
To set the agent session lifetime in AM, add the property com.iplanet.am.session.agentSessionIdleTime to the JVM properties in the container where the agent runs, and restart the container.
The following example sets the agent session lifetime to 1440 minutes
Increase the security of cookies generated by Web Agent or the protected application in the following ways:
To prevent cookies from being easily associated with an application, change the default name of key cookies. For example, change the SSO cookie in Cookie Name.
To transmit securely all cookies written by the agent, set Enable Cookie Security.
To reduce the risk of cross-site request forgery (CSRF) attacks, set the SameSite attribute of cookies in SameSite Cookie Attribute.
To ensure that cookies cannot be accessed through client-side scripts, and to mitigate any XSS attacks, set Enable HTTP Only Mode to create cookies with the
To make cookies accessible only from HTTPS sites, prefix the cookie name with __Secure-. A forged insecure site cannot overwrite a secure cookie.
To make cookies accessible only on the same host where they are set, prefix the cookie name with __Host-. A subdomain cannot overwrite the cookie value.
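As an added example, not part of the ForgeRock documentation or the agent itself, the following Python script audits Set-Cookie headers captured from a protected application against the cookie hardening points above (Secure, HttpOnly, SameSite, and the browser rules that apply to the __Secure- and __Host- prefixes). The sample headers are constructed for illustration.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return a list of findings; an empty list means the cookie passes every check."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by client-side script")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict or Lax: weaker CSRF protection")
    # Browser rules for prefixed cookies: __Secure- needs Secure;
    # __Host- needs Secure, Path=/ and no Domain, otherwise the browser rejects it.
    if name.startswith("__Secure-") and "secure" not in attrs:
        findings.append("__Secure- prefix requires the Secure attribute")
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            findings.append("__Host- prefix requires the Secure attribute")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids the Domain attribute")
    return findings


# Constructed sample headers (not captured from a real deployment).
SAMPLE_HEADERS = [
    "appsession=01; Path=/; Domain=example.com",
    "__Host-session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/",
    "__Host-bad=xyz; Secure; HttpOnly; SameSite=Lax; Path=/; Domain=example.com",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name = parse_set_cookie(header)[0]
        print(name, audit_set_cookie(header) or ["ok"])
```

Run it against headers exported from a browser's developer tools or a proxy log to confirm that every agent and application cookie carries the attributes the settings above are meant to produce.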