

Configure SSL only for the login process

You can encrypt only the login process to WebSphere Portal and then allow subsequent requests via HTTP.

To configure SSL only for the login process:

  1. Verify that the following settings are correct for your installation in the WP ConfigService application, which is located in the administrative console in a standalone environment or in the Deployment Manager administrative console in a cluster environment:

    • redirect.login.ssl=false (false is the default value)

    • host.port.http=alias_port_for_HTTP

    • host.port.https=alias_port_for_HTTPS

    where alias_port is the port number (usually 443) that is used for the virtual host alias specified in the Setting up SSL topic. The redirect.login.ssl parameter determines the protocol that is used when the login button is clicked. If this parameter is set to true, https is used. If this parameter is set to false, http is used. This setting is not affected by the protocol that is used to access the main page.

    Set host.port.http if you are using a port other than the default 80.

  2. To only encrypt the login process to WebSphere Portal and allow subsequent requests via HTTP:

    The Login portlet uses the UseSecureLoginActionUrl parameter to control the generation of the login action URL. Set this parameter to true to use a secure URL for login.

    1. Navigate to Administration > Portlet Management > Portlets.

    2. Search for Title start with = "Login".

    3. Select the Configure portlet icon.

    4. Edit the UseSecureLoginActionUrl parameter and set the parameter to true.

You can test the SSL login by opening the following unprotected URL and submitting your credentials: http://portalserver.com/wps/myportal. You will notice that the URL does not change to https.

Confirm the login was encrypted by monitoring the packets via a network utility such as Ethereal or by reviewing the source code of the login form when accessed through an unprotected HTTP URL. The login form should have an action URL that is secured, for example <form method="post" action="https://....">. Set your browser to warn you when changing between secure and insecure modes to see the behavior on the client-side.

