Solutions
Archived

Error when HTTPOnly is enabled for DAS in OpenAM 11.x and 12.x

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you encounter the following error: https is not the trusted server when HTTPOnly is enabled for the Distributed Authentication Service (DAS) in OpenAM 11.x and 12.x.


1 reader recommends this article

Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following error is shown in the browser when authenticating against DAS:

HTTP Status 403 - https is not the trusted server.

An error similar to the following is shown in the OpenAM Authentication debug log:

amLoginServlet:09/08/2014 09:05:19:145 AM EDT: Thread[http-8443-2,5,main] authCookieValue : https amAuthClientUtils:09/08/2014 09:05:19:146 AM EDT: Thread[http-8443-2,5,main] This server URL : https://auth.openam.examle.com:443/auth/UI/Login amAuthClientUtils:09/08/2014 09:05:19:146 AM EDT: Thread[http-8443-2,5,main] Server URL from cookie : https amLoginServlet:09/08/2014 09:05:19:147 AM EDT: Thread[http-8443-2,5,main] LoginServlet.initializeRequestContext(): Routing the request to distauth server with Login URL https is not allowed

The DistAuth Cookie (called AMDistAuthCookie by default) has a URL that is not enclosed in " " (quote marks) as its value. This can be checked by viewing the AMDistAuthCookie in the Header sent in the HTTPRequest.

For example:

  • When HTTPOnly is set to true and AMDistAuthCookie has a value such as: https://example.com:443/sso/UI/Login (no quotes), authentication fails with the HTTP Status 403 - https is not the trusted server error.
  • When HTTPOnly is set to false (or removed from the configuration) and AMDistAuthCookie has a value such as: "https://example.com:443/sso/UI/Login" (enclosed in quotes), authentication succeeds.

Recent Changes

The HTTPOnly cookie setting has been set to true in the DAS configuration file:

com.sun.identity.cookie.httponly=true

Causes

Apache Tomcat™ parses HTTPOnly cookies slightly differently when they contain special characters.

Solution

This issue can be resolved by enabling cookie encoding in DAS.

You should add the following property to the DAS configuration file for each DAS instance where you have enabled HTTPOnly:

com.iplanet.am.cookie.encode=true

The DAS configuration file is located in the $HOME/FAMDistAuth directory and is called *AMDistAuthConfig.properties.

See Also

How do I configure HTTPOnly and Secure cookies for DAS in OpenAM 11.x and 12.x?

FAQ: Distributed Authentication Service (DAS) in OpenAM

Related Training

N/A

Related Issue Tracker IDs

OPENAM-1565 (Add urlencoding option for AMDistAuthCookie)

OPENAM-3999 (Adaptive module doesn't honor encoded cookies in user requests)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.