Setting up SSL | HCL Digital Experience
Get an overview of the tasks that are required to configure SSL for HCL Digital Experience. Some of these tasks are completed on the IBM® WebSphere® Application Server and the web server. The steps that refer to the WebSphere® Application Server and the web server are summarized here; refer to the WebSphere® Application Server and the web server documentation for detailed information. Steps that are unique to HCL Portal are described in detail here.
About this task
Note: This procedure might be slightly different if a front-end security proxy server such as IBM® Security Access Manager WebSEAL is used. In that case, the front-end security proxy server handles the client SSL connections, and the web server receives its connections from the front-end security proxy server. Mutually authenticated SSL can be configured between the web server and the front-end security proxy server if needed; whether it is needed depends on the security requirements of each deployment.
If you plan to use a Security Access Manager WebSEAL TAI with an SSL junction, complete only steps 1-3 of this procedure.
Important: If only the login process is secured over SSL, complete the first three steps and then go to Configuring SSL only for the login process.
Procedure
- Configure the web server to support HTTPS. This configuration involves setting up the web server to accept inbound connections from client browsers over SSL.
- Depending on the web server that you want to use, other software must be installed on the web server. For example: Microsoft™ Internet Information Server and Microsoft® Certificate Service.
- The web server must have a port that is defined (usually 443), and the necessary certificates and keys must be installed.
- Go to Securing with SSL communications in the related links section for information about how to enable SSL on an IBM® HTTP Server.
- Refer to the book z/OS® HTTP Server Planning, Installing, and Using in the related links section. It provides information about setting up a secure server.
- In a production environment, you must obtain a certificate from a certificate authority. For testing purposes, you can use iKeyman to generate a self-signed certificate. For Internet Information Server, use the web server's resource toolkit to create SSL keys. Refer to the related links section for information about iKeyman and creating Secure Sockets Layer digital certificates.
- Configure the WebSphere® Application Server plug-in for the web server to forward HCL Portal traffic that is received over SSL to WebSphere® Application Server (which then forwards the traffic to HCL Portal). Refer to the related links section for information about how to configure the plug-in.
- In configurations where the web server and HCL Portal are on separate servers, requests are rerouted to the application server. Under these circumstances, you can also configure SSL between the web server and the application server to provide complete security. This configuration requires that you create extra keyfiles for the web server plug-in and for the embedded HTTPS of WebSphere® Application Server.
- For information about configuring SSL between the web server and the application server, use the IBM Redbooks called WebSphere® Application Server V8.5 Security Guide, found in the related links section. Use the section that is called Application server configuration: Web container configuration of the IBM® WebSphere® Application Server.
- For information about this step, use the IBM® Redbooks link in the related links section. Search for Security Handbook.
Note: Always create a new SSL keystore and truststore for the external web server and change the WebSphere_Portal server's secure transport channel to use the new SSL repository.
CAUTION: Do not modify the default SSL key and truststore.
- Required: Complete the following steps to create or modify the following two properties in the configuration services:
- Update the Transport Security Constraint in wps.ear. You can modify the transport constraint so that WebSphere® Application Server enforces the use of SSL for all pages under the /myportal/ URL. Use this step to completely secure the protected area over HTTPS. Clustered environments: Complete this step on the primary node, then complete a full resynchronize to propagate the changes to all nodes.
- Optional: Complete the following steps when you use a remote web server and you must allow direct access to the WebSphere_Portal node on the internal port, for example http://hostname.example.com:10039/wps/portal, where hostname.example.com is the fully qualified host name of the server where Portal is running and 10039 is the default transport port that is created by WebSphere® Application Server. The port number might be different for your environment.
- Optional: Complete the following steps only if you use the Login portlet:
- Log in to HCL Portal.
- Click the Administration menu icon. Then, click .
- Locate the Login portlet and click the Configure portlet icon.
- Locate the UseSecureLoginActionUrl parameter and click the Edit value icon.
- Type true in the Value field and click OK to save your changes.
- Click OK to return to the Manage Portlets portlet.
- In a stand-alone environment, stop and restart the WebSphere_Portal server. In a clustered environment, stop and restart the Deployment Manager and the WebSphere_Portal servers. Clustered environments: In the Deployment Manager, verify that the EAR changes were successfully synchronized to all nodes. Stop and restart the servers on all nodes.
- Complete the following steps to test your changes:
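As an added illustration of the "Update the Transport Security Constraint in wps.ear" step above (this fragment is constructed for this page and is not copied from the product's wps.ear), the constraint for the /myportal/ protected area is a standard Java EE web.xml security-constraint; the names "Protected Area" and "All Role" are assumed placeholders, and the only change that matters is the transport-guarantee value:

```xml
<!-- Weak setting: /myportal/* is authenticated but may be served over plain HTTP,
     so session cookies and page content can travel in clear text. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>   <!-- assumed name -->
    <url-pattern>/myportal/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>All Role</role-name>                           <!-- assumed role -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Corrected setting: CONFIDENTIAL makes the web container refuse to serve
     /myportal/* over a non-SSL transport and redirect the client to HTTPS,
     which is what "completely secure the protected area over HTTPS" means. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>   <!-- assumed name -->
    <url-pattern>/myportal/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>All Role</role-name>                           <!-- assumed role -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The redirect the container issues for a plain-HTTP request to /myportal/ is sent to the HTTPS port configured for the transport channel, so the new keystore from the Note above must already be in place before this change is resynchronized to the nodes.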