MartinMotovsky
5 Posts

How can I force WAS to use https?

2012-09-14T12:20:48Z
Hello all,

I would like to force the web application server to use https in all URLs which start with "/pages/secure/...".
I set up the security constraints of the web application in web.xml in the following way:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>secure area</web-resource-name>
    <url-pattern>/pages/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

When I use Tomcat or Glassfish they behave as expected, i.e.
when the user clicks e.g. /welcome.xhtml they use
http://myserver/my_web_application/welcome.xhtml
but when the user clicks e.g. /pages/secure/login.xhtml, they use
https://myserver:secureport/my_web_application/pages/secure/login.xhtml.

WAS always uses http and not https in the second case. The security settings in the WAS are default, set up during the WAS installation.
I use WAS version 8.5, but we plan to use versions 8.0 or 7 too.

How can I force WAS to use https?

Thanks for the hints,
Martin
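
Added example, not part of the original post: a small Python check that reads a web.xml and reports whether a context-relative path falls under a CONFIDENTIAL (or INTEGRAL) transport guarantee, following the servlet url-pattern matching rules. The sample descriptor is constructed from the constraint above, the function names are illustrative, and the check assumes the constraints carry no http-method elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the post inside a Servlet 3.0 descriptor.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure area</web-resource-name>
      <url-pattern>/pages/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def _texts(elem, name):
    """Text of every descendant called `name`, ignoring the XML namespace."""
    return [e.text.strip() for e in elem.iter()
            if e.tag.rsplit("}", 1)[-1] == name and e.text]

def load_constraints(xml_text):
    """Return (url_patterns, transport_guarantee) per <security-constraint>."""
    root = ET.fromstring(xml_text)
    return [(_texts(sc, "url-pattern"),
             (_texts(sc, "transport-guarantee") or ["NONE"])[0])
            for sc in root.iter()
            if sc.tag.rsplit("}", 1)[-1] == "security-constraint"]

def match_rank(pattern, path):
    """Rank a servlet url-pattern against a path; None means no match."""
    if pattern == path:
        return (3, len(pattern))               # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))            # path prefix, longest wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                          # extension match
    return (0, 0) if pattern == "/" else None  # default pattern

def needs_https(xml_text, path):
    """True if every best-matching constraint demands an encrypted transport."""
    ranked = [(match_rank(p, path), guarantee)
              for patterns, guarantee in load_constraints(xml_text)
              for p in patterns]
    ranked = [(r, g) for r, g in ranked if r is not None]
    if not ranked:
        return False                           # no constraint covers this path
    best = max(r for r, _ in ranked)
    return all(g in ("CONFIDENTIAL", "INTEGRAL") for r, g in ranked if r == best)
```

Running needs_https over the paths an application actually serves shows which ones the container is expected to move to https, independent of which server is in use.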
  • SystemAdmin
    590 Posts

    Re: How can I force WAS to use https?

    ‏2012-09-14T14:29:32Z  
    Hi,
    Can you confirm you have the appSecurity-1.0 and ssl-1.0 features in your server.xml? You will also need to configure your SSL configuration like this:

    <keyStore id="defaultKeyStore" password="yourPassword" />

    For more details, you can refer to the info center article:
    http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-base-dist&topic=twlp_sec_ssl
  • MartinMotovsky
    5 Posts

    Re: How can I force WAS to use https?

    ‏2012-09-18T11:27:32Z  
    Thank you Elisa,

    I installed the WAS Liberty Profile, I followed your hints and it works. Thank you.

    We plan to deploy our application to SmartCloud. If my studies of possible deployment methods are correct, the only way to deploy the web application to the SmartCloud Enterprise WAS Liberty profile is via IBM Workload Deployer. We do not have such a hardware appliance, so we are not able to use it. It looks like, if we want to deploy the web application from RAD, we have only two possibilities: to deploy it to the SmartCloud WAS version 7 or version 8.0. Version 8.5 seems not to be supported.
    That was a rather long introduction to this question:
    How can we provide the same security settings as you recommended for the Liberty profile, but now for WAS versions 7 and 8.0?
  • SystemAdmin
    590 Posts

    Re: How can I force WAS to use https?

    ‏2012-09-18T15:39:08Z  
    Liberty supports compatibility for app deployment when moving to the full profile of WAS v8. What you won't be able to use in the full profile is the server.xml. You should enable global and application security in your full profile WAS server (this is the equivalent of enabling appSecurity and ssl features), and deploy your application there. During the deploy, you may need to map users to roles and runAs users to roles.

    Here is an info center link for enabling security in the full profile:
    http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tsec_csec2.html

    And for steps to deploy an application in the full profile:
    http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_tasroles.html
  • MartinMotovsky
    5 Posts

    Re: How can I force WAS to use https?

    ‏2012-10-16T13:24:53Z  
    Thank you Elisa for the advice,

    After a lot of reading, and with the help of the IBM member in France, I succeeded in configuring WAS. I did it with the following steps:

    1) I had to set up the virtual member manager correctly (adding an LDAP, for example).
    WAS Administrative Console -> Security -> Global security -> Available realm definitions -> Configure
    2) Then go to Security -> Global security -> Authentication (right) -> Web and SIP security -> Click on Single sign-on.
    3) Tick Require SSL, then click OK and save the change.
    4) From the WebSphere Enterprise applications, click on your application.
    5) Click on Security role to user/group mapping.
    Note: My application did not have this link the first time. I added the role requirements to the web.xml of my application:
    <auth-constraint>
      <role-name>All Role</role-name>
    </auth-constraint>
    After redeploying my application with this change the link appeared.
    6) In order to ensure everyone has access to the application, select All Role and select All Authenticated in Application's Realm from the Map Special Subjects menu.
    7) RESTART the application server.