APAR status
Closed as documentation error.
Error description
When you enable the Security.CsrfSessionTokenSalt and Security.CsrfSessionTokenProtectedUris security-hardening properties, the cookie is not compatible with enabling the HTTPOnly flag. The CSRF token is a double-submit token, which requires JavaScript in the browser to be able to read the CSRF token cookie so that it can add the token to a hidden field in POST requests. This requirement isn't documented in Table 1 of "Security-hardening properties" (https://www.ibm.com/support/knowledgecenter/en/SS8JB4_20.x/com.ibm.wbpm.imuc.doc/topics/rsec_harden_properties.html).
PRODUCTS AFFECTED
IBM Business Process Manager (BPM) Advanced
Local fix
N/A
Problem summary
This cookie implements the double-submit cookie pattern and, therefore, the HTTPOnly flag must not be set.
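The following added example (not IBM's code and not part of the original APAR) models the double-submit check generically to show why an HTTPOnly token cookie causes every protected POST to be rejected. The cookie name `csrfToken`, the field name `csrf_field`, and the token value are hypothetical.

```javascript
// Added illustration: minimal model of a double-submit cookie check.
// "csrfToken" (cookie) and "csrf_field" (hidden field) are hypothetical names.

// Browser cookie jar: page script never sees HttpOnly cookies,
// but the browser still sends them in the Cookie request header.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  setFromServer(name, value, { httpOnly = false } = {}) {
    this.cookies.set(name, { value, httpOnly });
  }
  scriptVisible() { // what document.cookie would return
    return [...this.cookies].filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`).join("; ");
  }
  requestHeader() { // what the browser attaches to the request
    return [...this.cookies].map(([n, c]) => `${n}=${c.value}`).join("; ");
  }
}

function parseCookies(header) {
  const out = {};
  for (const part of header.split("; ")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i)] = part.slice(i + 1);
  }
  return out;
}

// Client side: copy the token from the cookie into a hidden field of the POST.
function buildPost(jar, fields) {
  const token = parseCookies(jar.scriptVisible()).csrfToken;
  const body = { ...fields };
  if (token !== undefined) body.csrf_field = token;
  return { cookieHeader: jar.requestHeader(), body };
}

// Server side: accept only when cookie and field are both present and equal.
function serverAccepts(request) {
  const cookieToken = parseCookies(request.cookieHeader).csrfToken;
  const fieldToken = request.body.csrf_field;
  return Boolean(cookieToken) && Boolean(fieldToken) && cookieToken === fieldToken;
}

// Run one protected POST with the token cookie issued with or without HttpOnly.
function simulate(httpOnly) {
  const jar = new CookieJar();
  jar.setFromServer("csrfToken", "constructed-sample-token", { httpOnly });
  return serverAccepts(buildPost(jar, { action: "save" }));
}
```

`simulate(false)` is accepted and `simulate(true)` is rejected: with HTTPOnly set, the cookie still reaches the server, but the script cannot read it, so the hidden field is never populated.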
Problem conclusion
The content will be updated the next time the documentation is refreshed.
Temporary fix
Comments
APAR Information
APAR number
JR63046
Reported component name
BUS AUTO WORKFL
Reported component ID
5737H4100
Reported release
J00
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-11-18
Closed date
2020-11-24
Last modified date
2020-11-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
25 November 2020