
Error when HTTPOnly is enabled for DAS in OpenAM 11.x and 12.x

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you encounter the error "https is not the trusted server" when HTTPOnly is enabled for the Distributed Authentication Service (DAS) in OpenAM 11.x and 12.x.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following error is shown in the browser when authenticating against DAS:

HTTP Status 403 - https is not the trusted server.

An error similar to the following is shown in the OpenAM Authentication debug log:

amLoginServlet:09/08/2014 09:05:19:145 AM EDT: Thread[http-8443-2,5,main] authCookieValue : https
amAuthClientUtils:09/08/2014 09:05:19:146 AM EDT: Thread[http-8443-2,5,main] This server URL : https://auth.openam.examle.com:443/auth/UI/Login
amAuthClientUtils:09/08/2014 09:05:19:146 AM EDT: Thread[http-8443-2,5,main] Server URL from cookie : https
amLoginServlet:09/08/2014 09:05:19:147 AM EDT: Thread[http-8443-2,5,main] LoginServlet.initializeRequestContext(): Routing the request to distauth server with Login URL https is not allowed

The DistAuth cookie (called AMDistAuthCookie by default) has as its value a URL that is not enclosed in double quotes (" "). You can check this by viewing the AMDistAuthCookie in the Cookie header of the HTTP request sent by the browser.

For example:

  • When HTTPOnly is set to true and AMDistAuthCookie has a value such as: https://example.com:443/sso/UI/Login (no quotes), authentication fails with the HTTP Status 403 - https is not the trusted server error.
  • When HTTPOnly is set to false (or removed from the configuration) and AMDistAuthCookie has a value such as: "https://example.com:443/sso/UI/Login" (enclosed in quotes), authentication succeeds.

Recent Changes

The HTTPOnly cookie setting has been set to true in the DAS configuration file:

com.sun.identity.cookie.httponly=true

Causes

Apache Tomcat™ parses HTTPOnly cookies slightly differently when their values contain special characters. The unquoted AMDistAuthCookie value contains such characters (":" and "/"), so Tomcat reads only the leading token, which is why the debug log shows the server URL from the cookie as just "https" rather than the full login URL; "https" is not a trusted server, and the request is rejected.

Solution

This issue can be resolved by enabling cookie encoding in DAS.

You should add the following property to the DAS configuration file for each DAS instance where you have enabled HTTPOnly:

com.iplanet.am.cookie.encode=true

The DAS configuration file is located in the $HOME/FAMDistAuth directory and is called *AMDistAuthConfig.properties.
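The following added example (not ForgeRock's or Tomcat's own code) models the three cookie shapes discussed above with a simplified token/quoted-string parser: an unquoted value is cut at the first HTTP separator, a quoted value survives intact, and a URL-encoded value contains no separators at all. The login URL is a constructed sample, and the encoding step assumes percent-encoding, which is what a cookie-encoding option is expected to produce.

```python
import urllib.parse

# HTTP separator characters from RFC 2616 section 2.2. A strict cookie
# parser ends an unquoted token at the first one it meets.
HTTP_SEPARATORS = set('\t "(),/:;<=>?@[\\]{}')

# Constructed sample value, matching the form shown in the article.
LOGIN_URL = "https://example.com:443/sso/UI/Login"


def parse_cookie_value(raw):
    """Return the value a strict token/quoted-string parser extracts.

    Simplified model of the legacy behaviour described above, not
    Tomcat's own code: a value starting with '"' is read up to the
    closing quote; any other value is cut at the first separator.
    """
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end != -1 else raw[1:]
    for i, ch in enumerate(raw):
        if ch in HTTP_SEPARATORS:
            return raw[:i]
    return raw


def needs_encoding(value):
    """True when an unquoted value would be truncated by the parser above."""
    return any(ch in HTTP_SEPARATORS for ch in value)


def encode_cookie_value(url):
    """Percent-encode the value so it contains no separators (assumed
    behaviour of a cookie-encoding option, not OpenAM's implementation)."""
    return urllib.parse.quote(url, safe="")


def decode_cookie_value(raw):
    """Parse as the server would, then undo the percent-encoding."""
    return urllib.parse.unquote(parse_cookie_value(raw))


if __name__ == "__main__":
    print("unquoted:", parse_cookie_value(LOGIN_URL))          # https
    print("quoted:  ", parse_cookie_value('"' + LOGIN_URL + '"'))
    encoded = encode_cookie_value(LOGIN_URL)
    print("encoded: ", encoded, "->", decode_cookie_value(encoded))
```

Running it shows the unquoted value collapsing to "https", exactly as the debug log reports, while the quoted and encoded forms both yield the full login URL.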

See Also

How do I configure HTTPOnly and Secure cookies for DAS in OpenAM 11.x and 12.x?

FAQ: Distributed Authentication Service (DAS) in OpenAM


Related Issue Tracker IDs

OPENAM-1565 (Add urlencoding option for AMDistAuthCookie)

OPENAM-3999 (Adaptive module doesn't honor encoded cookies in user requests)


Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.