SIS Quick Note: Disable RequireCookies for CA Access Gateway

Overview

We have a customer who recently deployed a new web service behind the CA Access Gateway (CAG). The external clients that will be consuming the service cannot support session cookies, so the customer deployed the cookieless session scheme for the web service’s virtual host. To support that scheme, the agent configuration must also be changed to disable the RequireCookies parameter.

Unauthorized Request

During testing, the CAG rejected the web service calls, and the client service received an HTTP 403 error. As a first check, we examined the CAG’s server.conf configuration file to validate that the cookieless session scheme was configured correctly. We found no configuration errors in server.conf that would prevent the session scheme from working.

Update Web Agent Configuration Object

For our next check, we examined the agent configuration object and discovered that the parameter RequireCookies was set to ‘Yes’. For cookieless session schemes, this parameter needs to be set to ‘No’, so we had the client change it and restart the server. Rerunning the test yielded a successful result.

Wrap Up

Interested in other CAG-related posts? Check out Pro Tip: Hardening TLS Ciphers for CA Access Gateway

As always, we hope that you have found this information useful. If you need IAM assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.