000025376 - How to use RSA ClearTrust with support proxy servers that generate their own cookies

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000025376
Applies ToRSA ClearTrust 4.7
iPlanet Directory Server
Microsoft Windows NT 4.0
Microsoft Windows 2000
Sun Solaris
IssueHow to use RSA ClearTrust with support proxy servers that generate their own cookies
Both RSA ClearTrust and the proxy send a cookie to the web browser
CauseIn a typical proxied setting, ClearTrust Agents are installed on both the proxy servers and the content servers. As a result, when a user requests content, both the Agent on the proxy server and the Agent on the content server will attempt to generate and return a single sign-on (SSO) cookie for the user. To resolve this problem, configure the content server Agents to suppress generation of the cookie. This ensures the browser will receive only the cookie generated by the proxy server Agent, preserving the authentication relationship between the browser and the proxy server Agent.
ResolutionTo instruct the content server Agent to suppress generation of a ClearTrust SSO cookie for any request coming in via the proxy or firewall, you must add the IP addresses of all proxy servers and firewalls as a comma-separated list in the following parameter in the content Web server webagent.conf file:

        cleartrust.agent.cookie_exclusion_list=111.222.33.44,111.222.33.45
Legacy Article IDa11563

Attachments

    Outcomes