--- title: Access description: The following sections describe how to restrict non-essential access to your deployment, and reduce the amount of non-essential information that it provides. component: java-agents version: 2025.11 page_id: java-agents:security-guide:access canonical_url: https://docs.pingidentity.com/java-agents/2025.11/security-guide/access.html section_ids: non-essential-features: Remove non-essential features non-essential-access: Remove non-essential access update-patches: Update patches agent_sessions: Manage Java Agent sessions expire_advanced_identity_cloud_and_am_sessions: Expire Advanced Identity Cloud and AM sessions manage_cookies: Manage cookies --- # Access The following sections describe how to restrict non-essential access to your deployment, and reduce the amount of non-essential information that it provides. ## Remove non-essential features The more features you have turned on, the more features you need to secure, patch, and audit. If something is not being used, uninstall it, disable it, or protect access to it. ## Remove non-essential access Make sure that only authorized people can access your servers and applications through the appropriate network, using the appropriate ports, and presenting strong-enough credentials. Make sure that users connect to systems through the latest versions of TLS, and audit system access periodically. Protect read-access to endpoints that monitor Common REST, Prometheus, CSV file-based metrics. For Common REST and Prometheus endpoints: * Name exposed base endpoints to prevent them from being easily associated with an application. * Set up strict not-enforced rules, to minimize unauthenticated access. For information, refer to [Manage endpoints for Common REST and Prometheus metrics](../maintenance-guide/monitoring.html#proc-enable-metrics-endpoint). ## Update patches Prevent the exploitation of security vulnerabilities by using up-to-date versions of the agent and third-party software. Review and follow the Ping Identity security advisories. Follow similar lists from all of your vendors. ## Manage Java Agent sessions On startup, Java Agent uses the following properties to obtain a session from AM: * [Agent Profile Name](../properties-reference/org.forgerock.agents.profile.name.html) * [Encrypted Agent Password](../properties-reference/org.forgerock.agents.encrypted.password.html) * [Agent Profile Realm](../properties-reference/org.forgerock.agents.agent.profile.realm.html) The session lifetime is defined by the AM version and configuration, and is essentially indefinite. Consider the following points when you configure the agent session lifetime in AM: * If the lifetime is too short, the agent has to re-authenticate with AM too frequently, using network bandwidth and delaying user requests. * If the lifetime is too long, the CTS can be cluttered with zombie sessions that are no longer in use. * A value between 60 minutes and 1440 minutes (24 hours) is suitable for many use cases. To set the agent session lifetime in AM, add the property `com.iplanet.am.session.agentSessionIdleTime` to the JVM properties in the container where the agent runs, and restart the container. The following example sets the agent session lifetime to 1440 minutes (24 hours): ```bash JAVA_OPTS="$JAVA_OPTS -Dcom.iplanet.am.session.agentSessionIdleTime=1440" ``` ## Expire Advanced Identity Cloud and AM sessions To minimize the time an attacker can attack an active session, set expiration timeouts for every Advanced Identity Cloud and AM session. Set timeouts according to the context of the deployment, balancing security and usability, so that the user can complete operations without the session frequently expiring. For more information, refer to OWASP's [Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration). Set a maximum session lifetime and idle time in Advanced Identity Cloud: * In the Advanced Identity Cloud admin UI, select [icon: open_in_new, set=material, size=inline] Native Consoles > Access Management. * In the AM admin UI, select Services > Add a Service and add a Session service. * Specify the following properties in minutes: * Maximum Session Time * Maximum Idle Time Set a maximum session lifetime and idle time in AM: * In the AM admin UI, select Services > Add a Service and add a Session service. * Specify the following properties in minutes: * Maximum Session Time * Maximum Idle Time ## Manage cookies Increase the security of cookies generated by Java Agent or the protected application in the following ways: * To prevent cookies from being easily associated with an application, change the default name of key cookies. For example, change pre-authentication cookies in [Pre-Authentication Cookie Name](../properties-reference/org.forgerock.agents.authn.cookie.name.html), and JWT cookies in [JWT Cookie Name](../properties-reference/org.forgerock.agents.jwt.cookie.name.html). * To transmit securely all cookies written by the agent, set [Transmit Cookies Securely](../properties-reference/org.forgerock.agents.secure.cookies.enabled.html). * To reduce the risk of cross-site request forgery (CSRF) attacks, set the SameSite attribute of cookies in [Set-Cookie Internal Map](../properties-reference/org.forgerock.agents.set.cookie.internal.map.html) or [Set-Cookie Attribute Map](../properties-reference/org.forgerock.agents.set.cookie.attribute.map.html). * To ensure that cookies cannot be accessed through client-side scripts, and to mitigate any XSS attacks, set [Enable HTTP Only Cookies](../properties-reference/com.sun.identity.cookie.httponly.html) to create cookies with the `httpOnly` flag. * To make cookies accessible only from HTTPS sites, prefix the cookie name with `__Secure-`. A forged insecure site cannot overwrite a secure cookie. * To make cookies accessible only on the same host where they are set, prefix the cookie name with `__Host-`. A subdomain cannot overwrite the cookie value. * To protect the CDSSO session cookie from hijacking, configure AM as described in [Enabling restricted tokens for CDSSO session cookies](https://docs.pingidentity.com/pingam/8/security-guide/enable-cdsso-cookie-hijacking-protection.html) in AM's *Security guide*.