-1

Can someone help me out with the "invalid cookie domain" error in OpenAM? I am new to OpenAM and am configuring it for the first time.

When I run the OpenAM WAR file from the Tomcat installed on my Windows PC, I am able to configure the default user, but I get "invalid cookie domain" for the same when I try to create the default user by running OpenAM from Linux.

Phalguni Mukherjee
  • Apparently openam has an issue with extracting the cookie domain. Due to proxy restrictions I could not use www|openam.example.com and had to use another domain, and the cookie domain failed to get created. When using `custom configuration` instead of the `default configuration` promoted in the getting-started guide, you can manually set the cookie domain (don't forget the padding dot). – dr jerry Sep 22 '14 at 13:19

8 Answers

8

A common newbie problem in OpenAM is attempting installation using localhost instead of a proper FQDN.

OpenAM needs proper cookie domains to function correctly. A good strategy for development is to create a local /etc/hosts entry (or the Windows equivalent) that looks something like this:

127.0.0.1 openam.example.com

When you install OpenAM, use openam.example.com as the host, and example.com as the cookie domain.

Remy Lebeau
Warren Strange
  • While going through setup, it does not allow me to change the hostname. It's a read-only field. – wizulus Apr 07 '15 at 22:28
  • 1
    The installer will use the domain name from the browser that you use to access openam. For example, do NOT use http://localhost/openam. Use the FQDN (http://www.example.com/openam) – Warren Strange Apr 09 '15 at 02:18
  • Ah okay, it wasn't clear from the answer this was from the context of a browser. Thanks! – wizulus Apr 09 '15 at 19:44
  • I did this change on a Windows 10 machine, but after setting the openam configuration, openam hangs on the login page. But it doesn't hang for the localhost configuration. Any clue? – Sameera Kumarasingha Jan 06 '17 at 17:51
3

What I have found is that "not so common" domain names (names other than example.com, .net, .org, etc) do not behave well with openam.

Using openam version 11, I set up the hosts file with my machine's fqdn (fully qualified domain name), which is in a domain called something like "projectname.local".

When I deploy openam and try to create default configurations, it fails immediately saying something like "invalid cookie domain".

If I try to circumvent this by creating a new configuration, I see right away that openam thinks my domain is called ".local" instead of "projectname.local" in one of the early configuration forms.

It's only when I change the domain name in hosts to something like "example.com" (like the getting started guide tells you to) that default configuration runs ok.

Otherwise, I couldn't get it to work.

John May
    The installer uses the Mozilla public suffix list library to validate and understand DNS names. If your not-so-common domain names are not valid, this will cause issues. – Warren Strange Apr 09 '15 at 02:22
3

The issue is well documented in the OpenAM installation guide:

1.1. Preparing a Fully-Qualified Domain Name OpenAM requires that you provide the fully-qualified domain name (FQDN) when you configure it. Before you set up OpenAM, be sure that your system has an FQDN such as openam.example.com. For evaluation purposes, you can give your system an alias using the /etc/hosts file on UNIX systems or %SystemRoot%\system32\drivers\etc\hosts on Windows. For deployment, make sure the FQDN is properly assigned for example using DNS.

Do not use the localhost domain for OpenAM, not even for testing purposes. OpenAM relies on browser cookies, which are returned based on domain name. Furthermore, use a domain name that contains at least 2 . (dot) characters, such as openam.example.com

kenorb
diaryfolio
1

You should follow the OpenAM installation documentation. OpenAM requires you to provide a Fully-Qualified-Domain-Name (FQDN). Now, if your FQDN is of format dev-app.server.com (notice the DASH) OpenAM server may read that incorrectly and set your cookie domain to a wrong value. You can check this by simply visiting System > Platform > Global Attributes > Cookie Domains. For a FQDN dev-app.server.com ensure the cookie domain is set to .server.com

5dB
1

When I first installed OpenAM I also faced this issue and found this topic here.

In my case, the error happened to occur when using the "Create Default Configuration" option (as shown on this video - http://forgerock.com/openam-11-0-two-minute-install/).

When I switched to the second option (Create New Configuration), I could see what the reason for this issue was:

The hostname was set to: "192.168.0.52:8080". The OpenAM Configurator automatically selected ".52" as the cookie domain. After changing it to the complete IP Address "192.168.0.52", the configurator was now able to successfully complete the installation.

Maybe it is not suitable for production use, but for my evaluation purposes this was enough. Hope it helps someone else out there.

Fernando
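Added example, not code from the question, any of the answers, or the OpenAM project: a small Python check of the host-name rules the answers above converge on (no localhost, an FQDN with at least two dots, the cookie domain derived from the registrable domain, an IP literal usable only as the whole address). It strips a port the way the "192.168.0.52:8080" case needed, accepts a hyphenated label such as dev-app.server.com, and uses a tiny constructed suffix table in place of the Mozilla Public Suffix List that one comment says the installer relies on; it does not reproduce OpenAM's own derivation code. Host names, URLs and the suffix table are constructed for the example.

```python
"""Pre-install check for the host name that will be typed into the browser
to reach OpenAM, and the cookie domain that host name implies.

Added example; not OpenAM code. The PUBLIC_SUFFIXES table is a constructed
stand-in for the Mozilla Public Suffix List (a real check would load the full
list, e.g. with the `publicsuffix2` package). Hosts not covered by an explicit
rule fall back to the PSL's implicit "*" rule: the TLD alone is the suffix.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List; the real list has thousands of rules.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io"}

# One DNS label: letters, digits and hyphens, never starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def host_from_url(url):
    """Return the lower-cased host the browser used, without scheme, port or path."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()


def registrable_domain(host):
    """Public suffix plus one more label (PSL algorithm: longest matching rule wins)."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    # No explicit rule matched: the implicit "*" rule makes the TLD the suffix.
    return ".".join(labels[-2:])


def cookie_domain_for(url):
    """Return (cookie_domain, None) for a usable host, or (None, reason) otherwise.

    The returned domain has no leading dot; whether the container wants one
    prefixed is a separate question (see the Tomcat answer in the thread).
    """
    host = host_from_url(url)
    if not host:
        return None, "no host in URL"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        # A cookie can be scoped to an IP literal, but only to the whole address;
        # a suffix-style guess such as ".52" is never a valid cookie domain.
        return host, None
    labels = host.split(".")
    if any(not LABEL_RE.match(label) for label in labels):
        return None, f"{host!r} contains an invalid DNS label"
    if host == "localhost" or len(labels) < 3:
        return None, f"{host!r} is not an FQDN with at least two dots (e.g. openam.example.com)"
    domain = registrable_domain(host)
    if domain == host:
        # e.g. openam.co.uk: the cookie domain would be the public suffix "co.uk",
        # which browsers refuse; deploy under a host below a registrable domain.
        return None, f"{host!r} is itself a registrable domain; use a host under it"
    return domain, None


if __name__ == "__main__":
    # Constructed inputs mirroring the cases reported in the thread.
    for url in ("http://localhost/openam", "http://openam.example.com/openam",
                "192.168.0.52:8080", "http://dev-app.server.com/openam",
                "myhost.projectname.local"):
        domain, reason = cookie_domain_for(url)
        print(f"{url:40} -> {domain if domain else 'REJECT: ' + reason}")
```

Run it before the configurator: a `REJECT` line means the browser URL you are about to use will not yield a cookie domain the installer (or the browser) can work with, and the fix is a hosts-file or DNS entry for a proper FQDN rather than fighting the configurator.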
0

You did not tell which cookie domain you specified, so it's impossible to tell why OpenAM complains. However, it's a good idea to make yourself familiar with the 'HTTP state management mechanism' (https://www.rfc-editor.org/rfc/rfc6265). The question is not really related to OpenAM though.

Mark Amery
Bernhard Thalmayr
0

I don't know if it is your case, but keep in mind that recent versions of Tomcat 8 (9?) seem to have changed something in their cookies, and now it will not work with a cookie domain starting with a dot (".example.com") as the OpenAM examples suggest.

But that will happen after a correct installation, and the later login will fail.

See https://forgerock.org/topic/login-page-not-loading-after-setup/ and others.

Paco
0

It needs an FQDN, e.g. openam.server1.com / openam.server2.com

You can configure multiple cookie domains from System -> Platform -> Global Attributes -> Cookie Domains

Example: Add server1 and server2 here.

A cookie generated for server1 will not be valid in server2. There is an option for configuring multiple domains.

Karthik tv
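Added example, not code from any answer here, from OpenAM or from Tomcat: the RFC 6265 cookie-domain rules that three of the answers above touch on, written out so they can be checked offline. It covers the leading dot in the Domain attribute (Bernhard's pointer to RFC 6265 and Paco's Tomcat answer), and why a cookie issued for server1.com is not sent to a host under server2.com (Karthik's answer). The `container_accepts_domain` check is modelled on the label-syntax validation Tomcat's `Rfc6265CookieProcessor` applies before writing a Set-Cookie header, reimplemented here as an assumption, not copied from Tomcat; the Set-Cookie header lines and host names are constructed, and `iPlanetDirectoryPro` is only the default OpenAM session cookie name with a made-up value.

```python
"""RFC 6265 cookie-domain behaviour relevant to an OpenAM deployment.

Added example; not OpenAM or Tomcat code. Section numbers refer to RFC 6265.
"""
import ipaddress
import string

ALNUM = set(string.ascii_letters + string.digits)


def parse_domain_attribute(value):
    """s.5.2.3: an empty Domain value is ignored, a single leading '.' is dropped,
    and the result is compared case-insensitively. So ".example.com" and
    "example.com" mean the same thing to the browser."""
    if not value:
        return None
    if value.startswith("."):
        value = value[1:]
    return value.lower()


def domain_matches(request_host, cookie_domain):
    """s.5.1.3 domain matching: identical, or host ends with '.' + domain and the
    host is a name rather than an IP literal."""
    request_host = request_host.lower()
    if request_host == cookie_domain:
        return True
    if not request_host.endswith("." + cookie_domain):
        return False
    try:
        ipaddress.ip_address(request_host)
    except ValueError:
        return True      # a host name under the cookie domain
    return False         # an IP literal never suffix-matches (".52" can't work)


def container_accepts_domain(domain):
    """Assumed model of the syntax check an RFC 6265 cookie processor (Tomcat's
    Rfc6265CookieProcessor does this) runs when generating Set-Cookie: only
    letters, digits, '.' and '-', and every label starts and ends with a letter
    or digit. A leading dot therefore fails before the header is written."""
    prev = None
    for ch in domain:
        if ch not in ALNUM and ch not in ".-":
            return False
        if prev in (None, ".") and ch in ".-":   # label may not start with . or -
            return False
        if prev == "-" and ch == ".":           # label may not end with -
            return False
        prev = ch
    return prev is not None and prev not in ".-"


def cookie_sent_to(set_cookie, origin_host, request_host):
    """Would the browser attach a cookie set by origin_host to a request to
    request_host? Without a Domain attribute the cookie is host-only and goes
    back only to origin_host (s.5.3); with one, origin_host must itself match
    the domain or the cookie is discarded, and request_host must domain-match."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, val = part.strip().partition("=")
        attrs[name.lower()] = val
    domain = parse_domain_attribute(attrs.get("domain"))
    if domain is None:
        return request_host.lower() == origin_host.lower()
    if not domain_matches(origin_host, domain):
        return False     # s.5.3 step 6: rejected outright by the user agent
    # (A real browser also rejects a domain that is a public suffix; omitted here.)
    return domain_matches(request_host, domain)


if __name__ == "__main__":
    # Constructed header as OpenAM on openam.example.com might emit it.
    sso = "iPlanetDirectoryPro=CONSTRUCTED-VALUE; Domain=example.com; Path=/; HttpOnly"
    print(cookie_sent_to(sso, "openam.example.com", "app.example.com"))   # True
    print(cookie_sent_to(sso, "openam.example.com", "app.other.com"))     # False
    print(container_accepts_domain(".example.com"))                       # False
```

The practical reading for the thread: the dot-prefixed form in older OpenAM examples buys nothing under RFC 6265 (the browser strips it anyway), and a container that validates the attribute strictly will refuse to emit it, which is the silent login failure Paco describes. For the multi-server case, `domain_matches` shows why each server's domain has to be listed separately under Cookie Domains.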