Domain Cookies and the Reverse Proxy

This is a bit of an ancient feature, but one I hadn't touched for a while. I wanted a domain cookie in my deployment; I had a Virtual Host and a standard host:

host1.example.com
host2.example.com (a virtual host)

And I was struggling to get the login process (via AAC and identifier-first authentication) working on the standard host and then to set a domain cookie so I could go back to the Virtual Host. Consider this post a reminder to myself to avoid wasting my time in the future.

So, to configure shared sessions between the virtual host and the non-virtual junctions, first enable the shared domain cookie in the [session] stanza of the WebSEAL configuration file:

# Enable a cookie based session to be shared across all standard and virtual
# host junctions on a single WebSEAL instance. This is achieved through
# enabling the WebSEAL instance to store a single session key as an
# independent value in a multi-valued domain cookie, indexed by the instance
# name. The domain cookie itself is shared across all participating WebSEAL
# instances, but the session values are specific to each instance.
#
# If WebSEAL exists in an environment where the DSC or Redis already handles
# single sign-on across domains, do not enable this configuration item.
shared-domain-cookie = yes

Then nominate the domain (or domains) the session cookie should be scoped to:

[session-cookie-domains]

# Normally WebSEAL session cookies are 'host' cookies which browsers
# only return to the host that originally set them. This stanza
# can be used to configure 'domain' session cookies that may be sent
# to any host in a particular DNS domain. Review the WebSEAL
# documentation and understand the security implications of domain
# session cookies before enabling any entries in this stanza.

# Format is:
# domain = example.com
# domain = otherdomain.com
# ...
domain = example.com

The last thing I had to do – and the main reason it wasn't setting – was to ensure that the Reverse Proxy knew its own domain and was happy to participate in the domain assigned (this is necessary since it can support multiple domains simultaneously):

[server]

...

# If web-host-name is set WebSEAL will use this for the server's hostname. If
# left unset WebSEAL will attempt to automatically determine the server's
# hostname. On systems with many hostnames, interfaces or WebSEAL instances
# the automatic determination may not always be correct requiring this manual
# setting.
# web-host-name = www.webseal.com
web-host-name = host1.example.com
#----------------------
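As an added example (not code from this post, and not anything IBM ships with WebSEAL), here is a small Python checker that parses a WebSEAL-style stanza file and confirms the three pieces above line up: shared-domain-cookie = yes in [session], at least one domain entry in [session-cookie-domains], and a web-host-name in [server] that actually falls inside one of those domains, which was the missing piece here. The two configuration snippets embedded in it are constructed for the demo; the stanza parser, the host-in-domain test and the warning about a single-label domain (which would scope the session cookie to an entire TLD) are my own heuristics.

```python
"""Check that a WebSEAL config has a consistent shared domain cookie setup.

Added example, not part of the original post or of the WebSEAL product.
The stanza parser and the checks below are assumptions about how the
settings relate, based on the three snippets in the post.
"""
import re
from collections import defaultdict

# Constructed sample: the working configuration from the post.
GOOD_CONFIG = """
[session]
shared-domain-cookie = yes

[session-cookie-domains]
domain = example.com

[server]
# web-host-name = www.webseal.com
web-host-name = host1.example.com
"""

# Constructed sample: same, but web-host-name left unset (the failure mode
# described in the post: WebSEAL guesses its hostname and never sets the
# domain cookie).
MISSING_HOST_CONFIG = """
[session]
shared-domain-cookie = yes

[session-cookie-domains]
domain = example.com

[server]
# web-host-name = www.webseal.com
"""


def parse_stanzas(text):
    """Parse a WebSEAL-style config: [stanza] headers, 'key = value' lines,
    '#' comment lines. A key may repeat inside a stanza (several 'domain'
    entries), so every key maps to a list of values in file order."""
    stanzas = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            current = header.group(1).strip()
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()].append(value.strip())
    return stanzas


def host_in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it.
    Case-insensitive; a leading dot on the domain entry is tolerated.
    'notexample.com' must NOT match 'example.com', hence the '.' prefix."""
    h = host.lower().rstrip(".")
    d = domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def check_domain_cookie_config(text):
    """Return a list of findings; an empty list means the setup is consistent."""
    cfg = parse_stanzas(text)
    findings = []

    shared = cfg["session"].get("shared-domain-cookie", ["no"])[-1].lower()
    if shared != "yes":
        findings.append("[session] shared-domain-cookie is not 'yes'")

    domains = cfg["session-cookie-domains"].get("domain", [])
    if not domains:
        findings.append("[session-cookie-domains] has no 'domain' entry")
    for d in domains:
        # Heuristic: a single-label domain such as 'com' would make the
        # session cookie available to every host in that TLD.
        if d.strip(".").count(".") < 1:
            findings.append(f"domain '{d}' is a single label; cookie scope is far too broad")

    hosts = cfg["server"].get("web-host-name", [])
    if not hosts:
        findings.append("[server] web-host-name is unset; WebSEAL will guess its "
                        "hostname, which may not fall inside any configured domain")
    elif domains:
        host = hosts[-1]
        if not any(host_in_domain(host, d) for d in domains):
            findings.append(f"web-host-name '{host}' is not inside any configured domain {domains}")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("good", GOOD_CONFIG), ("missing-host", MISSING_HOST_CONFIG)):
        print(name, "->", check_domain_cookie_config(cfg_text) or "OK")
```

Point it at a real WebSEAL configuration file and the useful signal is the web-host-name check: if the name WebSEAL believes it has does not sit inside one of the [session-cookie-domains] entries, the Set-Cookie will not carry that Domain attribute and the virtual host will never see the session.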

Of course, despite me spending more time than I would admit troubleshooting this, all I had to do was read the documentation – PROPERLY. 😦

https://www.ibm.com/docs/en/sva/10.0.7?topic=vh-using-domain-session-cookies-virtual-host-single-sign
