Offloading SSL traffic causes improper redirects or links to HTTP
When an SSL accelerator, proxy, or load balancer is used in front of an IBM WebSphere® Portal server to offload SSL processing, users may observe one or more of the following conditions:
-- The browser is redirected from an HTTPS page to an HTTP page and back to an HTTPS page.
-- Links on the page are generated using http:// instead of https://.
-- The browser displays a warning to users that they are being redirected to an unsecure page.
These symptoms are caused by the way the WebSphere Application Server (WSAS) handles redirects when SSL offloading is in use.
Resolving the problem
The behavior of the WebSphere Application Server has been modified to help avoid the symptoms mentioned in the problem description. To take advantage of this behavior, you must update both the external component handling the SSL connection and the WebSphere Application Server configuration, as follows:
1. Update the SSL accelerator/proxy/load balancer to insert a custom HTTP header variable into HTTP requests that will be read by the WebSphere Application Server. The Related information below offers a couple of vendor-specific examples from F5 and Citrix.
2. Add the property "httpsIndicatorHeader" to the WebSphere_Portal web container properties as follows:
-- Log into the WebSphere Administrative console.
-- Navigate to Servers --> Application Servers --> WebSphere_Portal --> Web Container --> Custom Properties.
-- Click "New". For the Name field, enter "httpsIndicatorHeader". The value field should contain the name of the HTTP header field* inserted by the SSL accelerator/proxy/load balancer. WebSphere Application Server does not look at the actual value of the header field on the incoming request.
-- If in a cluster, repeat this step for each Portal server in the cluster.
-- Save the changes and restart the server.
* The name of the field that is added to the HTTP header is left to the discretion of the administrator of the external component handling SSL. WebSphere Application Server only checks that this name matches the httpsIndicatorHeader value.
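The presence-only check described above, modeled in Python as an added example (a simplified model, not IBM or vendor code). The header name X-Forwarded-SSL, the host and the path are assumptions. Because the header value is ignored, the model also shows the offloading device removing any copy of the header supplied by the client before inserting its own.

```python
# Added illustration: a simplified model, not WebSphere or load-balancer code.
INDICATOR = "X-Forwarded-SSL"  # assumed name; the administrator chooses it


def _get(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def proxy_forward(client_headers, arrived_over_tls, strip_client_copy=True):
    """Offloading device: optionally drop a client-supplied copy of the
    indicator header, then insert it only for requests that arrived over TLS."""
    forwarded = dict(client_headers)
    if strip_client_copy:
        forwarded = {k: v for k, v in forwarded.items()
                     if k.lower() != INDICATOR.lower()}
    if arrived_over_tls:
        forwarded[INDICATOR] = "1"  # arbitrary: only presence is checked
    return forwarded


def redirect_url(headers, path):
    """Server side: presence of the header, whatever its value, selects https."""
    scheme = "https" if _get(headers, INDICATOR) is not None else "http"
    return "%s://%s%s" % (scheme, _get(headers, "Host"), path)


def demo():
    """Constructed requests: host and path are sample values."""
    base = {"Host": "portal.example.com"}
    sent_by_client = {"Host": "portal.example.com", "x-forwarded-ssl": ""}
    path = "/wps/myportal"
    return {
        "offload_without_header": redirect_url(base, path),
        "tls_with_header": redirect_url(proxy_forward(base, True), path),
        "plain_http": redirect_url(proxy_forward(base, False), path),
        "client_copy_stripped": redirect_url(
            proxy_forward(sent_by_client, False), path),
        "client_copy_passed": redirect_url(
            proxy_forward(sent_by_client, False, strip_client_copy=False), path),
    }


if __name__ == "__main__":
    for case, url in demo().items():
        print("%-24s %s" % (case, url))
```

The first case reproduces the symptom (an http:// URL behind an offloader that sends no indicator), and the last shows why the device should overwrite rather than pass through the header.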
| Organizational Productivity - Portals & Collaboration | Lotus Quickr for WebSphere Portal | AIX, HP-UX, Linux, Windows | 8.5, 18.104.22.168, 8.1.1, 8.1, 22.214.171.124, 8.0 |
| Organizational Productivity - Portals & Collaboration | WebSphere Portal End of Support Products | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 6.0 |
Software version: 6.1, 7.0, 8.0
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Software edition: Enable, Express, Extend, Server
Reference #: 1221253
Modified date: 31 October 2005