
Configure SSL only for the login process

We can encrypt only the login process to IBM WebSphere Portal and then allow subsequent requests through HTTP.

To configure SSL only for the login process:

  1. Set properties in WP ConfigService application:

    From the WAS admin console go to...

      Resources | Resource Environment | Resource Environment Providers | WP ConfigService | Custom Properties | Additional Properties

    ...and set redirect.login.ssl ...

      Name redirect.login.ssl
      Value true
      Type java.lang.String

    The redirect.login.ssl parameter determines the protocol to use after login completes. If this parameter is set to true, https is used. If this parameter is set to false, http is used. This setting is not affected by the protocol used to access the main page.

  2. Set host.port.https...

      Name host.port.https
      Value 443
      Type java.lang.String

  3. Set the host.port.http property if we are using a port other than the default 80.

      Name host.port.http
      Value 80
      Type java.lang.String

  4. Click Save to save the changes to the master configuration.

  5. Log out of the WAS admin console.

  6. To encrypt the login process to WebSphere Portal, and allow subsequent requests through HTTP:

    The Login portlet uses the UseSecureLoginActionUrl parameter to control the generation of the login action URL. Set UseSecureLoginActionUrl=true to use a secure URL for login.

    1. From portal, click...

        Administration | Portlet Management | Portlets

    2. Search for Title starts with = "Login".

    3. Select the Configure portlet icon.

    4. Edit the UseSecureLoginActionUrl parameter and set the parameter to true.


Results

We can test the SSL login by opening the unprotected URL http://portalserver.com/wps/myportal and submitting credentials. The URL does not change to https.

Confirm the login was encrypted by monitoring the packets through a network utility such as Ethereal or by reviewing the source code of the login form when accessed through an unprotected HTTP URL. The login form must have an action URL that is secured, for example...

    <form method="post" action="https://....">

Set the browser to warn when it changes between secure and insecure modes to see the behavior on the client side.

