+

Search Tips   |   Advanced Search

Set up SSL

Get an overview of the tasks that are required to configure SSL for HCL WebSphere Portal. Some of these tasks are completed on the IBM WebSphere Application Server and the web server. The steps that refer to the WebSphere Application Server and the web server are summarized here; refer to the WebSphere Application Server and the web server documentation for detailed information. Steps that are unique to HCL WebSphere Portal are described in detail here.

Note: This procedure might be slightly different if a front-end security proxy server such as Security Access Manager WebSEAL is used. In that case, the front-end security server handles the client SSL connections. The web server receives connections from the front-end security proxy server. Mutually authenticated SSL can be configured between the web server and the front-end security proxy server if needed. It is highly dependent on the security requirements of each deployment.To use a Security Access Manager WebSEAL TAI with an SSL junction, complete only steps 1-3 of this procedure.

Important: If only the login process is secure over SSL, complete the first three steps and then go to Configuring SSL only for the login process.

  1. Configure the web server to support HTTPS. This configuration involves setting up the web server to accept inbound connections from client browsers over SSL.

  2. Depending on the web server to use, other software must be installed on the web Server. For example: instance Microsoft Internet Information Server and Microsoft Certificate Service.

  3. The web server must have a port defined (usually 443), and the necessary certificates and keys must be installed.

  4. In a production environment, obtain a certificate from a certificate authority. For testing purposes, we can use iKeyman to generate a self-signed certificate. For Internet Information Server, use the web server's resource toolkit to create SSL keys.

  5. Configure the WebSphere Application Server plug-in for the web server to forward HCL WebSphere Portal traffic that is received over SSL to WebSphere Application Server (which then forwards the traffic to HCL WebSphere Portal).

  6. In configurations where the web server and HCL WebSphere Portal are on separate servers, requests are rerouted to the application server. Under these circumstances, we can also configure SSL between the web server and the application server to provide complete security. This configuration requires that you create extra keyfiles for the web server plug-in and for the embedded HTTPS of WebSphere Application Server.

    • For information about configuring SSL between the web server and the application server, use the IBM Redbooks called WebSphere Application Server V8.5 Security Guide.

    • For information about this step, use the IBM Redbooks link in the related links section. Search for Security Handbook.

    Note: Always create a new SSL keystore and truststore for the external web server and change the WebSphere_Portal server's secure transport channel to use the new SSL repository.

    CAUTION: Do not modify the default SSL key and truststore.

  7. Required: Create or modify the following two properties in the configuration services:

    1. Log on to the WebSphere Integrated Solutions Console.

    2. Go to Resources > Resource Environment > Resource Environment Providers.

    3. Click WP ConfigService.

    4. Click Custom Properties under the Additional Properties heading.

    5. Locate the redirect.login.ssl property and complete one of the following options: Parameter values: The redirect.login.ssl determines the protocol to use after login completes. Specify one of the following values:

      • Set to true to use HTTPS.

      • Set to false to use HTTP.

      • If the property exists, click the property to modify it and change the value to true.

      • If the property does not exist, click New to create the property and enter the following information:

        • Name: redirect.login.ssl
        • Value: true

        • Type: java.lang.String

    6. Locate the host.port.https property and complete one of the following options:

      • If the property exists, click the property to modify it and change the value to alias_port.

        Note: The alias_port is the port number used for the virtual host alias specified in a previous step (usually 443).

      • If the property does not exist, click New to create the property and enter the following information:

        • Name: host.port.https
        • Value: 443

        • Type: java.lang.String

    7. Click Save to save the changes to the master configuration.

    8. Log out of the WebSphere Integrated Solutions Console.

  8. Update the Transport Security Constraint in wps.ear. We can modify the transport so that WebSphere Application Server enforces the use of SSL for all pages under the /myportal/ URL. Use this step to completely secure the protected area over HTTPS. Clustered environments: Complete this step on the primary node, then complete a full resynchronize to propagate the changes to all nodes.

