WebSphere Portal: Set up SSL

Overview

SSL encrypts traffic between the client browser and the portal server.

Most commonly, the Web server is configured to accept inbound SSL traffic on port 443, and the WAS plug-in for the Web server is configured to forward traffic on that port to a virtual host on WAS. Finally, WebSphere Portal is set up to generate self-referencing URLs using SSL as the transport.

This procedure might be slightly different if a front-end security proxy server such as WebSEAL is used. In that case, the front-end security server handles the client SSL connections. If you plan to use a Tivoli Access Manager WebSEAL TAI with an SSL junction, perform only steps 1-3 of this procedure.

  1. Configure the Web server to support HTTPS.

    The Web server must have a port defined (usually 443), and the necessary certificates and keys must be installed.

    If this is a production environment, obtain a certificate from a certificate authority. For testing purposes, you can use ikeyman to generate a self-signed certificate.

  2. Configure the WAS plug-in for the Web server to forward WebSphere Portal traffic that is received over SSL to WAS (which then forwards the traffic to WebSphere Portal). Update the virtual host list for WAS to include the correct host name and port number, and regenerate the plug-in configuration.

    1. Open the WAS Administrative Console and click...

      Environment | Virtual Hosts

    2. Add a host alias for the host name and SSL port that were added to the Web server in step 1. In a default setup, simply adding the new alias to the "default_host" virtual host is sufficient.

      The host name might be "*" or it might be a fully qualified host name. Usually this is the host name of the Web server.

    3. Click...

      Environment | Update Web Server Plugin | OK

    4. If the Web server is remote, copy the plugin-cfg.xml file to the remote Web server.

  3. In configurations where the Web server and WebSphere Portal reside on separate machines, requests to the Web server are rerouted to the appserver. Under these circumstances, you can also configure SSL between the Web server and the appserver to provide more complete security. This requires that you create additional keyfiles for the Web server plug-in and for the embedded HTTPD of WAS. For complete instructions for this step, refer to section 10.11, "SSL between the Web server and WebSphere", of the IBM Redbook IBM WebSphere V5.0 Security (SG24-6573-00).

  4. Edit ConfigService.properties in...

    <wp_root>/shared/app/config/services/

    ...and change the following parameters:

        redirect.login.ssl = true
        host.port.https = <alias_port>

    ...where <alias_port> is the port number that is used for the virtual host alias that is specified in step 2. The related parameter redirect.logout.ssl determines the protocol that is used when the logout button is clicked: if it is set to true, https is used; if it is set to false, http is used. This setting is not affected by the protocol that is used to access the main portal page.

  5. This step is only required if inbound connections to WebSphere Portal must be over SSL. If inbound connections are forwarded from an external Web server over standard HTTP, meaning that the Web server is the SSL end point, skip this step.

    Edit...

    $WAS_HOME/installedApps/<hostname>/wps.ear/wps.war/WEB-INF/web.xml

    ...and set the <transport-guarantee> of the <security-constraint> that protects the portal to CONFIDENTIAL:

        <security-constraint id="SecurityConstraint_1">
          <web-resource-collection id="WebResourceCollection_1">
            <web-resource-name></web-resource-name>
            <url-pattern>/myportal/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
          </web-resource-collection>
          <auth-constraint id="AuthConstraint_1">
            <description></description>
            <role-name>All Role</role-name>
          </auth-constraint>
          <user-data-constraint id="UserDataConstraint_4">
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
        </security-constraint>

  6. Edit the JSPs that provide the login link. You can search the theme directories for all JSPs that contain the following string:

        screen="Login"

    This attribute should appear in an anchor similar to this:

        <a href='<wps:url home="public" screen="Login"/>'>

    The exact structure of this tag can vary depending on how it was constructed by the page designer. JSP comments might also be used to indicate where the login link is located:

        <%-- login button --%>

    After finding the login link, change or add the ssl="true" attribute on the <wps:url> tag of the anchor, for example:

        <%-- login button --%>
        <wps:if loggedIn="no" notScreen="Login">
        <td valign="middle">
          <a href='<wps:url home="public" ssl="true" screen="Login"/>'>
            <img src='<wps:urlFindInTheme file="nav_login.gif"/>'
                 alt='<wps:text key="link.login" bundle="nls.engine"/>'
                 align="absmiddle" width="25"
                 title='<wps:text key="link.login" bundle="nls.engine"/>'>
          </a>
        </td>
        </wps:if>

  7. Delete the compiled JSPs from the appserver cache by removing the contents of the following directory:
        $WAS_HOME/temp/<node_name>/WebSphere_Portal/wps/wps.war
    

  8. Restart the Web server and WAS for these changes to take effect.

  9. Test your changes by launching the portal home page in a Web browser and clicking the login link. The session is directed to a secure connection after you log in. A browser security prompt appears after you click the login link, before your credentials are sent to the server.
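    As an added verification aid (not part of the original page or of WebSphere Portal itself), the following Python script checks the four artifacts this procedure edits: the virtual host alias in the regenerated plugin-cfg.xml (step 2), the two ConfigService.properties values (step 4), the transport-guarantee of the /myportal/* security constraint in web.xml (step 5), and the theme JSPs' login links (step 6). The file contents embedded below are constructed samples, as are the host name portal.example.com and the second, unconverted login link; on a real installation, read the files from the paths given in the steps above and pass their contents to run_checks().

```python
"""Offline checks for the artifacts edited in the WebSphere Portal SSL setup.

Added example; the sample file contents, the host name and the JSP fragment
are constructed and stand in for the real files named in steps 2, 4, 5 and 6.
"""
import re
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace so web.xml parses the same with or without one."""
    return tag.rsplit("}", 1)[-1]


def has_ssl_alias(plugin_cfg_xml, host, port, group="default_host"):
    """Step 2: True if the virtual host group maps host:port or the wildcard *:port."""
    root = ET.fromstring(plugin_cfg_xml)
    aliases = set()
    for vhg in root.iter("VirtualHostGroup"):
        if vhg.get("Name") == group:
            aliases.update(vh.get("Name", "") for vh in vhg.findall("VirtualHost"))
    return f"{host}:{port}" in aliases or f"*:{port}" in aliases


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def config_service_problems(props, alias_port):
    """Step 4: list the settings that are missing or disagree with the alias port."""
    problems = []
    if props.get("redirect.login.ssl", "").lower() != "true":
        problems.append("redirect.login.ssl is not true")
    if props.get("host.port.https") != str(alias_port):
        problems.append(f"host.port.https is not {alias_port}")
    return problems


def transport_guarantee(web_xml, url_pattern="/myportal/*"):
    """Step 5: transport-guarantee of the constraint covering url_pattern, or None."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [p.text.strip() for p in sc.iter()
                    if _local(p.tag) == "url-pattern" and p.text]
        if url_pattern not in patterns:
            continue
        for tg in sc.iter():
            if _local(tg.tag) == "transport-guarantee" and tg.text:
                return tg.text.strip()
    return None


_WPS_URL_TAG = re.compile(r"<wps:url\b[^>]*>", re.IGNORECASE)
_SCREEN_LOGIN = re.compile(r"""screen\s*=\s*["']Login["']""")
_SSL_TRUE = re.compile(r"""ssl\s*=\s*["']true["']""")


def login_urls_without_ssl(jsp_text):
    """Step 6: the <wps:url screen="Login"> tags that still lack ssl="true"."""
    return [m.group(0) for m in _WPS_URL_TAG.finditer(jsp_text)
            if _SCREEN_LOGIN.search(m.group(0)) and not _SSL_TRUE.search(m.group(0))]


# Constructed sample inputs standing in for the real files.
SAMPLE_PLUGIN_CFG = """<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:9080"/>
    <VirtualHost Name="portal.example.com:443"/>
  </VirtualHostGroup>
</Config>"""

SAMPLE_CONFIG_SERVICE = """# ConfigService.properties (constructed excerpt)
redirect.login.ssl = true
redirect.logout.ssl = false
host.port.https = 443
"""

SAMPLE_WEB_XML = """<web-app>
  <security-constraint id="SecurityConstraint_1">
    <web-resource-collection id="WebResourceCollection_1">
      <url-pattern>/myportal/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint id="UserDataConstraint_4">
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

SAMPLE_JSP = """<%-- login button --%>
<a href='<wps:url home="public" ssl="true" screen="Login"/>'>login</a>
<%-- a second login link that was not converted --%>
<a href='<wps:url home="public" screen="Login"/>'>login</a>"""


def run_checks(plugin_cfg=SAMPLE_PLUGIN_CFG, config_service=SAMPLE_CONFIG_SERVICE,
               web_xml=SAMPLE_WEB_XML, jsp=SAMPLE_JSP,
               host="portal.example.com", port=443):
    """Run all four checks and return their findings in one dictionary."""
    return {
        "alias_present": has_ssl_alias(plugin_cfg, host, port),
        "config_service_problems": config_service_problems(parse_properties(config_service), port),
        "transport_guarantee": transport_guarantee(web_xml),
        "login_urls_without_ssl": login_urls_without_ssl(jsp),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

    On the constructed sample the alias and the two properties check out and the constraint is CONFIDENTIAL, while the second login link is reported because it has no ssl="true" attribute; that is the kind of leftover that makes the first request after clicking "login" go out over plain http even though the rest of the setup is correct.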
See also

  1. IBM WebSphere V5.0 Security (SG24-6573-00)
  2. IBM HTTP Server Information Center
  3. Set up LDAP over SSL
  4. WPS/TAM Integration
  5. Set up LDAP over SSL with IBM Tivoli Directory Server
  6. Configuration task reference
  7. Set up LDAP over SSL with Novell eDirectory
  8. Set up LDAP over SSL to Windows Active Directory
  9. Use WSRP services
  10. Configure Tivoli Access Manager to perform authentication only
  11. Configure WebSphere Portal for Active Directory
  12. wpconfig.properties
  13. Configuration properties reference
  14. Enable SSL: WCM
  15. Configure Tivoli Access Manager for authentication, authorization, and the Credential Vault
  16. Member Manager LDAP repository configuration
  17. Configure WebSphere Portal for Sun ONE
  18. Configure WebSphere Portal for Novell eDirectory
  19. Configure WebSphere Portal for IBM Tivoli Directory Server
  20. Configure WebSphere Portal for Domino Directory
  21. Create a simple portlet
  22. Configurable Portal Services
  23. utils.xml
  24. esm_cfg.xml
  25. lcc_cfg.xml
  26. validation.xml

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.
Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.