Cookie Sharing
Authentication credentials cached with cookie surrogates can be shared across all nodes in a cluster.
When cookie mode caching is enabled, after a user is authenticated the cookie for that user is used for subsequent authentication attempts by any of the proxies that are clustered with the proxy that did the initial authentication. This feature is especially useful in load balanced environments.
When either Cache using Cookies only or Cache using both IP addresses and Cookies is enabled, the Cookie Sharing option is automatically enabled.
- Select Choose File for both Public and Private keys to import your own keys for use with this feature. Browse to the file you want to use and select it. Files must be in PEM format.
The same keys must be imported for each proxy in the cluster.
- After selecting each file, click Import Keys to import custom keys (recommended) and store them in the default location.
Note that default keys are provided and are added when the product is installed or upgraded. The default files are:
/opt/WCG/config/cookie_auth_public.pem
/opt/WCG/config/cookie_auth_private.pem
Select the files you wish to import. The custom keys are automatically copied to this folder and renamed to the default names.
Important: When custom keys are imported, the default files provided by Forcepoint are overwritten. Back up the default keys before importing; see Save Public Key and Save Private Key below. Keys must be an RSA key pair of 1024, 2048 or 4096 bits, with the public key in PKCS#1 format and the private key not protected by a passphrase. 1024-bit RSA is no longer considered adequate; generate 2048-bit or larger keys. Use the following commands to generate keys:
openssl genrsa -out cookie_auth_private.pem 1024
openssl rsa -in cookie_auth_private.pem -RSAPublicKey_out -out cookie_auth_public.pem
Change 1024 to 2048 or 4096 to generate 2048 or 4096 bit keys.
- Select Save Public Key and Save Private Key to make a backup of the files.
Select the location and filenames to use for the backup copy, keeping in mind that the default names are always used for the active keys.
Key files should be backed up prior to importing new keys.
When load balancing has been configured, all proxies must use the same setting for Redirect Hostname. The value must be the fully qualified domain name (FQDN) of the load balancer.
Cookie sharing has the following limitations:
- Cookie caching limitations also apply to cookie sharing. Therefore, because cookie caching is not supported for CONNECT requests, cookie sharing is not supported for CONNECT requests either.
- Custom keys must be imported manually on each proxy. Custom keys are not synchronized across the cluster.
- Cookie sharing is not supported with client certificate authentication.
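As an added example (not Forcepoint tooling; the function names and output directory are my own, and it assumes the openssl command-line tool is installed), the following POSIX shell script covers both the key-generation commands above and the "same keys on every proxy" requirement. It generates a pair under the product's default file names, re-encodes the private key as PKCS#1 on OpenSSL 3.x (which writes PKCS#8 by default), and checks a pair before import: the private key must load with no passphrase, the public key must carry the PKCS#1 BEGIN RSA PUBLIC KEY header, both keys must share a modulus, and it prints a SHA-256 fingerprint of the public key file to compare on every proxy, since custom keys are not synchronized across the cluster. The script rejects keys under 2048 bits, which is stricter than the 1024-bit minimum the product accepts.

```shell
#!/bin/sh
# Added example, not Forcepoint tooling: generate and sanity-check a
# cookie-sharing RSA key pair before importing it on every proxy.
# Assumes the openssl command-line tool is installed.

# gen_cookie_keys DIR [BITS]: write cookie_auth_private.pem and
# cookie_auth_public.pem (the product's default file names) into DIR.
gen_cookie_keys() {
    dir=$1
    bits=${2:-2048}
    mkdir -p "$dir"
    openssl genrsa -out "$dir/cookie_auth_private.pem" "$bits" 2>/dev/null
    # OpenSSL 3.x writes private keys as PKCS#8 ("BEGIN PRIVATE KEY") by
    # default; where -traditional is supported, re-encode as PKCS#1
    # ("BEGIN RSA PRIVATE KEY"). Older releases lack the flag and already
    # emit PKCS#1, so that failure is ignored.
    if openssl rsa -in "$dir/cookie_auth_private.pem" -traditional \
           -out "$dir/cookie_auth_private.pem.tmp" 2>/dev/null; then
        mv "$dir/cookie_auth_private.pem.tmp" "$dir/cookie_auth_private.pem"
    else
        rm -f "$dir/cookie_auth_private.pem.tmp"
    fi
    chmod 600 "$dir/cookie_auth_private.pem"
    # The product requires the public key in PKCS#1 form ("BEGIN RSA PUBLIC KEY").
    openssl rsa -in "$dir/cookie_auth_private.pem" -RSAPublicKey_out \
        -out "$dir/cookie_auth_public.pem" 2>/dev/null
}

# check_cookie_keys PRIV PUB: return non-zero if the pair is unusable for
# cookie sharing; on success print the SHA-256 fingerprint of the public
# key file, which must be identical on every proxy in the cluster.
check_cookie_keys() {
    priv=$1
    pub=$2
    # Must load with an empty passphrase: a passphrase-protected private
    # key is not accepted by the product.
    openssl rsa -in "$priv" -noout -passin pass: 2>/dev/null \
        || { echo "private key unreadable or passphrase-protected: $priv" >&2; return 1; }
    grep -q '^-----BEGIN RSA PUBLIC KEY-----' "$pub" \
        || { echo "public key is not PKCS#1 (expected BEGIN RSA PUBLIC KEY): $pub" >&2; return 1; }
    # An identical modulus proves the public key belongs to this private key.
    priv_mod=$(openssl rsa -in "$priv" -noout -modulus -passin pass: 2>/dev/null)
    pub_mod=$(openssl rsa -RSAPublicKey_in -in "$pub" -noout -modulus 2>/dev/null)
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ] \
        || { echo "public key does not match private key" >&2; return 1; }
    # The modulus is printed as "Modulus=<hex>"; 4 bits per hex digit.
    bits=$(( (${#priv_mod} - 8) * 4 ))
    # This script's own policy: the product accepts 1024-bit keys, but
    # 1024-bit RSA is no longer considered adequate.
    [ "$bits" -ge 2048 ] \
        || { echo "key is only $bits bits; use 2048 or 4096" >&2; return 1; }
    openssl dgst -sha256 < "$pub" | sed 's/^.*= //'
}

# Usage: sh cookie_keys.sh OUTDIR [BITS]
# Generates the pair into OUTDIR, checks it and prints the fingerprint.
if [ $# -ge 1 ]; then
    gen_cookie_keys "$1" "${2:-2048}"
    check_cookie_keys "$1/cookie_auth_private.pem" "$1/cookie_auth_public.pem"
fi
```

Run the check against the active files in /opt/WCG/config on each proxy after importing; if the printed fingerprints differ between nodes, the cluster is not sharing the same keys and cookies issued by one proxy will not be usable by the others.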