Allowing insecure access to Heritage Process Portal (deprecated)
You should require HTTPS communication from the browser to the server when accessing any IBM® Business Process Manager user interface. Typically, these user interfaces are available to authenticated users only, and authentication credentials are submitted with every request; for example, user IDs and passwords, or the LTPA cookie. These credentials must be protected from eavesdropping and should therefore never be transmitted over unencrypted connections. If you have an SSL offloading requirement, see the httpsIndicatorHeader configuration in Web container custom properties in the WebSphere® Application Server documentation.
About this task
This task describes how to change the protocol by running the configBSpaceTransport.py script.
Enforcement of HTTPS with cumulative fix 2017.03 also enabled additional security configuration: setting the secure flag for LTPA and HTTP session cookies. This new default configuration instructs browsers to send these sensitive cookies over secure connections only. If you configure Business Space or Heritage Process Portal to be available over non-secure HTTP connections, these cookies must not be marked with the secure flag, because browsers would otherwise withhold them from HTTP requests. The configBSpaceTransport.py script has been enhanced to disable the secure flag for these two cookies when it is run with the allowhttp parameter, and to enable the secure flag for these two cookies when it is run with the httpsonly parameter.
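To confirm that the cookie flags match the transport mode you configured, you can audit the Set-Cookie headers the server returns. The following check is an added example, not part of the IBM product or of configBSpaceTransport.py; it assumes the WebSphere default cookie names LtpaToken2 and JSESSIONID, and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers against the configured transport mode.
# Cookie names are assumed WebSphere defaults; adjust if your cell renames them.
SENSITIVE_COOKIES = ("LtpaToken2", "JSESSIONID")

def parse_set_cookie(header):
    """Return (cookie name, set of lowercase attribute names) for one header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_cookies(headers, mode):
    """Compare the secure flag on the LTPA and session cookies with the mode.

    mode is 'httpsonly' (flag expected) or 'allowhttp' (flag must be absent,
    otherwise browsers will not return the cookies over HTTP).
    Returns {cookie name: 'ok' | 'missing-secure' | 'unexpected-secure' | 'not-seen'}.
    """
    if mode not in ("httpsonly", "allowhttp"):
        raise ValueError("mode must be 'httpsonly' or 'allowhttp'")
    want_secure = mode == "httpsonly"
    result = {name: "not-seen" for name in SENSITIVE_COOKIES}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in result:
            continue  # not one of the two cookies the script manages
        has_secure = "secure" in attrs
        if has_secure == want_secure:
            result[name] = "ok"
        else:
            result[name] = "missing-secure" if want_secure else "unexpected-secure"
    return result

# Constructed sample: the LTPA cookie carries the flag, the session cookie does not.
SAMPLE_HEADERS = [
    "LtpaToken2=CONSTRUCTEDVALUE; Path=/; Secure; HttpOnly",
    "JSESSIONID=0000constructed:-1; Path=/; HttpOnly",
    "com.example.theme=dark; Path=/",
]

if __name__ == "__main__":
    for mode in ("httpsonly", "allowhttp"):
        print(mode, audit_cookies(SAMPLE_HEADERS, mode))
```

A missing-secure result under httpsonly means a credential cookie can still travel over an unencrypted connection; an unexpected-secure result under allowhttp means logins over HTTP will fail because the browser does not return the cookie.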