Set up SSL
If we are using a Security Access Manager WebSEAL TAI with an SSL junction, complete only steps 1-3 of this procedure. The front-end security server will handle client SSL connections.
If only the login process will be secure over SSL, complete the first three steps and then go to Configure SSL only for the login process.
Set up SSL
- In a production environment, obtain a certificate from a certificate authority.
In a testing environment, generate a self-signed certificate. For IHS, use iKeyman. For IIS, use the web server's resource toolkit.
- Configure the WAS plug-in for the web server to forward traffic received over SSL to WAS.
- Optional: Configure SSL between the remote web server and the application server.
Create a new SSL keystore and truststore for the external web server, and change the WebSphere_Portal server's secure transport channel to use the new SSL repository. Do NOT modify the default SSL key and truststore.
- Required: Create or modify the following two properties...
- Log on to the WAS admin console and go to...
Resources | Resource Environment | Resource Environment Providers | WP ConfigService | Custom Properties
- Locate the redirect.login.ssl property and...
- Set to true to use HTTPS.
- Set to false to use HTTP.
- Locate the host.port.https property and set the port number used for the virtual host alias (usually 443).
- Click Save to save the changes to the master configuration.
- Log out of the WAS admin console.
- Update the Transport Security Constraint in wps.ear.
We can modify the transport so that WebSphere Application Server enforces the use of SSL for all pages under the /myportal/ URL. Use this step to completely secure the protected area over HTTPS.
Complete this step on the primary node, then complete a full resynchronize to propagate the changes to all nodes.
- Export and extract wps.ear
- Edit...
/path/to/exported/ear/installedApps/node/wps.ear/wps.war/WEB-INF/web.xml
- Set the value of the element <transport-guarantee> to CONFIDENTIAL under the <security-constraint> element for the /myportal/* URL.
Do not change the values for the other <transport-guarantee> elements.
    <security-constraint id="SecurityConstraint_1">
      <web-resource-collection id="WebResourceCollection_1">
        <web-resource-name></web-resource-name>
        <url-pattern>/myportal/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint id="AuthConstraint_1">
        <description></description>
        <role-name>All Role</role-name>
      </auth-constraint>
      <user-data-constraint id="UserDataConstraint_4">
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
- Save and close web.xml.
- Redeploy wps.ear.
- Synchronize the nodes in the clustered environment.
System Administration | Nodes | nodes | Full Resynchronize
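As an added check for the web.xml edit above (example code, not from the product documentation): parse an exported web.xml and confirm that the /myportal/* constraint carries CONFIDENTIAL while every other constraint keeps the guarantee it already had. The embedded web.xml fragment is constructed for this example and is not the real wps.war descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment for this example (not the real wps.war file):
# /myportal/* already set to CONFIDENTIAL, a second constraint left at NONE.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint id="SecurityConstraint_1">
    <web-resource-collection><url-pattern>/myportal/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint id="SecurityConstraint_2">
    <web-resource-collection><url-pattern>/portal/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the check works with or without an xmlns."""
    return tag.split("}", 1)[-1]


def transport_guarantees(web_xml_text):
    """Map each url-pattern of every security-constraint to its transport-guarantee.

    A constraint without a user-data-constraint is reported as NONE (the servlet
    default), so a missing guarantee shows up instead of being skipped.
    """
    root = ET.fromstring(web_xml_text)
    result = {}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantee = "NONE"
        patterns = []
        for el in sc.iter():
            name = _local(el.tag)
            if name == "url-pattern":
                patterns.append((el.text or "").strip())
            elif name == "transport-guarantee":
                guarantee = (el.text or "").strip()
        for pattern in patterns:
            result[pattern] = guarantee
    return result


def myportal_is_confidential(web_xml_text):
    """True only when /myportal/* is CONFIDENTIAL, as the step above requires."""
    return transport_guarantees(web_xml_text).get("/myportal/*") == "CONFIDENTIAL"
```

Run it against the extracted web.xml before redeploying wps.ear; a result of NONE for /myportal/* means the edit did not take.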
- Update theme links:
- Edit the JSP and JSPF files that provide the login link.
Locate the JSP and JSPF files that include the "wps.Login" string. Do not edit any of the themes included with WebSphere Portal, because these themes are updated with fixes. Instead, copy the theme and make the changes to the copy.
This attribute must appear in a tag similar to the following code:
<portal-navigation:urlGeneration contentNode="wps.Login" portletWindowState="Normal">
The exact structure of this tag can vary depending on how it was constructed by the page designer. The JSP comments might also be used to indicate where the login link is located:
<%-- login button --%>
- After you find the login link, change or add the ssl="true" attribute to the <portal-navigation:urlGeneration> tag of the anchor. For example:
    <wps:if loggedIn="no" notSelection="wps.Login">
      <wps:urlGeneration contentNode="wps.Login" portletWindowState="Normal" ssl="true">
        <td class="wpsToolBar" valign="middle" nowrap>
          <a href="<% wpsURL.write(escapeXmlWriter); %>" class="wpsToolBarLink">
            <wps:text key="link.login" bundle="nls.engine"/>
          </a>
        </td>
      </wps:urlGeneration>
    </wps:if>
The first example in this step uses the portal-navigation: prefix to designate JSP tags from the portal navigation tag library, and this one uses the wps: prefix. Your custom JSP tags might use a different tag prefix.
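An added scan for the theme edit above (example code, not part of the original page): it finds urlGeneration tags for wps.Login that lack ssl="true", whatever tag-library prefix the theme uses, and can add the attribute to exactly those tags. The JSP fragment is constructed for the example, and the regex assumes attribute values are double-quoted.

```python
import re

# Constructed theme fragment (not one of the themes shipped with WebSphere Portal):
# the first login link already has ssl="true", the second one does not.
SAMPLE_JSP = """<%-- login button --%>
<wps:if loggedIn="no" notSelection="wps.Login">
  <wps:urlGeneration contentNode="wps.Login" portletWindowState="Normal" ssl="true">
    <a href="<% wpsURL.write(escapeXmlWriter); %>" class="wpsToolBarLink">
      <wps:text key="link.login" bundle="nls.engine"/></a>
  </wps:urlGeneration>
</wps:if>
<portal-navigation:urlGeneration contentNode="wps.Login" portletWindowState="Normal">
  <a href="<% wpsURL.write(escapeXmlWriter); %>">Login</a>
</portal-navigation:urlGeneration>
"""

# Opening urlGeneration tag with any prefix (wps:, portal-navigation:, custom);
# group 2 captures the attribute text. Closing tags start with "</" and do not match.
TAG_RE = re.compile(r"<([\w.-]+:)?urlGeneration\b([^>]*)>")
ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')


def _needs_ssl(attr_text):
    """True for a wps.Login link whose tag does not already carry ssl="true"."""
    attrs = dict(ATTR_RE.findall(attr_text))
    return attrs.get("contentNode") == "wps.Login" and attrs.get("ssl", "").lower() != "true"


def insecure_login_links(jsp_text):
    """Return 1-based line numbers of wps.Login urlGeneration tags lacking ssl="true"."""
    return [jsp_text.count("\n", 0, m.start()) + 1
            for m in TAG_RE.finditer(jsp_text) if _needs_ssl(m.group(2))]


def add_ssl_attribute(jsp_text):
    """Append ssl="true" to each flagged tag; every other tag is returned unchanged."""
    def fix(m):
        if not _needs_ssl(m.group(2)):
            return m.group(0)
        return m.group(0)[:-1] + ' ssl="true">'
    return TAG_RE.sub(fix, jsp_text)
```

Run insecure_login_links over the copied theme's JSP and JSPF files; any reported line is a login link that will still be generated over HTTP.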
- To use a remote web server, we must allow direct access to the WebSphere_Portal node on the internal port. For example...
http://hostname.example.com:10039/wps/portal
- From the WAS admin console, go to Servers > Server Types > WebSphere application servers > WebSphere_Portal > Web Container Settings > Web Container Transport Chains.
- Click New.
- Select a name for the transport chain.
- Select the WebContainer-Secure template (templates/chains|webcontainer-chains.xml).
- Select Next.
- Specify the Port name. For example, port 443.
- Click Next.
- Click Finish to confirm the creation of the transport chain.
- Click Save.
- In a clustered environment, repeat the previous steps for each node in the cluster. For example, WebSphere_Portal2, and then synchronize the changes to all nodes.
- Optional: Complete the following steps only if we use the Login portlet:
- Log in to WebSphere Portal.
- Click Administration > Portlet Management > Portlets.
- Locate the Login portlet and click the Configure portlet icon.
- Locate the UseSecureLoginActionUrl parameter and click the Edit value icon.
- Type true in the Value field and click OK to save the changes.
- Click OK to return to the Manage Portlets portlet.
- In a stand-alone environment, restart the WebSphere_Portal server.
In a clustered environment, in the dmgr, verify the EAR changes were successfully synchronized to all nodes, then restart dmgr and portal servers on all nodes.
- To test the changes:
- Start the home page in a web browser through an HTTP URL that is not secure. For example...
http://hostname.example.com:10039/wps/portal
- Verify the login link in the banner area uses the HTTPS schema for the link to the login page.
- Enter the user name and password. Then, click the login link to verify the page is protected.
The URL must be HTTPS and the browser must indicate the page is protected. After you click the login link, a browser security prompt might appear asking you to accept the server certificate.
- Log off.
- Log in using an HTTP URL that is not secure and that points directly to the protected area. For example...
http://hostname.example.com:10039/wps/portal
- Verify we are requested to log in and the login page and the portal page are protected through SSL.
If the security-constraint was not modified to CONFIDENTIAL, SSL does not protect the login page and the portal pages.