Monday, May 14, 2012

WebSphere and Portal SSL Termination Consideration

Francis recently ran into some issues in an environment with SSL termination at the F5 BigIP content routers. Initially, I thought his issue had to do with how the URLs had been put into forms and content by the developers for his project. I later realized the issue after he sent me this link:

It makes perfect sense now. The application server receives requests and determines whether each request came in on a secure port (SSL/HTTPS). This matters in two ways: first for the Servlet API, and second for the Portal's URL generation. The Servlet API has the ServletRequest#isSecure method as well as the ServletRequest#getScheme method. Application servers behind an SSL termination point see the traffic as non-encrypted, so these methods report a non-secure request. Next, Portal URL generation causes an issue, since it generates URLs for themes and Portlets using this information. When URLs are generated in their full form (absolute URLs), they are generated for non-secure (http) traffic.

One way to try to mitigate the issue is to change the Portal settings in the State Service to use relative URLs.

# enables or disables the generation of relative URLs by default if URLs are generated
# from tags
# this setting can be overridden on a per-tag basis
#
# Default: false
= false

The solution presented in the Technote should be applied in any event, since there may be circumstances where relative URLs are either undesirable or not feasible. One setting in WebSphere Portal asks for traffic to be redirected to secure transport, and without the above, issues would still occur.

Applying both changes may be the best solution; however, usage scenarios vary, so... test.
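
The Servlet API half of the problem described above can also be handled in application code with a filter; this is an added example, not code from the Technote or from IBM, and it does not change Portal's own URL generation settings. It assumes the BigIP is configured to set an X-Forwarded-Proto header on every request and connects directly to the application server from 192.0.2.10 (a constructed address), so that getRemoteAddr() returns the terminator's address; the class and constant names are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example: gives downstream code the HTTPS view of a request decrypted upstream.
public class TerminatedSslFilter implements Filter {
    // Assumption: the terminator sets this header itself, replacing any client-supplied copy.
    static final String PROTO_HEADER = "X-Forwarded-Proto";
    // Constructed sample address standing in for the terminator's source IP.
    static final Set<String> TRUSTED = new HashSet<String>(Arrays.asList("192.0.2.10"));
    // Assumption: the port on which clients reach the terminator.
    static final int PUBLIC_HTTPS_PORT = 443;

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Honor the header only when the connection comes from the terminator.
            // Otherwise a client that reaches the server directly over cleartext
            // could claim its request was secure and pass isSecure() checks.
            boolean fromTerminator = TRUSTED.contains(http.getRemoteAddr());
            if (fromTerminator && "https".equalsIgnoreCase(http.getHeader(PROTO_HEADER))) {
                req = new SecureView(http);
            }
        }
        chain.doFilter(req, res);
    }

    // Overrides the methods the post names, plus the ones absolute URLs are built from.
    static final class SecureView extends HttpServletRequestWrapper {
        SecureView(HttpServletRequest r) { super(r); }
        @Override public boolean isSecure() { return true; }
        @Override public String getScheme() { return "https"; }
        @Override public int getServerPort() { return PUBLIC_HTTPS_PORT; }
        @Override public StringBuffer getRequestURL() {
            StringBuffer url = new StringBuffer("https://").append(getServerName());
            if (PUBLIC_HTTPS_PORT != 443) url.append(':').append(PUBLIC_HTTPS_PORT);
            return url.append(getRequestURI());
        }
    }
}
```

The filter only takes effect once it is mapped in the application's web.xml ahead of any filter or servlet that checks the transport.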

Tim Reilly is a Technology Manager with Prolifics. He has led the implementation of many global projects using IBM WebSphere Portal and has extensive background in design and development of enterprise portals. He specializes in providing Enterprise J2EE and Portal solutions leveraging WebSphere Portal, Content Management, Tivoli and 3rd party integrations. He has over 9 years of experience with WebSphere Portal and is a former Apache Software Foundation committer.