    1. Export wps.ear.

    2. Go to the directory where you exported wps.ear: path_to_exported_EAR/installedApps/node/wps.ear/wps.war/WEB-INF

      Note: You might need to extract the exported EAR before we can edit any files.

    3. Locate and open web.xml with any text editor.

    4. Set the value of the <transport-guarantee> element to CONFIDENTIAL under the <security-constraint> element for the /myportal/* URL. Do not change the values for the other <transport-guarantee> elements. Use the following information to update the XML file: 

              <security-constraint >
         <web-resource-collection >
            <web-resource-name></web-resource-name>
         <url-pattern>/myportal/*</url-pattern>
         				<http-method>DELETE</http-method>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
         </web-resource-collection>
         <auth-constraint >
            <description></description>
            <role-name>All Role</role-name>
         </auth-constraint>
         <user-data-constraint >
            <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
         </user-data-constraint>
      </security-constraint>

    5. Save and close web.xml.

    6. Redeploy wps.ear.

    7. Synchronize the nodes in the clustered environment.

      1. Log in to the Deployment Manager.

      2. Select System Administration > Nodes.

      3. Select the nodes to synchronize from the list.

      4. Click Full Resynchronize.

  9. Optional: Complete the following steps when we use a remote web server if we must allow direct access to the WebSphere_Portal node on the internal port. For example, http://hostname.example.com:10039/wps/portal, where hostname.example.com is the fully qualified host name of the server where Portal is running and 10039 is the default transport port that is created by WebSphere Application Server. The port number might be different for the environment.:

    1. From the WebSphere Integrated Solutions Console, go to Servers > Server Types > WebSphere application servers > WebSphere_Portal > Web Container Settings > Web Container Transport Chains.

    2. Click New.

    3. Select a name for the transport chain.

    4. Select the WebContainer-Secure template (templates/chains|webcontainer-chains.xml).

    5. Select Next.

    6. Specify the Port name. For example, port 443.

    7. Click Next.

    8. Click Finish to confirm the creation of the transport chain.

    9. Click Save.

    10. In a clustered environment, repeat the previous steps for each node in the cluster. For example, WebSphere_Portal2, and then synchronize the changes to all nodes.

  10. Optional: Complete the following steps only if we use the Login portlet:

    1. Log in to HCL WebSphere Portal.

    2. Click the Administration menu icon. Then, click Portlet Management > Portlets.

    3. Locate the Login portlet and click the Configure portlet icon.

    4. Locate the UseSecureLoginActionUrl parameter and click the Edit value icon.

    5. Type true in the Value field and click OK to save changes.

    6. Click OK to return to the Manage Portlets portlet.

  11. In a stand-alone environment, stop and restart the WebSphere_Portal server. In a clustered environment, stop and restart the Deployment Manager and the WebSphere_Portal servers.Clustered environments: In the Deployment Manager, verify that the EAR changes were successfully synchronized to all nodes. Stop and restart the servers on all nodes.

  12. Test your changes:

    1. Start the home page in a web browser through an HTTP URL that is not secure. For example, http://hostname.example.com:10039/wps/portal, where hostname.example.com is the fully qualified host name of the server where Portal is running and 10039 is the default transport port that is created by WebSphere Application Server. The port number might be different for the environment..

    2. Verify that the login link in the banner area uses the HTTPS schema for the link to the login page.

    3. Enter the user name and password. Then, click the login link to verify that the page is protected. The URL must be HTTPS and the browser must indicate that the page is protected.Browser security prompt: After click the login link to accept the server certificate, a browser security prompt might appear.

    4. Log off.

    5. Log in using an HTTP URL that is not secure and that points directly to the protected area. For example, http://hostname.example.com:10039/wps/portal, where hostname.example.com is the fully qualified host name of the server where Portal is running and 10039 is the default transport port that is created by WebSphere Application Server. The port number might be different for the environment.

    6. Verify that we are requested to log in and that the login page and the portal page are protected through SSL.

      Note: If the security-constraint was not modified to CONFIDENTIAL, SSL does not protect the login page and the portal pages.

Related information