freymish asked:
Problem with Liferay portal and SSL

We are trying to run a Liferay portal through a load balancer that provides SSL acceleration.  We installed the certificates on the LoadMaster and they work just fine.  The LoadMaster passes the GET request that comes in on port 443 to port 80 on the Tomcat server. What should happen (please correct me if I am wrong on this), as the LoadMaster is set to re-write URLs to HTTPS, is that the Tomcat server responds to the GET request and answers on port 80.  The LoadMaster, as proxy, intercepts this and encrypts the response and at the same time changes any URLs in the response from HTTP to HTTPS.

The site loads fine and the initial redirect from the root to the /web/guest/home works as expected.  The login process, however, reverts us back to standard HTTP.  The "Sign In" button itself shows the link as HTTP://host.domain.com/...  Of the other links on the guest home page, some show up as SSL links like the "Sign In" under the "Welcome!" drop down but the "Home" link under the "Welcome!" drop down comes up as non-SSL.

So now we've logged in and gone back and changed the address of our page to SSL... Most things work fine when we navigate from section to section.  We do run into problems with entering information into actual portlets.  The navigation surrounding them is fine, but once you "enter" the portlet it reverts you back to http from SSL.

I can't imagine I am the first to see this but I have been unsuccessful in finding postings that reveal the fix for this.

Please help!



More details
Tomcat 6.0
Windows server 2003 with latest SP and patches
Kemp Technologies LoadMaster
Liferay Portal Standard Edition 5.1.2
C:\liferay-portal-tomcat-6.0-5.1.2\bin>startup
Using CATALINA_BASE:   C:\liferay-portal-tomcat-6.0-5.1.2
Using CATALINA_HOME:   C:\liferay-portal-tomcat-6.0-5.1.2
Using CATALINA_TMPDIR: C:\liferay-portal-tomcat-6.0-5.1.2\temp
Using JRE_HOME:        C:\Program Files\Java\jdk1.6.0_11

Tomcat server.xml connector entry (the Kemp people suggested turning off keep-alives):

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               maxKeepAliveRequests="1"
               redirectPort="443" URIEncoding="UTF-8" />

Tomcat starts up clean except for some duplicate listeners that are being ignored.
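As an added illustration (not configuration from this thread), here is the connector as posted in the question next to the same connector carrying the attributes the Tomcat 6 HTTP connector documents for sitting behind an SSL-terminating proxy (scheme, secure, proxyName, proxyPort). The host name is the placeholder from the question; this assumes port 80 on the Tomcat box is reachable only from the LoadMaster, because every request arriving on that connector is then treated as secure.

```xml
<!-- Added example, not the poster's configuration. Connector as posted in the
     question: Tomcat sees plain HTTP on port 80, so request.getScheme() is "http",
     request.getServerPort() is 80, and the absolute URLs and redirects Tomcat
     generates come back as http://host.domain.com/... -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxKeepAliveRequests="1"
           redirectPort="443" URIEncoding="UTF-8" />

<!-- Same connector told that it sits behind an SSL-terminating proxy:
     scheme/secure make request.getScheme() return "https" and request.isSecure()
     return true; proxyName/proxyPort are what request.getServerName() and
     request.getServerPort() report, so generated links and redirects are written
     against https://host.domain.com (port 443) instead of http:// on port 80.
     Because this applies to every request on port 80, only the load balancer
     should be able to reach this port (firewall rule or bind address). -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxKeepAliveRequests="1"
           scheme="https" secure="true"
           proxyName="host.domain.com" proxyPort="443"
           URIEncoding="UTF-8" />
```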
sr1xxon:

Surely you should be rewriting your SSL session from the load balancer to Tomcat's port 443, not port 80.

To force this, change Tomcat's web.xml.

Add this section:

<security-constraint>
  <user-data-constraint>
    <description>force web application to use SSL</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
</security-constraint>

I've seen a couple of funky situations which required url-pattern entries for each JSP, but for most situations, the code above should force all requests to be returned on a secure socket.


freymish (asker):

Doesn't that negate the benefit of offloading the SSL encryption to the other device?

No, because it should then consistently encrypt end-to-end.

Your subpages (links) are still delivering content unencrypted, so this needs to be forced, if required.

Perhaps just for specific pages or links; you can specify them in the above format:

<url-pattern>/welcome/*</url-pattern>
<url-pattern>/welcomepage.jsp</url-pattern>

etc.

If it still isn't working, set logging to debug mode and check what's happening there.