Problem with Liferay portal and SSL

We are trying to run a Liferay portal through a load balancer that provides SSL acceleration.  We installed the certificates on the LoadMaster and they work just fine.  The LoadMaster passes the GET request that comes in on port 443 to port 80 on the Tomcat server. What should happen, (please correct me if I am wrong on this) as the LoadMaster is set to re-write URLs to HTTPS, is that the Tomcat server responds to the GET request and answers on port 80.  The LoadMaster, as proxy, intercepts this and encrypts the response and at the same time changes any URLs in the response from HTTP to HTTPS.

The site loads fine and the initial redirect from the root to the /web/guest/home works as expected.  The login process, however, reverts us back to standard HTTP.  The "Sign In" button itself shows the link as HTTP://host.domain.com/...  Of the other links on the guest home page, some show up as SSL links like the "Sign In" under the "Welcome!" drop down but the "Home" link under the "Welcome!" drop down comes up as non-SSL.

So now we've logged in and gone back and changed the address of our page to SSL... Most things work fine when we navigate from section to section.  We do run into problems with entering information into actual portlets.  The navigation surrounding them is fine, but once you "enter" the portlet it reverts you back to http from SSL.

I can't imagine I am the first to see this but I have been unsuccessful in finding postings that reveal the fix for this.

Please help!



More details
Tomcat 6.0
Windows server 2003 with latest SP and patches
Kemp Technologies LoadMaster
Liferay Portal Standard Edition 5.1.2
C:\liferay-portal-tomcat-6.0-5.1.2\bin>startup
Using CATALINA_BASE:   C:\liferay-portal-tomcat-6.0-5.1.2
Using CATALINA_HOME:   C:\liferay-portal-tomcat-6.0-5.1.2
Using CATALINA_TMPDIR: C:\liferay-portal-tomcat-6.0-5.1.2\temp
Using JRE_HOME:        C:\Program Files\Java\jdk1.6.0_11

Tomcat server.xml connector entry.. (the Kemp people suggested turning off keep alives)

    <Connector port="80" protocol="HTTP/1.1"
          connectionTimeout="20000"
          maxKeepAliveRequests="1"
          redirectPort="443" URIEncoding="UTF-8" />
          
Tomcat starts up clean except for some duplicate listeners that are being ignored.    
freymish Asked:

sr1xxon Commented:
surely you should be rewriting your ssl session from the loadbalancer to tomcat's port 443, not port 80.

to force this, change tomcat's web.xml.

add section

<security-constraint>
  <!-- the resource collection must come first and needs a name -->
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <description>force application to use ssl</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

I've seen a couple of funky situations which required url-pattern entries for each JSP, but for most situations, the code above should force all requests to be returned on a secure socket.


freymish (Author) Commented:
Doesn't that negate the benefit of offloading the SSL encryption to the other device?
sr1xxon Commented:
no, because it should then consistently encrypt end-to-end.

your subpages (links) are still delivering content unencrypted, so this needs to be forced, if required.

Perhaps just for pages or links you can specify in the above format

<url-pattern>/welcome/*</url-pattern>
<url-pattern>/welcomepage.jsp</url-pattern>

etc..

If it still isn't working, set logging to debug mode and check what's happening there.
freymish (Author) Commented:
OK, got support from Liferay directly on this due to the fact that it needs to work like tomorrow!  Here's the skinny:
 
In portal.properties look for the following section. At minimum I think you will need to set web.server.protocol:

##
## Web Server
##

#
# Set the HTTP and HTTPs ports when running the portal in a J2EE server that
# is sitting behind another web server like Apache. Set the values to -1 if
# the portal is not running behind another web server like Apache.
#
web.server.http.port=-1
web.server.https.port=-1

#
# Set the hostname that will be used when the portlet generates URLs.
# Leaving this blank will mean the host is derived from the servlet
# container.
#
web.server.host=

#
# Set the preferred protocol.
#
#web.server.protocol=https

#
# Set this to true to display the server name at the bottom of every page.
# This is useful when testing clustering configurations so that you can know
# which node you are accessing.
#
web.server.display.node=false
 
After adding "web.server.protocol=https" and restarting Tomcat all is well.
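
A way to confirm that the portal no longer emits the plain-HTTP links described in the question, added here as an example and not part of the original thread: the script scans a page fetched over HTTPS for absolute http:// URLs pointing back at the portal host. The sample HTML and the `/c/portal/login` path are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry a URL the browser will follow or submit to.
URL_ATTRS = {"href", "src", "action"}


class DowngradeFinder(HTMLParser):
    """Collect absolute http:// URLs that point back at the portal host."""

    def __init__(self, portal_host):
        super().__init__()
        self.portal_host = portal_host.lower()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            # Relative and https:// URLs keep the TLS session; only an
            # explicit http:// URL to our own host drops the user out of it.
            if parts.scheme == "http" and (parts.hostname or "") == self.portal_host:
                self.findings.append((tag, name, value))


def find_downgrade_links(html, portal_host):
    finder = DowngradeFinder(portal_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample modelled on the symptoms in the question: the page was
# fetched over HTTPS, yet the sign-in form and the "Home" link are plain HTTP.
SAMPLE_PAGE = """
<a href="https://host.domain.com/web/guest/home?signin=1">Sign In</a>
<a href="HTTP://host.domain.com/web/guest/home">Home</a>
<form action="http://host.domain.com/c/portal/login" method="post">
  <input type="password" name="password"><input type="submit" value="Sign In">
</form>
<a href="/web/guest/about">About</a>
<a href="http://www.example.org/">External</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_downgrade_links(SAMPLE_PAGE, "host.domain.com"):
        print(f"<{tag} {attr}> leaves TLS: {url}")
```

Run it against the guest home page and a page with a portlet open, before and after setting web.server.protocol=https; an empty result after the change means no same-host link or form target falls back to HTTP.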
 
