When using an SSL offloader, the TARGET parameter when redirected to the login.fcc page is changed to specify a http rather than https protocol even though the original request was made over https

Article ID: 51429

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

 

This is a common configuration problem for traffic behind an SSL
offloader. When an SSL offloader is in use, the traffic actually
arrives at the Web Server / Web Agent over unencrypted http, so the
Web Agent has no way of knowing on its own that the client's original
request was https. The Agent Configuration Object entry

  HTTPSPorts=<Port1>,<Port2>

for example

  HTTPSPorts=80

needs to be set so that the Web Agent can identify that the traffic
received on port 80 is really "https" traffic. It will then set the
TARGET parameter correctly.

How does this work with the Web Agent Credential Collector feature?

 

Environment

 

Web Agent 12.52SP1CR10 on Apache 2.4 on Linux;

 

Resolution

 

When redirecting to the Credential Collector, the Web Agent builds the
TARGET variable from the URL of the request as the Web Server saw it.

SSL Offloaders and Web Caches commonly rewrite the request before
forwarding it to the actual Web Server, so the Web Server / Web Agent
receives an unencrypted request, frequently on port 80. Unless told
otherwise, the Web Agent assumes that such a request is "http", not
"https", and generates an http TARGET.

The Agent Configuration Object parameter:

  HTTPSPorts

lets you specify which ports the Web Agent is to treat as if they were
SSL ports. The channel on such a port is then assumed to have the
security level of an SSL connection. This has two effects: it governs
whether the channel is considered secure for the purpose of sending
SMSESSION cookies over secure connections only, and it decides whether
http or https is used when generating the redirect TARGET variable.

If the traffic arrives at the Web Server on port 80 directly from the
SSL Offloader, then you will need the entry:

  HTTPSPorts=80

This can be used when the backend Web Server only accepts traffic from
the SSL Offloader, because every request on port 80 is then assumed to
have been encrypted on the client side. It is important to make sure
that this is actually the case: once port 80 is listed in HTTPSPorts,
any cleartext request that reaches port 80 from another source
(another backend server, an internal client, or anything else that can
route to the host) is also treated as secure, receives https TARGETs
and is eligible for cookies meant for secure connections only. Restrict
the port with a firewall rule or the Web Server's own IP-based access
control so that only the SSL Offloader's addresses can reach it.

For simplicity, it is a common recommendation that the decrypted
traffic from the SSL Offloader to the backend Web Server use a port
other than port 80, to avoid confusion. A commonly used port for this
traffic is port 81. Your setting would then be:

  HTTPSPorts=81

Internally, within your firewall, you can then still tell SSL-offloaded
traffic (port 81) apart from ordinary non-SSL traffic (port 80).

If, in your configuration, there is also internal traffic on port 80
to that machine, and internal https (port 443) traffic can also reach
that machine, then the setting would be:

  HTTPSPorts=81,443

This indicates that traffic on port 81 from the SSL Offloader is
considered secure, as is any https traffic on port 443, while traffic
arriving on port 80 is treated as normal http traffic.

Note: There has been some confusion about this point in the Agent
Configuration Guide, and despite clarification it continues. This
parameter is not deprecated, and it is used on platforms other than
Apache; in particular it is also used with IIS and Sun One Web
Servers.

Depending on your configuration, the following Agent Configuration
Object parameter may also be needed:

  getportfromheaders=YES

 

This needs to be set for some Web Servers when the port used after the
SSL Offloader is not one of the standard ports 80 and 443 (it is common
for the traffic to be sent on another port, say 81, after decryption to
avoid confusion with internal unencrypted traffic). With it, the Web
Agent takes the port from the request headers rather than from the
port the Web Server reports. If Apache is the Web Server, you may also
need to set the following values in httpd.conf:

  UseCanonicalPhysicalPort Off (default is Off)
  UseCanonicalName On
  ServerName server_name:port_number

Where:

  server_name = host name of the SSL Offloader

  port_number = the HTTP port on which the SSL Offloader sends the
  traffic to the backend Web Server. This port number must also be
  included in the HTTPSPorts ACO parameter.
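To make the decision logic in the Resolution above concrete (how HTTPSPorts picks http or https for the TARGET, and why GetPortFromHeaders=YES matters once the offloaded port is not 80 or 443), here is a simplified model of the Web Agent's choice, run over the deployments the article describes. This is an added illustration and not Web Agent code: the login.fcc path, the host names, the sample requests and the "server misreports the port" case are all constructed, the authority of the TARGET is just the Host header's host name with any port stripped (the real client talks to the offloader's public port, not the backend port), and percent-encoding stands in for the agent's own TARGET encoding.

```python
"""Simplified model of how a Web Agent decides http vs https for the TARGET
it hands to login.fcc. Added illustration only; this is not the agent's code."""
from dataclasses import dataclass
from urllib.parse import quote


@dataclass(frozen=True)
class AgentConfig:
    """The two Agent Configuration Object settings discussed on this page."""
    https_ports: frozenset = frozenset()   # HTTPSPorts; empty = only real TLS is secure
    get_port_from_headers: bool = False    # GetPortFromHeaders=YES/NO
    login_fcc: str = "/siteminderagent/forms/login.fcc"  # assumed collector path


@dataclass(frozen=True)
class Request:
    """What the backend Web Server / Web Agent sees after the offloader (constructed)."""
    host_header: str             # Host header as forwarded, e.g. "www.example.com:81"
    server_port: int             # port the Web Server *reports* for the request
    path: str                    # requested path, e.g. "/protected/app"
    tls_on_socket: bool = False  # True only if the Web Server itself terminated TLS


def effective_port(cfg: AgentConfig, req: Request) -> int:
    """GetPortFromHeaders=YES: take the port from the Host header when it carries one.
    Otherwise trust whatever port the Web Server reports."""
    if cfg.get_port_from_headers and ":" in req.host_header:
        return int(req.host_header.rsplit(":", 1)[1])
    return req.server_port


def is_secure(cfg: AgentConfig, req: Request) -> bool:
    """The channel counts as secure if TLS really terminated on this socket,
    or if the effective port is listed in HTTPSPorts."""
    return req.tls_on_socket or effective_port(cfg, req) in cfg.https_ports


def build_target(cfg: AgentConfig, req: Request) -> str:
    """Reconstruct the client-facing URL for the TARGET parameter.
    Simplification: authority = host name from the Host header, port dropped."""
    host = req.host_header.rsplit(":", 1)[0]
    scheme = "https" if is_secure(cfg, req) else "http"
    return f"{scheme}://{host}{req.path}"


def collector_redirect(cfg: AgentConfig, req: Request) -> str:
    """Location the agent would redirect an unauthenticated request to."""
    return f"{cfg.login_fcc}?TARGET={quote(build_target(cfg, req), safe='')}"


# The article's deployments as constructed sample requests.
OFFLOADED_ON_80 = Request("www.example.com", server_port=80, path="/protected/app")
OFFLOADED_ON_81 = Request("www.example.com:81", server_port=81, path="/protected/app")
INTERNAL_PLAIN_80 = Request("intranet.example.com", server_port=80, path="/protected/app")
# Constructed failure mode: the Web Server reports the canonical port (80) rather
# than the non-standard port 81 the offloader really used.
MISREPORTED_81 = Request("www.example.com:81", server_port=80, path="/protected/app")

DEFAULT = AgentConfig()
PORT80_AS_HTTPS = AgentConfig(https_ports=frozenset({80}))
PORT81_AND_443 = AgentConfig(https_ports=frozenset({81, 443}))
PORT81_FROM_HEADERS = AgentConfig(https_ports=frozenset({81, 443}),
                                  get_port_from_headers=True)

if __name__ == "__main__":
    cases = [
        ("default ACO, offloaded to 80 (the symptom)", DEFAULT, OFFLOADED_ON_80),
        ("HTTPSPorts=80", PORT80_AS_HTTPS, OFFLOADED_ON_80),
        ("HTTPSPorts=81,443, offloaded to 81", PORT81_AND_443, OFFLOADED_ON_81),
        ("HTTPSPorts=81,443, internal plain port 80", PORT81_AND_443, INTERNAL_PLAIN_80),
        ("HTTPSPorts=81,443, server misreports 80", PORT81_AND_443, MISREPORTED_81),
        ("  ... plus GetPortFromHeaders=YES", PORT81_FROM_HEADERS, MISREPORTED_81),
    ]
    for label, cfg, req in cases:
        print(f"{label:46} -> {collector_redirect(cfg, req)}")
```

The first case reproduces the symptom in the title (an http TARGET for an https request); the last two show the case the GetPortFromHeaders note is about: with the Web Server reporting port 80, HTTPSPorts=81,443 alone still yields http, and only reading the port from the headers restores https. The model also shows the caveat from the HTTPSPorts=80 discussion: any request that reaches a listed port is treated as secure, whether or not it really came from the offloader.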