Redirecting non-SSL (HTTP) requests to SSL (HTTPS) requests with IBM HTTP Server or Apache, and WebSphere Application Server
 Technote (troubleshooting)
 
Problem(Abstract)
Steps for automatically redirecting all non-secure (HTTP) requests served by WebSphere® Application Server through a secure connection. This includes configuring IBM® HTTP Server or Apache as part of a complete solution.
 
Cause
After enabling a WebSphere Application Server-hosted site to support HTTPS (SSL-encrypted sites), you may wish to "turn off" non-SSL requests, then redirect those requests through SSL. In other words, change HTTP://xxx to HTTPS://xxx. This allows users' old bookmarks to stay valid, and prevents the need for links in existing web pages to change.
 
Resolving the problem
Using a Microsoft® Windows® example, redirection can be configured with the following steps (Unix® would be the same except for the appropriate path and file name for the rewrite log):
  1. Add the following statements to your httpd.conf file:

    RewriteEngine On
    # handy for seeing what's going on when the web server tries to redirect
    RewriteLog "C:/rwlog.txt"
    RewriteLogLevel 1
    # if the port's not 443 (ssl)...
    RewriteCond %{SERVER_PORT} !^443$
    #...redirect it to the same page but make it SSL
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [L,R]


    Note: This example redirects everything. It is also possible to redirect only certain requests by using a <Directory> block or by constructing a more elaborate rewrite condition. See the Apache.org web site for details.
  2. In the WebSphere Application Server V3.5, V4.0 and V5.0 administrative console:
    1. Remove all virtual hosts except those ending in ":443". Otherwise, the Web server will forward the requests to WebSphere Application Server before redirecting, allowing unencrypted requests.
    2. Regenerate the plug-in configuration file for the hosting node(s).
    3. Stop and start the hosting application servers.
  3. Stop and start the Web server (Apache or IBM HTTP Server).
  4. Use a browser to access a resource and verify that an "http://xxx" request resolves to "https://xxx".
  5. If it does not work, view the rewrite log.
  6. If the rewrite log is empty, there may be a problem with your rewrite condition.
  7. If the rewrite "to" destination is not a valid web address, there may be a problem with your rewrite rule.
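
The following is an added example, not part of the original technote or IBM's tooling: a check for step 2 that lists every virtual host alias in a regenerated plug-in configuration file that does not end in ":443". It assumes the file uses `VirtualHostGroup` elements containing `VirtualHost Name="host:port"` entries; the sample XML and the function names are constructed for illustration.

```python
# Added example: audit a regenerated plug-in configuration file for virtual
# host aliases that are not bound to port 443 (step 2.1 of the procedure).
import xml.etree.ElementTree as ET

# Constructed sample, modeled on the assumed VirtualHostGroup layout.
SAMPLE_PLUGIN_CFG = """<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:9080"/>
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:443"/>
  </VirtualHostGroup>
  <VirtualHostGroup Name="secure_host">
    <VirtualHost Name="www.example.com:443"/>
  </VirtualHostGroup>
</Config>
"""


def alias_port(alias):
    """Return the port of a 'host:port' alias, or None if no port is present."""
    _host, sep, port = alias.rpartition(":")
    return port if sep and port.isdigit() else None


def non_ssl_aliases(plugin_cfg_xml, ssl_port="443"):
    """List (group, alias) pairs whose alias does not end in ':<ssl_port>'."""
    root = ET.fromstring(plugin_cfg_xml)
    findings = []
    for group in root.iter("VirtualHostGroup"):
        for vhost in group.findall("VirtualHost"):
            alias = vhost.get("Name", "")
            # An alias with no port, or any port other than the SSL port,
            # lets the plug-in forward a request before it is redirected.
            if alias_port(alias) != ssl_port:
                findings.append((group.get("Name"), alias))
    return findings


if __name__ == "__main__":
    for group, alias in non_ssl_aliases(SAMPLE_PLUGIN_CFG):
        print(f"{group}: alias {alias!r} still accepts non-SSL requests")
```

An empty result means only ":443" aliases remain, so the Web server handles the redirect before anything is forwarded to the application server.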
 
 
Cross Reference information
Segment Product Component Platform Version Edition
Application Servers WebSphere Application Server Security
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Security (LDAP- Authentication- etc.)
Operating system(s): Windows
Software version: 6.0
Software edition:
Reference #: 1107738
IBM Group: Software Group
Modified date: Oct 4, 2006