Cloud Management and AIOps


Status Submitted
Created by Guest
Created on Jan 19, 2026

ADSF Citation - NSFM - LTPAToken2 SameSite=Strict causing NOI/Jazz UI failures in Hybrid Domain Deployments on 1.6.14 version.

As per bank security policy, the LTPAToken2 response cookie must have SameSite attribute set to Strict across all environments. However, enabling this configuration in NOI 1.6.14 leads to functional failures in hybrid and cross-domain deployments.

Current Configuration & Constraints

  • Product: NOI 1.6.14
  • Cookie impacted: LTPAToken2
  • Required policy: SameSite=Strict
  • Jazz Console domain: *.bankofamerica.com
  • NOI Console domain: *.bofa.com
  • WAS setting tested: com.ibm.websphere.security.addSameSiteAttributeToCookie=Strict
  • NOI common-ui deployment cookie configuration also set to Strict

Observed Behavior

When SameSite is set to Strict:

  • Accessing NOI or Jazz Alerts/Topology/CNEA Policy pages fails
  • Error observed: Error 404: SRVE0190E: File not found: /
  • This occurs consistently across environments

When SameSite is set to None:

  • Cross-domain hybrid deployment works as expected.
  • However, this violates bank security policy and is not acceptable for production use.

Why is this useful?

This proposal is useful because it resolves a direct conflict between enterprise security policy and NOI product behavior.

Key value:

  • Enables compliance with strict banking security standards
      • SameSite=Strict is mandatory to prevent cross-site cookie leakage and session hijacking.
  • Prevents production outages
      • Current behavior breaks NOI and Jazz UI (404 / SRVE0190E errors).
  • Avoids insecure workarounds
      • Setting SameSite to None or Lax is not acceptable in regulated environments.


Who would benefit from this?

Primary beneficiaries

Banks & Regulated Enterprises

  • Cannot relax SameSite or cookie scoping
  • Often use multiple domains/subdomains for operational and legal reasons.

Security & Risk Teams

  • Eliminates risk of:
      • Session fixation
      • Cross-domain cookie leakage
      • Unauthorized access via sibling applications

How should it work?
Goal: SameSite cookie attribute should be set to Strict to remediate the risk as per bank policies.

For more details please go through the following documentation -> https://www.ibm.com/support/pages/netcool-operations-insight-hybrid-deployment-console-integration-definitions-asm-exist-are-blank-deployment-where-noi-cluster-and-prem-domains-are-different?view=full

  • Minimal security risk
  • Works with SameSite=Strict
  • Fully compliant
  • UI navigation does not rely on cross-domain redirects that require cookies.

Why does the current behavior fail?

NOI/Jazz UI implicitly expects:

  • Cookies to be sent across domains
  • SameSite is not Strict

When Strict is enforced:

  • Session breaks
  • UI fails with 404 / SRVE0190E
  • Cookies are dropped by the browser

Existing IBM PMR Case Numbers:

TS018143558
TS019031795

Idea priority Urgent
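
The following is an added example, not part of the submitted idea or of any IBM code: a simplified model of the browser's SameSite decision applied to the two domains named above, showing when a cookie such as LTPAToken2 would or would not be attached. The hostnames `jazz.bankofamerica.com`, `noi.bofa.com` and `api.bofa.com`, the request shapes, and the two-label registrable-domain shortcut are assumptions made for illustration; scheme comparison (schemeful same-site) is left out.

```javascript
// Simplified model of a browser's SameSite decision (added example).
// Assumption: the registrable domain is the last two labels. Real browsers
// use the Public Suffix List, which gives the same answer for these .com hosts.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function isSameSite(initiatorHost, targetHost) {
  return registrableDomain(initiatorHost) === registrableDomain(targetHost);
}

// Does the browser attach a cookie carrying the given SameSite value?
// req: { initiator, target, method, topLevelNavigation, secure }
function cookieIsSent(sameSite, req) {
  if (isSameSite(req.initiator, req.target)) return true;
  switch (sameSite) {
    case "Strict":
      return false; // never attached to cross-site requests
    case "Lax":
      // cross-site: only top-level navigations using a safe HTTP method
      return req.topLevelNavigation &&
        ["GET", "HEAD", "OPTIONS", "TRACE"].includes(req.method);
    case "None":
      return req.secure === true; // SameSite=None cookies must be Secure (HTTPS)
    default:
      throw new Error("unknown SameSite value: " + sameSite);
  }
}

// Constructed hostnames under the two domains named in the post.
const JAZZ = "jazz.bankofamerica.com";
const NOI = "noi.bofa.com";

function evaluate() {
  const requests = {
    crossSiteLink: { initiator: JAZZ, target: NOI, method: "GET", topLevelNavigation: true, secure: true },
    crossSiteEmbed: { initiator: JAZZ, target: NOI, method: "GET", topLevelNavigation: false, secure: true },
    sameSiteXhr: { initiator: NOI, target: "api.bofa.com", method: "POST", topLevelNavigation: false, secure: true },
  };
  const out = {};
  for (const policy of ["Strict", "Lax", "None"]) {
    out[policy] = {};
    for (const [name, req] of Object.entries(requests)) {
      out[policy][name] = cookieIsSent(policy, req);
    }
  }
  return out;
}

console.log(evaluate());
```

Under Strict, only the request that stays within one registrable domain carries the cookie; both constructed cross-site requests arrive without it.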