IBM Support

Offloading SSL traffic causes improper redirects or links to HTTP

Technote (troubleshooting)


Problem

When an SSL accelerator, proxy, or load balancer is used in front of an IBM WebSphere® Portal server to offload SSL processing, users may observe one or more of the following conditions:

-- The browser is redirected from an HTTPS page to an HTTP page and back to an HTTPS page.
-- Links on the page are generated using http:// instead of https://.
-- The browser displays a warning to users that they are being redirected to an unsecure page.

Cause

The symptoms are caused by the way the WebSphere Application Server (WSAS) handles redirects when SSL offloading is in use.

Resolving the problem

The behavior of the WebSphere Application Server has been modified to help avoid the symptoms mentioned in the problem description. To take advantage of such behavior, you must update the external component handling the SSL connection as well as the WebSphere Application Server configuration as follows:

1. Update the SSL accelerator/proxy/load balancer to insert a custom HTTP header field into the HTTP requests it forwards, so that the WebSphere Application Server can read it. The Related information section below offers a couple of vendor-specific examples from F5 and Citrix.

2. Add the custom property "httpsIndicatorHeader" to the WebSphere_Portal web container properties as follows:

    -- Log into the WebSphere Administrative console.
    -- Navigate to Servers --> Application Servers --> WebSphere_Portal --> Web Container --> Custom Properties.
    -- Click "New". For the Name field, enter "httpsIndicatorHeader". The value field should contain the name of the HTTP header field* inserted by the SSL accelerator/proxy/load balancer. WebSphere Application Server does not look at the actual value of the header field on the incoming request.
    -- If in a cluster, repeat this step for each Portal server in the cluster.
    -- Save the changes and restart the server.

* The name of the field that is added to the HTTP header is left to the discretion of the administrator of the external component handling SSL. WebSphere Application Server only checks that the name of the header field on the request matches the httpsIndicatorHeader value.
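
The behavior set up by steps 1 and 2 can be modelled as follows. This is an added example, not IBM or WebSphere code; the header name X-Offload-HTTPS, the host name and all function names are assumptions. Because only the presence of the header is checked, the model also tests that the offloader sets the header on SSL connections only and drops any copy that arrives from the client.

```python
# Added illustration: a model of the presence-only check, not WebSphere code.
INDICATOR = "X-Offload-HTTPS"  # hypothetical name; must equal httpsIndicatorHeader


def offloader_forward(client_headers, client_used_tls, strip_inbound=True):
    """Model of the SSL offloader building the backend (plain HTTP) request."""
    out = {}
    for name, value in client_headers.items():
        # Header names are case-insensitive, so compare in lower case.
        if strip_inbound and name.lower() == INDICATOR.lower():
            continue  # never trust a copy sent by the client
        out[name] = value
    if client_used_tls:
        out[INDICATOR] = "1"  # the value is irrelevant to the application server
    return out


def backend_scheme(backend_headers, indicator=INDICATOR):
    """Model of the web container: header present -> treat request as HTTPS."""
    present = any(name.lower() == indicator.lower() for name in backend_headers)
    return "https" if present else "http"


def redirect_location(backend_headers, host, path):
    """Absolute URL the application server would place in a redirect."""
    return "%s://%s%s" % (backend_scheme(backend_headers), host, path)


def audit_offloader(strip_inbound):
    """Return the cases where the backend's view differs from the real transport."""
    cases = [  # constructed sample requests: (label, client headers, used TLS)
        ("tls client", {"Host": "portal.example.com"}, True),
        ("plain client", {"Host": "portal.example.com"}, False),
        ("plain client sending indicator",
         {"Host": "portal.example.com", "x-offload-https": "on"}, False),
    ]
    mismatches = []
    for label, headers, tls in cases:
        seen = backend_scheme(offloader_forward(headers, tls, strip_inbound))
        if seen != ("https" if tls else "http"):
            mismatches.append(label)
    return mismatches
```

An empty list from audit_offloader(True) means the backend's view of the scheme matches the real transport in every sample case; audit_offloader(False) lists the case an offloader rule must cover.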

Related information

WebSphere Web Container custom properties
F5 BigIP (see pages 17-18)

Cross reference information
Segment | Product | Component | Platform | Version | Edition
Organizational Productivity- Portals & Collaboration | Lotus Quickr for WebSphere Portal | | AIX, HP-UX, Linux, Windows | 8.5, 8.1.1.1, 8.1.1, 8.1, 8.0.0.2, 8.0 |
Organizational Productivity- Portals & Collaboration | WebSphere Portal End of Support Products | | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 6.0 |

Document information

More support for: WebSphere Portal
Security

Software version: 6.1, 7.0, 8.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: Enable, Express, Extend, Server

Reference #: 1221253

Modified date: 31 October 2005

